Windows Analysis Report
McDQxpmcsx.exe

Overview

General Information

Sample Name: McDQxpmcsx.exe
Original Sample Name: Trojan.Win32.Yakes.abaep-a597d34bc2464c3ace48ac04f6653f65ac4822ea8e4a5717ba9e4909b8c62240.exe
Analysis ID: 828210
MD5: de74e1eb8ca5494496632da478851ade
SHA1: 99f22f4fa9a0619b9f09e15afc6446160ae6541e
SHA256: a597d34bc2464c3ace48ac04f6653f65ac4822ea8e4a5717ba9e4909b8c62240

Detection

DBatLoader, Kovter
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected DBatLoader
Multi AV Scanner detection for submitted file
Yara detected Kovter
Malicious sample detected (through community Yara rule)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • McDQxpmcsx.exe (PID: 5812 cmdline: C:\Users\user\Desktop\McDQxpmcsx.exe MD5: DE74E1EB8CA5494496632DA478851ADE)
    • WerFault.exe (PID: 5860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 548 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: Kovter
Description: Kovter is a Police Ransomware
  • Feb 2012 - Police Ransomware
  • Aug 2013 - Became AD Fraud
  • Mar 2014 - Ransomware to AD Fraud malware
  • June 2014 - Distributed from sweet orange exploit kit
  • Dec 2014 - Run affiliated node
  • Apr 2015 - Spread via fiesta and nuclear pack
  • May 2015 - Kovter become fileless
  • 2016 - Malvertising campaign on Chrome and Firefox
  • June 2016 - Change in persistence
  • July 2017 - Nemucod and Kovter was packed together
  • Jan 2018 - Cyclance report on Persistence
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter
Source | Rule | Description | Author | Strings
McDQxpmcsx.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
McDQxpmcsx.exe | JoeSecurity_Kovter | Yara detected Kovter | Joe Security |
McDQxpmcsx.exe | Win32_Ransomware_Kovter | unknown | ReversingLabs |

Source | Rule | Description | Author | Strings
00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Kovter | Yara detected Kovter | Joe Security |
00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Kovter | Yara detected Kovter | Joe Security |

Source | Rule | Description | Author | Strings
0.2.McDQxpmcsx.exe.64c0000.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
0.2.McDQxpmcsx.exe.64c0000.0.unpack | JoeSecurity_Kovter | Yara detected Kovter | Joe Security |
0.2.McDQxpmcsx.exe.64c0000.0.unpack | Win32_Ransomware_Kovter | unknown | ReversingLabs |
0.0.McDQxpmcsx.exe.64c0000.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
0.0.McDQxpmcsx.exe.64c0000.0.unpack | JoeSecurity_Kovter | Yara detected Kovter | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: McDQxpmcsx.exe | Avira: detected
Source: McDQxpmcsx.exe | ReversingLabs: Detection: 71%
Source: McDQxpmcsx.exe | Virustotal: Detection: 65%
Source: McDQxpmcsx.exe | Joe Sandbox ML: detected
Source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack | Avira: Label: DR/Delphi.Gen
Source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack | Malware Configuration Extractor: Kovter
Source: McDQxpmcsx.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Networking

Source: Amcache.hve.2.dr | String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Source: Yara match | File source: McDQxpmcsx.exe, type: SAMPLE
Source: Yara match | File source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: McDQxpmcsx.exe, type: SAMPLE | Matched rule: Win32_Ransomware_Kovter Author: ReversingLabs
Source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_Kovter Author: ReversingLabs
Source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_Kovter Author: ReversingLabs
Source: McDQxpmcsx.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: McDQxpmcsx.exe, type: SAMPLE | Matched rule: Win32_Ransomware_Kovter tc_detection_name = Kovter, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_Kovter tc_detection_name = Kovter, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_Kovter tc_detection_name = Kovter, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 548
Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C6FDC
Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C6C14
Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D4524
Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C6D30
Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C7DA8
Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D6A30
Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D9AE0
Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D9804
Source: McDQxpmcsx.exe | ReversingLabs: Detection: 71%
Source: McDQxpmcsx.exe | Virustotal: Detection: 65%
Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\McDQxpmcsx.exe C:\Users\user\Desktop\McDQxpmcsx.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5812
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC5F.tmp
Source: classification engine | Classification label: mal88.troj.winEXE@2/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts

                      Data Obfuscation

                      Source: Yara match, File source: McDQxpmcsx.exe, type: SAMPLE
                      Source: Yara match, File source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_06503E70 push ecx; mov dword ptr [esp], edx (0_2_06503E75)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C66D8 push 00406704h; ret (0_2_064C66FC)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_06501EF0 push ecx; mov dword ptr [esp], FFFFFFFFh (0_2_06501EF3)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064D86FC push 00418728h; ret (0_2_064D8720)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C6E98 push 00406EC4h; ret (0_2_064C6EBC)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064F6E94 push 00436EF6h; ret (0_2_064F6EEE)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064CAEA8 push 0040AED4h; ret (0_2_064CAECC)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C66A0 push 004066CCh; ret (0_2_064C66C4)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064D874C push 004187ACh; ret (0_2_064D87A4)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064CB754 push 0040B787h; ret (0_2_064CB77F)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C6F10 push 00406F3Ch; ret (0_2_064C6F34)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064CAF80 push 0040AFACh; ret (0_2_064CAFA4)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C5FA4 push 00406009h; ret (0_2_064C6001)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_06512C74 push 00452CC6h; ret (0_2_06512CBE)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064CE42C push 0040E478h; ret (0_2_064CE470)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064CECEC push 0040ED18h; ret (0_2_064CED10)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064DADFC push 0041AE28h; ret (0_2_064DAE20)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C7A4C push 00407A78h; ret (0_2_064C7A70)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C6240 push 0040626Ch; ret (0_2_064C6264)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064CDA54 push 0040DA80h; ret (0_2_064CDA78)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064CE268 push 0040E294h; ret (0_2_064CE28C)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064CDA08 push 0040DA4Ah; ret (0_2_064CDA42)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064DC210 push 0041C23Ch; ret (0_2_064DC234)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064DB22C push 0041B258h; ret (0_2_064DB250)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064D6A30 push 00416B98h; ret (0_2_064D6B90)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064D62CC push 004162F8h; ret (0_2_064D62F0)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C7AD4 push 00407B00h; ret (0_2_064C7AF8)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064CDA8C push 0040DAB8h; ret (0_2_064CDAB0)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064DE340 push 0041E382h; ret (0_2_064DE37A)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C6B70 push 00406B9Ch; ret (0_2_064C6B94)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_06502BF0 push 00442C35h; ret (0_2_06502C2D)
                      Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
                      Source: Amcache.hve.2.dr, Binary or memory string: VMware
                      Source: Amcache.hve.2.dr, Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.2.dr, Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
                      Source: Amcache.hve.2.dr, Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.2.dr, Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.2.dr, Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.2.dr, Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.2.dr, Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.2.dr, Binary or memory string: VMware7,1
                      Source: Amcache.hve.2.dr, Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.2.dr, Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.2.dr, Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.2.dr, Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.2.dr, Binary or memory string: VMware, Inc.me
                      Source: Amcache.hve.2.dr, Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.2.dr, Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.2.dr, Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C98A4 mov eax, dword ptr fs:[00000030h] (0_2_064C98A4)
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Process queried: DebugPort
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe, Code function: 0_2_064C620C LdrInitializeThunk (0_2_064C620C)
                      Source: Amcache.hve.2.dr, Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information

                      Source: Yara match, File source: McDQxpmcsx.exe, type: SAMPLE
                      Source: Yara match, File source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Software Packing | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
                      Source | Detection | Scanner | Label | Link
                      McDQxpmcsx.exe | 72% | ReversingLabs | Win32.Trojan.Barys |
                      McDQxpmcsx.exe | 65% | Virustotal | | Browse
                      McDQxpmcsx.exe | 100% | Avira | DR/Delphi.Gen |
                      McDQxpmcsx.exe | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link | Download
                      0.2.McDQxpmcsx.exe.64c0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
                      0.0.McDQxpmcsx.exe.64c0000.0.unpack | 100% | Avira | DR/Delphi.Gen | | Download File
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      No contacted IP infos
                      Joe Sandbox Version:37.0.0 Beryl
                      Analysis ID:828210
                      Start date and time:2023-03-16 20:42:38 +01:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 6m 17s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:40
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample file name:McDQxpmcsx.exe
                      Original Sample Name:Trojan.Win32.Yakes.abaep-a597d34bc2464c3ace48ac04f6653f65ac4822ea8e4a5717ba9e4909b8c62240.exe
                      Detection:MAL
                      Classification:mal88.troj.winEXE@2/6@0/0
                      EGA Information:Failed
                      HDC Information:
                      • Successful, ratio: 100% (good quality ratio 94.1%)
                      • Quality average: 63.1%
                      • Quality standard deviation: 28.9%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 1
                      • Number of non-executed functions: 22
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 20.189.173.22, 13.107.42.16, 13.107.5.88
                      • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, config.edge.skype.com.trafficmanager.net, eudb.ris.api.iris.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, e-0009.e-msedge.net, arc.msn.com, ris.api.iris.microsoft.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, login.live.com, store-images.s-microsoft.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, cdn.onenote.net, l-0007.l-msedge.net, config.edge.skype.com
                      • Not all processes were analyzed, report is missing behavior information
                      Time | Type | Description
                      20:43:36 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                      No context
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8673257914721644
                      Encrypted:false
                      SSDEEP:96:cpzFYAeL7yPrrhhZ7MfRpXIQcQvc6QcEDMcw3DL+HbHg/8BRTf3jFa9iVfNsOFzC:QzyAYsWHBUZMXojrq/u7s9S274ItQ
                      MD5:0EEBB9437CE8443700F647637B0F8F5D
                      SHA1:D371A062D34D0545B5187B537C5C5B56562B81B4
                      SHA-256:54E102AFD8C07DDCD491AE689268BCF466764F3BA7FD7B8D4433CC3D6666FBD3
                      SHA-512:BF076F30E8AD20C5F506528260D62A23BDD8DDE7E9710506AB577CF87E8ADFFF56CE38A296C8BD9606CDC78C2A0F0EFFB14BC268AA42B45D2B796A9E82379061
                      Malicious:true
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.3.4.9.8.2.1.3.7.1.4.9.5.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.3.4.9.8.2.1.4.5.7.4.3.2.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.4.1.4.1.8.2.-.0.0.c.c.-.4.c.0.d.-.9.a.1.e.-.2.c.a.d.7.7.1.a.6.c.2.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.7.f.3.b.7.1.-.1.d.c.9.-.4.e.6.b.-.8.d.5.5.-.e.0.5.e.2.d.e.2.2.0.6.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.c.D.Q.x.p.m.c.s.x...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.b.4.-.0.0.0.1.-.0.0.1.a.-.2.e.5.a.-.7.0.a.5.8.2.5.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.d.f.8.2.3.b.f.e.5.9.7.0.2.a.2.e.8.5.d.1.6.7.4.f.e.f.7.2.f.f.e.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.f.2.2.f.4.f.a.9.a.0.6.1.9.b.9.f.0.9.e.1.5.a.f.c.6.4.4.6.1.6.0.a.e.6.5.4.1.e.!.M.c.D.Q.x.p.m.c.s.x...e.x.e.....T.a.r.g.e.t.A.p.p.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Fri Mar 17 03:43:34 2023, 0x1205a4 type
                      Category:dropped
                      Size (bytes):38408
                      Entropy (8bit):2.1002405446289933
                      Encrypted:false
                      SSDEEP:192:j1+ZTZeOMFOeiFYiKJYJytobTTuUO6wDCMT5/DW7GMt:XOMoeOYiK7CbTCv5y7j
                      MD5:CDA556748E6C0CFB72C63E6F43D41D62
                      SHA1:D1B40DF82A4CE5F0DA7CD9A17128D6B5385E78D6
                      SHA-256:51CD56450495A80453D95FAE52FBA32764060C5BC00106A1F319B5B1BF00F6C5
                      SHA-512:8F644F9B8959C6F2D4E26FE2DDE40B8C561A43DEFEE2A4C81ABC037B1DADD4C75111107EC62CF42FB83C7F087D0A0CE09E203C1D98B303FB0A8CBC10E30488CD
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8286
                      Entropy (8bit):3.6934388525342174
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNi5v67A6YqbSUyIzgmfQSACprT89bPhsfbsFm:RrlsNix6s6YmSUyMgmfQS8Pafbj
                      MD5:F1E6C392E4B6CC0F0A65585E4C3B7B99
                      SHA1:F9344BC95E4729AED1B609CC685CFE4517DE2481
                      SHA-256:A88CFA11511FD2D035C094657F3B0EA082A9EF65631B8E1E16CC2C56FC9C385E
                      SHA-512:3267C237E5977A4A06A697F96DBA00E3E6AEEDE06402525FFB5A26B9A0918D42B4EAC2CCAA690773A64A0073CC3784CA35AF70CF3D62D83096E7010FC01A95B5
                      Malicious:false
                      Reputation:low
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.1.2.<./.P.i.d.>.......
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4563
                      Entropy (8bit):4.452469055941927
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zsGJgtWI9d5Wgc8sqYj/8fm8M4JNYMRaF1+q8AF1Jh1OCKjNd:uITfcaIgrsqYAJNVUpFd1KjNd
                      MD5:DE072A8A459A307BA491F648E48381A2
                      SHA1:70883ED3C2DAAEE9A72A0784B361E6A2CC77453D
                      SHA-256:F07D5FC30BAE12860FB51EE5000B19640B5B5971358EA4F903EDB4191239CF8F
                      SHA-512:6B30DB8CF26480A8221CC131C9FBE9AF9C0BC1687929C12D53FB2DD4BC7D7E4D28C6FB27188F512E16E6854CB6A9C413C206CD01C33BBBCC4D3635A68B2BF20F
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1956294" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):1572864
                      Entropy (8bit):4.293929431477453
                      Encrypted:false
                      SSDEEP:12288:n8rZegyi2DJU47GdpiDMD0N7lEQtNXajb8IOCPoOufYOBN5P2RiKzvne:8rZegyi2DJ77GdpUjCIt
                      MD5:DB5455A4716DCF1C4A934793BD787789
                      SHA1:764A66FAB17D17C89BCFB3CAD7EB41CC7EA50F0D
                      SHA-256:CA6C0190AED9C59FEA927DF21F00CD36413AEB659DBD38FB9AB18ACFAB6B1444
                      SHA-512:88B492D675FBD0E7A415CAF9F824BC0B0C5AE9D50F4E373FC5C93D664581A162F64673A4ECA69F06CE69744D90301C231CC94BC69788596EE33788208525C74D
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):24576
                      Entropy (8bit):3.73192193625167
                      Encrypted:false
                      SSDEEP:384:5Z5/+0lljBA+x86rQpn88oTVgGXm+NODvkZ9x7NcA:5H/+0lltA+Ja88+VgG2nDvc7NN
                      MD5:5189D67EB5FF62555A13F4428262DB16
                      SHA1:52925E10DFD99E33DF78B0DA8B244F9CCBB2122C
                      SHA-256:53D7DDD1429C53C798EF5F527D3E9382090DEBD6968C2A629AC69278BDDA6790
                      SHA-512:90C178CCB9F44B6BBBF98140E55C7C7C5148779E4B7F96B4AED584B64E9C4524823BD61BDAA3B4A2E08F1F516AB6F1D2C92B9F2858A9CFE990024BF501674269
                      Malicious:false
                      Reputation:low
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):6.572339141382909
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:McDQxpmcsx.exe
                      File size:405504
                      MD5:de74e1eb8ca5494496632da478851ade
                      SHA1:99f22f4fa9a0619b9f09e15afc6446160ae6541e
                      SHA256:a597d34bc2464c3ace48ac04f6653f65ac4822ea8e4a5717ba9e4909b8c62240
                      SHA512:3f4daf1ed4e877b8afc746784ce697beea7cdd19b220b7a8535ba378906ebd7d9bd7c0ecdc11a7e952e050ffc31b7fa9cced324b33a45a8df682dd2f7f0519d2
                      SSDEEP:6144:JE9yDzN5oqKVsJAC328uO6s1wQW877buWxjy/qj+aA/H4:+EDJ5ofs9BuOB1wQW87XuWxM
                      TLSH:AA844A39F680D537D42118BCCE0FD2E5A569F2342D381957B6E45F4C48F9683AE2BA43
                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                      Icon Hash:00828e8e8686b000
                      Entrypoint:0x6512c74
                      Entrypoint Section:CODE
                      Digitally signed:false
                      Imagebase:0x64c0000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      DLL Characteristics:
                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:1
                      OS Version Minor:0
                      File Version Major:1
                      File Version Minor:0
                      Subsystem Version Major:1
                      Subsystem Version Minor:0
                      Import Hash:c62ca0115b2faa73006dca641101cfb1
                      Instruction
                      push ebp
                      mov ebp, esp
                      add esp, FFFFFFF4h
                      mov eax, 00452ADCh
                      call 00007F7A7C79293Dh
                      xor eax, eax
                      push ebp
                      push 00452CBFh
                      push dword ptr fs:[eax]
                      mov dword ptr fs:[eax], esp
                      push 00000000h
                      push 00000000h
                      push 0045E9D8h
                      mov ecx, 004523A0h
                      xor edx, edx
                      xor eax, eax
                      call 00007F7A7C78FA24h
                      or eax, FFFFFFFFh
                      call 00007F7A7C7CBA04h
                      xor eax, eax
                      pop edx
                      pop ecx
                      pop ecx
                      mov dword ptr fs:[eax], edx
                      push 00452CC6h
                      ret
                      jmp 00007F7A7C78F4A5h
                      jmp 00007F7A7C7DF3AAh
                      call 00007F7A7C78F892h
                      nop
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5f000 | 0x17ea | .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0x1a58 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x61000 | 0x418c | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      CODE | 0x1000 | 0x51ccc | 0x51e00 | False | 0.5017742127862596 | data | 6.320714277150328 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      DATA | 0x53000 | 0x6bc8 | 0x6c00 | False | 0.4409722222222222 | data | 5.893018164675212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      BSS | 0x5a000 | 0x49e1 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .idata | 0x5f000 | 0x17ea | 0x1800 | False | 0.3878580729166667 | data | 4.920853386252966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .reloc | 0x61000 | 0x418c | 0x4200 | False | 0.8029711174242424 | data | 6.799271556137428 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                      .rsrc | 0x66000 | 0x1a58 | 0x1c00 | False | 0.71875 | data | 6.014579613853744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country
                      RT_RCDATA | 0x66064 | 0x19f4 | ASCII text, with very long lines (6644), with no line terminators | |
                      DLL | Import
                      kernel32.dll | GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, lstrcpyA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, CreateFileA, CloseHandle
                      user32.dll | GetKeyboardType, MessageBoxA, CharNextA
                      advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                      oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysFreeString, SysReAllocStringLen, SysAllocStringLen
                      kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, GetModuleFileNameA
                      advapi32.dll | SetTokenInformation, RegSetValueExW, RegSetValueExA, RegQueryValueExW, RegQueryValueExA, RegOpenKeyExW, RegOpenKeyExA, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyW, RegCreateKeyA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, LookupAccountSidW, IsValidSid, GetUserNameW, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, AdjustTokenPrivileges
                      kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadContext, SetLastError, SetFileAttributesW, SetEvent, SetErrorMode, ResumeThread, RemoveDirectoryW, ReadProcessMemory, ReadFile, QueryDosDeviceW, OpenProcess, OpenMutexA, OpenFileMappingA, OpenEventA, MapViewOfFile, LockResource, LocalFree, LocalAlloc, LoadResource, LoadLibraryW, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GetVolumeInformationW, GetTimeZoneInformation, GetTickCount, GetThreadContext, GetTempPathW, GetSystemTime, GetSystemInfo, GetShortPathNameW, GetProcessTimes, GetProcAddress, GetModuleHandleA, GetModuleFileNameW, GetLocaleInfoA, GetLastError, GetFileSize, GetFileAttributesW, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeW, GetCurrentProcessId, GetCurrentProcess, GetComputerNameW, GetCommandLineW, FreeLibrary, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, ExitThread, ExitProcess, EnterCriticalSection, DuplicateHandle, DeleteFileW, CreateRemoteThread, CreateProcessW, CreateMutexA, CreateFileMappingA, CreateFileW, CreateFileA, CreateEventA, CreateDirectoryW, CloseHandle
                      version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
                      gdi32.dll | GetDCOrgEx, GetClipBox
                      user32.dll | SystemParametersInfoA, SetWindowPos, SetProcessWindowStation, RegisterClassExA, RegisterClassA, OpenWindowStationA, OffsetRect, LoadCursorA, IsIconic, IntersectRect, GetWindowThreadProcessId, GetWindowRect, GetWindowPlacement, GetSystemMetrics, GetLastInputInfo, GetClassInfoExA, ExitWindowsEx, EnumWindows, DefWindowProcA, CreateWindowExA, CreateDesktopA, ChildWindowFromPoint, CharLowerW
                      wininet.dll | InternetSetOptionA, InternetReadFile, InternetQueryOptionA, InternetOpenA, InternetConnectA, InternetCloseHandle, HttpSendRequestA, HttpOpenRequestA
                      ole32.dll | CoCreateInstance, CoSetProxyBlanket, CoInitializeSecurity, CoUninitialize, CoInitializeEx, CoInitialize
                      oleaut32.dll | SysAllocString
                      wsock32.dll | __WSAFDIsSet, WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, send, select, recv, ioctlsocket, inet_addr, htons, connect, closesocket
                      ntdll.dll | ZwSuspendProcess
                      wtsapi32.dll | WTSFreeMemory
                      Wtsapi32.dll | WTSEnumerateSessionsA
                      advapi32.dll | ConvertSidToStringSidA
                      PSAPI.DLL | GetModuleFileNameExW
                      kernel32.dll | GlobalMemoryStatusEx, GetDevicePowerState, GetVersionExA
                      shell32.dll | ShellExecuteExW
                      ole32.dll | CoTaskMemFree
                      ntdll.dll | ZwWriteVirtualMemory, NtQueryValueKey, NtDeleteValueKey, NtSetValueKey, ZwCreateSection, ZwMapViewOfSection, ZwUnmapViewOfSection, ZwQueryInformationProcess
                      advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorA
                      urlmon.dll | UrlMkSetSessionOption
                      Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.


                      Target ID:0
                      Start time:20:43:32
                      Start date:16/03/2023
                      Path:C:\Users\user\Desktop\McDQxpmcsx.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\Desktop\McDQxpmcsx.exe
                      Imagebase:0x64c0000
                      File size:405504 bytes
                      MD5 hash:DE74E1EB8CA5494496632DA478851ADE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Kovter, Description: Yara detected Kovter, Source: 00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Kovter, Description: Yara detected Kovter, Source: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:low

                      Target ID:2
                      Start time:20:43:33
                      Start date:16/03/2023
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 548
                      Imagebase:0xdf0000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                        C-Code - Quality: 86%
                        			E064C620C(intOrPtr __eax) {
                        				intOrPtr _t5;
                        				intOrPtr _t8;
                        
                        				_push(0); // executed
                        				L064C610C(); // executed
                        				 *0x45a4cc = __eax;
                        				 *0x00453100 = __eax;
                        				 *0x00453104 = 0;
                        				 *0x00453108 = 0;
                        				_t5 = E064C61C0();
                        				_t8 = 0x4530fc;
                        				return E064C30D8(_t5, _t8);
                        			}

                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 16290b3f9d436231d43aa026d19cd3bce2a929cac79990995bb311c0088d5a69
                        • Instruction ID: 5ac10d55ccadd135206b68881dd90d9f93b9fed3ff7193e11b4335386700be14
                        • Opcode Fuzzy Hash: 16290b3f9d436231d43aa026d19cd3bce2a929cac79990995bb311c0088d5a69
                        • Instruction Fuzzy Hash: 52D05EB41002015DE3C0EF668C04305FA90BB80322F10C25ED00C8A343CA78C0488F54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 71%
                        			E064D6A30(void* __ebx, void* __esi) {
                        				char _v8;
                        				void* __ecx;
                        				intOrPtr _t90;
                        				intOrPtr _t105;
                        
                        				_push(_t105);
                        				_push(0x416b91);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t105;
                        				 *0x45a774 = 0;
                        				_push(0x45a778);
                        				L064C6498();
                        				E064C3318(0, 0x416844, 0,  &_v8, 0, 1);
                        				E064C3318(0, 0x416844, 0,  &_v8, 0, 2);
                        				E064C3318(0, 0x416844, 0,  &_v8, 0, 3);
                        				E064C3318(0, 0x416844, 0,  &_v8, 0, 4);
                        				if(E06505308(E064C3318(0, 0x416844, 0,  &_v8, 0, 5)) == 1) {
                        					E064C3318(0, 0x416844, 0,  &_v8, 0, 6);
                        					E064C3318(0, 0x416844, 0,  &_v8, 0, 7);
                        					E064C3318(0, 0x416844, 0,  &_v8, 0, 8);
                        					E064C3318(0, 0x416844, 0,  &_v8, 0, 9);
                        					E064C3318(0, 0x416844, 0,  &_v8, 0, 0xa);
                        					E064C3318(0, 0x416844, 0,  &_v8, 0, 0xb);
                        					E064C3318(0, 0x416844, 0,  &_v8, 0, 0xc);
                        					E064C3318(0, 0x416844, 0,  &_v8, 0, 0xd);
                        					E064C3318(0, 0x416844, 0,  &_v8, 0, 0xe);
                        					E064C3318(0, 0x416844, 0,  &_v8, 0, 0xf);
                        				}
                        				_pop(_t90);
                        				 *[fs:eax] = _t90;
                        				_push(0x416b98);
                        				return 0;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: DhA
                        • API String ID: 0-606956711
                        • Opcode ID: 18c448fff161cc4110ea50e04b39138ecc90dd3b9d7f18569b2211b89c4d1d41
                        • Instruction ID: f598a04ab3bd3655b6a8d15e16e3d395eae9c089313b1785377f8a66c06bad9f
                        • Opcode Fuzzy Hash: 18c448fff161cc4110ea50e04b39138ecc90dd3b9d7f18569b2211b89c4d1d41
                        • Instruction Fuzzy Hash: 6E413469B903187AEBD5DEB68C11FDF329F6788B10F50C83E6A04EE5C1ED749A0047A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E064C6FDC(void* __eflags, intOrPtr _a4) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				intOrPtr _v40;
                        				intOrPtr _v44;
                        				intOrPtr _v48;
                        				intOrPtr _v52;
                        				intOrPtr _v56;
                        				intOrPtr _v60;
                        				intOrPtr _v64;
                        				intOrPtr _v68;
                        				char _v72;
                        				void* _t762;
                        				signed int _t773;
                        				signed int _t774;
                        				signed int _t775;
                        				signed int _t776;
                        				signed int _t777;
                        				signed int _t778;
                        				signed int _t779;
                        				signed int _t780;
                        				signed int _t781;
                        				signed int _t782;
                        				signed int _t783;
                        				signed int _t784;
                        				signed int _t785;
                        				signed int _t786;
                        				signed int _t787;
                        				signed int _t788;
                        				signed int _t860;
                        				signed int _t861;
                        				signed int _t862;
                        				signed int _t863;
                        				signed int _t864;
                        				signed int _t865;
                        				signed int _t866;
                        				signed int _t867;
                        				signed int _t868;
                        				signed int _t869;
                        				signed int _t870;
                        				signed int _t871;
                        				signed int _t872;
                        				signed int _t873;
                        				signed int _t874;
                        				signed int _t875;
                        				signed int _t876;
                        				signed int _t877;
                        				signed int _t878;
                        				signed int _t879;
                        				signed int _t880;
                        				signed int _t881;
                        				signed int _t882;
                        				signed int _t883;
                        				signed int _t884;
                        				signed int _t885;
                        				signed int _t886;
                        				signed int _t887;
                        				signed int _t888;
                        				signed int _t889;
                        				signed int _t890;
                        				signed int _t891;
                        
                        				E064C266C(_a4 + 0xffffffc0, 0x40,  &_v72);
                        				_t876 =  *(_a4 - 0x4c);
                        				_t859 =  *(_a4 - 0x48);
                        				_v8 =  *((intOrPtr*)(_a4 - 0x44));
                        				_t773 = E064C6FC4(((_v8 ^  *(_a4 - 0x48)) & _t876 ^ _v8) +  *((intOrPtr*)(_a4 - 0x50)) + _v72 + 0xd76aa478, 7) + _t876;
                        				_v8 = E064C6FC4((( *(_a4 - 0x48) ^ _t876) & _t773 ^  *(_a4 - 0x48)) + _v8 + _v68 + 0xe8c7b756, 0xc) + _t773;
                        				_t860 = E064C6FC4(((_t876 ^ _t773) & _v8 ^ _t876) + _t859 + _v64 + 0x242070db, 0x11) + _v8;
                        				_t877 = E064C6FC4(((_v8 ^ _t773) & _t860 ^ _t773) + _t876 + _v60 + 0xc1bdceee, 0x16) + _t860;
                        				_t774 = E064C6FC4(((_v8 ^ _t860) & _t877 ^ _v8) + _t773 + _v56 + 0xf57c0faf, 7) + _t877;
                        				_v8 = E064C6FC4(((_t860 ^ _t877) & _t774 ^ _t860) + _v8 + _v52 + 0x4787c62a, 0xc) + _t774;
                        				_t861 = E064C6FC4(((_t877 ^ _t774) & _v8 ^ _t877) + _t860 + _v48 + 0xa8304613, 0x11) + _v8;
                        				_t878 = E064C6FC4(((_v8 ^ _t774) & _t861 ^ _t774) + _t877 + _v44 + 0xfd469501, 0x16) + _t861;
                        				_t775 = E064C6FC4(((_v8 ^ _t861) & _t878 ^ _v8) + _t774 + _v40 + 0x698098d8, 7) + _t878;
                        				_v8 = E064C6FC4(((_t861 ^ _t878) & _t775 ^ _t861) + _v8 + _v36 + 0x8b44f7af, 0xc) + _t775;
                        				_t862 = E064C6FC4(((_t878 ^ _t775) & _v8 ^ _t878) + _t861 + _v32 + 0xffff5bb1, 0x11) + _v8;
                        				_t879 = E064C6FC4(((_v8 ^ _t775) & _t862 ^ _t775) + _t878 + _v28 + 0x895cd7be, 0x16) + _t862;
                        				_t776 = E064C6FC4(((_v8 ^ _t862) & _t879 ^ _v8) + _t775 + _v24 + 0x6b901122, 7) + _t879;
                        				_v8 = E064C6FC4(((_t862 ^ _t879) & _t776 ^ _t862) + _v8 + _v20 + 0xfd987193, 0xc) + _t776;
                        				_t863 = E064C6FC4(((_t879 ^ _t776) & _v8 ^ _t879) + _t862 + _v16 + 0xa679438e, 0x11) + _v8;
                        				_t880 = E064C6FC4(((_v8 ^ _t776) & _t863 ^ _t776) + _t879 + _v12 + 0x49b40821, 0x16) + _t863;
                        				_t777 = E064C6FC4(((_t863 ^ _t880) & _v8 ^ _t863) + _t776 + _v68 + 0xf61e2562, 5) + _t880;
                        				_v8 = E064C6FC4(((_t880 ^ _t777) & _t863 ^ _t880) + _v8 + _v48 + 0xc040b340, 9) + _t777;
                        				_t864 = E064C6FC4(((_v8 ^ _t777) & _t880 ^ _t777) + _t863 + _v28 + 0x265e5a51, 0xe) + _v8;
                        				_t881 = E064C6FC4(((_v8 ^ _t864) & _t777 ^ _v8) + _t880 + _v72 + 0xe9b6c7aa, 0x14) + _t864;
                        				_t778 = E064C6FC4(((_t864 ^ _t881) & _v8 ^ _t864) + _t777 + _v52 + 0xd62f105d, 5) + _t881;
                        				_v8 = E064C6FC4(((_t881 ^ _t778) & _t864 ^ _t881) + _v8 + _v32 + 0x2441453, 9) + _t778;
                        				_t865 = E064C6FC4(((_v8 ^ _t778) & _t881 ^ _t778) + _t864 + _v12 + 0xd8a1e681, 0xe) + _v8;
                        				_t882 = E064C6FC4(((_v8 ^ _t865) & _t778 ^ _v8) + _t881 + _v56 + 0xe7d3fbc8, 0x14) + _t865;
                        				_t779 = E064C6FC4(((_t865 ^ _t882) & _v8 ^ _t865) + _t778 + _v36 + 0x21e1cde6, 5) + _t882;
                        				_v8 = E064C6FC4(((_t882 ^ _t779) & _t865 ^ _t882) + _v8 + _v16 + 0xc33707d6, 9) + _t779;
                        				_t866 = E064C6FC4(((_v8 ^ _t779) & _t882 ^ _t779) + _t865 + _v60 + 0xf4d50d87, 0xe) + _v8;
                        				_t883 = E064C6FC4(((_v8 ^ _t866) & _t779 ^ _v8) + _t882 + _v40 + 0x455a14ed, 0x14) + _t866;
                        				_t780 = E064C6FC4(((_t866 ^ _t883) & _v8 ^ _t866) + _t779 + _v20 + 0xa9e3e905, 5) + _t883;
                        				_v8 = E064C6FC4(((_t883 ^ _t780) & _t866 ^ _t883) + _v8 + _v64 + 0xfcefa3f8, 9) + _t780;
                        				_t867 = E064C6FC4(((_v8 ^ _t780) & _t883 ^ _t780) + _t866 + _v44 + 0x676f02d9, 0xe) + _v8;
                        				_t884 = E064C6FC4(((_v8 ^ _t867) & _t780 ^ _v8) + _t883 + _v24 + 0x8d2a4c8a, 0x14) + _t867;
                        				_t781 = E064C6FC4((_t867 ^ _t884 ^ _v8) + _t780 + _v52 + 0xfffa3942, 4) + _t884;
                        				_v8 = E064C6FC4((_t884 ^ _t781 ^ _t867) + _v8 + _v40 + 0x8771f681, 0xb) + _t781;
                        				_t868 = E064C6FC4((_v8 ^ _t781 ^ _t884) + _t867 + _v28 + 0x6d9d6122, 0x10) + _v8;
                        				_t885 = E064C6FC4((_v8 ^ _t868 ^ _t781) + _t884 + _v16 + 0xfde5380c, 0x17) + _t868;
                        				_t782 = E064C6FC4((_t868 ^ _t885 ^ _v8) + _t781 + _v68 + 0xa4beea44, 4) + _t885;
                        				_v8 = E064C6FC4((_t885 ^ _t782 ^ _t868) + _v8 + _v56 + 0x4bdecfa9, 0xb) + _t782;
                        				_t869 = E064C6FC4((_v8 ^ _t782 ^ _t885) + _t868 + _v44 + 0xf6bb4b60, 0x10) + _v8;
                        				_t886 = E064C6FC4((_v8 ^ _t869 ^ _t782) + _t885 + _v32 + 0xbebfbc70, 0x17) + _t869;
                        				_t783 = E064C6FC4((_t869 ^ _t886 ^ _v8) + _t782 + _v20 + 0x289b7ec6, 4) + _t886;
                        				_v8 = E064C6FC4((_t886 ^ _t783 ^ _t869) + _v8 + _v72 + 0xeaa127fa, 0xb) + _t783;
                        				_t870 = E064C6FC4((_v8 ^ _t783 ^ _t886) + _t869 + _v60 + 0xd4ef3085, 0x10) + _v8;
                        				_t887 = E064C6FC4((_v8 ^ _t870 ^ _t783) + _t886 + _v48 + 0x4881d05, 0x17) + _t870;
                        				_t784 = E064C6FC4((_t870 ^ _t887 ^ _v8) + _t783 + _v36 + 0xd9d4d039, 4) + _t887;
                        				_v8 = E064C6FC4((_t887 ^ _t784 ^ _t870) + _v8 + _v24 + 0xe6db99e5, 0xb) + _t784;
                        				_t871 = E064C6FC4((_v8 ^ _t784 ^ _t887) + _t870 + _v12 + 0x1fa27cf8, 0x10) + _v8;
                        				_t888 = E064C6FC4((_v8 ^ _t871 ^ _t784) + _t887 + _v64 + 0xc4ac5665, 0x17) + _t871;
                        				_t785 = E064C6FC4((( !_v8 | _t888) ^ _t871) + _t784 + _v72 + 0xf4292244, 6) + _t888;
                        				_v8 = E064C6FC4((( !_t871 | _t785) ^ _t888) + _v8 + _v44 + 0x432aff97, 0xa) + _t785;
                        				_t872 = E064C6FC4((( !_t888 | _v8) ^ _t785) + _t871 + _v16 + 0xab9423a7, 0xf) + _v8;
                        				_t889 = E064C6FC4((( !_t785 | _t872) ^ _v8) + _t888 + _v52 + 0xfc93a039, 0x15) + _t872;
                        				_t786 = E064C6FC4((( !_v8 | _t889) ^ _t872) + _t785 + _v24 + 0x655b59c3, 6) + _t889;
                        				_v8 = E064C6FC4((( !_t872 | _t786) ^ _t889) + _v8 + _v60 + 0x8f0ccc92, 0xa) + _t786;
                        				_t873 = E064C6FC4((( !_t889 | _v8) ^ _t786) + _t872 + _v32 + 0xffeff47d, 0xf) + _v8;
                        				_t890 = E064C6FC4((( !_t786 | _t873) ^ _v8) + _t889 + _v68 + 0x85845dd1, 0x15) + _t873;
                        				_t787 = E064C6FC4((( !_v8 | _t890) ^ _t873) + _t786 + _v40 + 0x6fa87e4f, 6) + _t890;
                        				_v8 = E064C6FC4((( !_t873 | _t787) ^ _t890) + _v8 + _v12 + 0xfe2ce6e0, 0xa) + _t787;
                        				_t874 = E064C6FC4((( !_t890 | _v8) ^ _t787) + _t873 + _v48 + 0xa3014314, 0xf) + _v8;
                        				_t891 = E064C6FC4((( !_t787 | _t874) ^ _v8) + _t890 + _v20 + 0x4e0811a1, 0x15) + _t874;
                        				_t788 = E064C6FC4((( !_v8 | _t891) ^ _t874) + _t787 + _v56 + 0xf7537e82, 6) + _t891;
                        				_v8 = E064C6FC4((( !_t874 | _t788) ^ _t891) + _v8 + _v28 + 0xbd3af235, 0xa) + _t788;
                        				_t875 = E064C6FC4((( !_t891 | _v8) ^ _t788) + _t874 + _v64 + 0x2ad7d2bb, 0xf) + _v8;
                        				_t762 = E064C6FC4((( !_t788 | _t875) ^ _v8) + _t891 + _v36 + 0xeb86d391, 0x15);
                        				 *((intOrPtr*)(_a4 - 0x50)) =  *((intOrPtr*)(_a4 - 0x50)) + _t788;
                        				 *(_a4 - 0x4c) =  *(_a4 - 0x4c) + _t762 + _t875;
                        				 *(_a4 - 0x48) =  *(_a4 - 0x48) + _t875;
                        				 *((intOrPtr*)(_a4 - 0x44)) =  *((intOrPtr*)(_a4 - 0x44)) + _v8;
                        				 *((intOrPtr*)(_a4 - 0x5c)) = 0;
                        				return E064C277C(_a4 + 0xffffffc0, 0x40);
                        			}

                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: db3e607bc732dfcf5ac214234888a6de6e879a92abf7d50a0be8c3545c3f4d83
                        • Instruction ID: 9f9a2ab68807732e18e3cec60e0a0273f193319de36c36403f6b4fdfb8b16d99
                        • Opcode Fuzzy Hash: db3e607bc732dfcf5ac214234888a6de6e879a92abf7d50a0be8c3545c3f4d83
                        • Instruction Fuzzy Hash: 39421877B10018AFCB90DFADCD827CEB3E2AF58228F2D88699554E7741D638EE059750
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E064D9AE0(char* __eax, void* __ebx, signed int __ecx, char* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                        				char* _v8;
                        				char* _v12;
                        				char _v20;
                        				char _v28;
                        				signed int* _v32;
                        				char _v36;
                        				char _v37;
                        				char _v38;
                        				signed int _v44;
                        				signed int _v48;
                        				signed int _v56;
                        				signed int _v60;
                        				signed int _v64;
                        				signed int _v68;
                        				char _v72;
                        				void* _t237;
                        				void* _t271;
                        				signed int* _t279;
                        				intOrPtr _t285;
                        				signed int _t290;
                        				signed int _t299;
                        				signed int _t309;
                        				void* _t322;
                        				intOrPtr _t329;
                        				signed int _t336;
                        				intOrPtr _t351;
                        				signed int _t372;
                        				signed int _t386;
                        				signed int _t392;
                        				signed int _t397;
                        				char _t399;
                        				signed int _t401;
                        				char* _t403;
                        				void* _t406;
                        				intOrPtr _t407;
                        				void* _t409;
                        
                        				_t409 = __eflags;
                        				_t330 = __ecx;
                        				_t407 = _t406 + 0xffffffbc;
                        				_push(__edi);
                        				_t403 = __ecx;
                        				_v12 = __edx;
                        				_v8 = __eax;
                        				_t329 = _a4;
                        				E064C3E84( &_v20,  *0x4187cc);
                        				E064C3E84( &_v28,  *0x4187cc);
                        				E064C3E84( &_v36,  *0x4187cc);
                        				_push(_t406);
                        				_push(0x419ec7);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t407;
                        				_v37 =  *_v8;
                        				_v38 =  *_v12;
                        				E064D94E0(_v8);
                        				E064D94E0(_v12);
                        				E064D94E4(_v8, _t329, _t409);
                        				E064D94E4(_v12,  &_v36, _t409);
                        				if(E064D9110(_v8, _t330, _v12) == 1) {
                        					E064D8E9C(0x419ee0, _t329, _t403, __edi, _t403);
                        					L23:
                        					_t397 =  *( *(_t403 + 4));
                        					while(_t397 > 1 && ( *(_t403 + 4))[_t397] == 0) {
                        						_t397 = _t397 - 1;
                        						__eflags = _t397;
                        					}
                        					if(_t397 <  *( *(_t403 + 4))) {
                        						_t169 = _t397 + 1; // 0x0
                        						_t330 = 1;
                        						E064C51D0();
                        						 *( *(_t403 + 4)) = _t397;
                        					}
                        					 *_t403 = 1;
                        					E064D90FC( &_v36);
                        					E064D8E9C(0x419ee0, _t329,  &_v28, _t397, _t403);
                        					E064D8E9C(0x419eec, _t329,  &_v20, _t397, _t403);
                        					if(_v37 != 0) {
                        						 *_t403 = _v38;
                        					} else {
                        						_t237 = E064D9110(_t329, _t330,  &_v28);
                        						_t418 = _t237 - 2;
                        						if(_t237 != 2) {
                        							E064D9188(_t403,  &_v36,  &_v20);
                        							E064D90FC(_t403);
                        							E064D94E4( &_v36, _t403, _t418);
                        							E064D90FC( &_v36);
                        							E064D93DC(_v12,  &_v36, _t329);
                        							E064D90FC(_t329);
                        							E064D94E4( &_v36, _t329, _t418);
                        							E064D90FC( &_v36);
                        						}
                        						if(_v38 == 1) {
                        							 *_t403 = 0;
                        						}
                        					}
                        					E064D90FC( &_v20);
                        					E064D90FC( &_v28);
                        					 *_v8 = _v37;
                        					 *_v12 = _v38;
                        					_pop(_t351);
                        					 *[fs:eax] = _t351;
                        					_push(0x419ece);
                        					return E064C3F7C( &_v36, 3,  *0x4187cc);
                        				}
                        				_t399 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) -  *((intOrPtr*)( *((intOrPtr*)(_v12 + 4))));
                        				_t22 = _t399 + 2; // 0x2
                        				_t336 = 1;
                        				E064C51D0();
                        				_t407 = _t407 + 4;
                        				_t24 = _t399 + 1; // 0x1
                        				 *( *(_t403 + 4)) = _t24;
                        				if(_t399 <= 0) {
                        					L4:
                        					_v44 = _t399 + 1;
                        					_t330 = 0;
                        					( *(_t403 + 4))[_v44] = 0;
                        					while(E064D9110(_t329, _t330, _v12) != 1) {
                        						while(1) {
                        							_t271 = E064D9110(_t329, _t330,  &_v36);
                        							__eflags = _t271 - 1;
                        							if(_t271 == 1) {
                        								break;
                        							}
                        							_t401 =  *_v32;
                        							_t330 =  *( *(_t329 + 4));
                        							__eflags = _t401 - _t330;
                        							if(_t401 >= _t330) {
                        								__eflags =  *( *(_t329 + 4)) - 1;
                        								if( *( *(_t329 + 4)) <= 1) {
                        									L10:
                        									_t330 = _v32[ *_v32] + 1;
                        									__eflags = 0;
                        									_v60 = ( *(_t329 + 4))[ *( *(_t329 + 4))] / (_v32[ *_v32] + 1);
                        									_v56 = 0;
                        									goto L11;
                        								}
                        								_t285 = _v12;
                        								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t285 + 4)))) - 1;
                        								if( *((intOrPtr*)( *((intOrPtr*)(_t285 + 4)))) <= 1) {
                        									goto L10;
                        								} else {
                        									_v60 = ( *(_t329 + 4))[ *( *(_t329 + 4))];
                        									_v56 = 0;
                        									_t290 = _v60;
                        									_v60 = _t290 << 0x1f;
                        									_v56 = (_v56 << 0x00000020 | _t290) << 0x1f;
                        									asm("adc edx, [ebp-0x34]");
                        									_v60 =  *((intOrPtr*)( *(_t329 + 4) +  *( *(_t329 + 4)) * 4 - 4)) + _v60;
                        									_v56 = 0;
                        									_t330 =  *_v32;
                        									_v68 = _v32[_t330];
                        									_v64 = 0;
                        									_t299 = _v68;
                        									_v68 = _t299 << 0x1f;
                        									_v64 = (_v64 << 0x00000020 | _t299) << 0x1f;
                        									asm("adc edx, [ebp-0x3c]");
                        									asm("adc edx, 0x0");
                        									_v68 =  *((intOrPtr*)(_v32 + _t330 * 4 - 4)) + _v68 + 1;
                        									_v64 = 0;
                        									_t386 = _v56;
                        									_v60 = E064C5D62(_v60, _t386, _v68, _v64);
                        									_v56 = _t386;
                        									goto L11;
                        								}
                        							} else {
                        								_v60 = ( *(_t329 + 4))[_t330];
                        								_v56 = 0;
                        								_t309 = _v60;
                        								_v60 = _t309 << 0x1f;
                        								_v56 = (_v56 << 0x00000020 | _t309) << 0x1f;
                        								asm("adc edx, [ebp-0x34]");
                        								_v60 =  *((intOrPtr*)( *(_t329 + 4) + _t330 * 4 - 4)) + _v60;
                        								_v56 = 0;
                        								_t392 = _v56;
                        								_v60 = E064C5D62(_v60, _t392, _v32[_t401] + 1, 0);
                        								_v56 = _t392;
                        								L11:
                        								__eflags = _v56;
                        								if(__eflags == 0) {
                        									__eflags = _v60;
                        								}
                        								if(__eflags == 0) {
                        									_t279 =  *(_t403 + 4);
                        									_t372 = _v44;
                        									_t150 =  &(_t279[_t372]);
                        									 *_t150 = _t279[_t372] + 1;
                        									__eflags =  *_t150;
                        									E064D9574(_t329,  &_v36);
                        								} else {
                        									E064D9EF0(_t329, _v60,  &_v36);
                        									_t330 = _v60;
                        									( *(_t403 + 4))[_v44] = ( *(_t403 + 4))[_v44] + _v60;
                        								}
                        								continue;
                        							}
                        						}
                        						__eflags =  *( *(_t329 + 4)) -  *_v32;
                        						if( *( *(_t329 + 4)) <=  *_v32) {
                        							_t322 = E064D9110( &_v36, _t330, _v12);
                        							__eflags = _t322 - 2;
                        							if(_t322 != 2) {
                        								E064D951C( &_v36);
                        								_t161 =  &_v44;
                        								 *_t161 = _v44 - 1;
                        								__eflags =  *_t161;
                        							}
                        						}
                        					}
                        					goto L23;
                        				} else {
                        					_v72 = _t399;
                        					_v48 = 1;
                        					do {
                        						E064D99FC( &_v36, _t336);
                        						_t336 = 0;
                        						( *(_t403 + 4))[_v48] = 0;
                        						_v48 = _v48 + 1;
                        						_t35 =  &_v72;
                        						 *_t35 = _v72 - 1;
                        					} while ( *_t35 != 0);
                        					goto L4;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 97319d965e9968a6b08315866f51fde26aeb3f2e46170c82c4c9653d9cfd0716
                        • Instruction ID: 872b1be03855eb85bc8fdd9a55ee4433298e9c6cffa7bfaa4926b0c71bbdb73b
                        • Opcode Fuzzy Hash: 97319d965e9968a6b08315866f51fde26aeb3f2e46170c82c4c9653d9cfd0716
                        • Instruction Fuzzy Hash: 77E1D174E00209DFCB95DF99D99099EBBF2FF89300F14806AE465AB325D734AD46CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 52%
                        			E064D4524(void* __ebx, intOrPtr* __edi, void* __esi) {
                        				char _v8;
                        				unsigned int _v36;
                        				char _v48;
                        				intOrPtr _v80;
                        				intOrPtr _v88;
                        				void* _t56;
                        				signed int _t58;
                        				void* _t60;
                        				void* _t61;
                        				unsigned int _t66;
                        				unsigned int _t68;
                        				signed int _t72;
                        				unsigned int _t80;
                        				void* _t85;
                        				void* _t86;
                        				void* _t91;
                        				void* _t92;
                        				void* _t116;
                        				unsigned int* _t123;
                        				unsigned int* _t124;
                        				intOrPtr _t139;
                        				unsigned int _t150;
                        				signed int _t156;
                        				intOrPtr _t163;
                        				intOrPtr* _t169;
                        				unsigned int _t172;
                        				intOrPtr _t173;
                        				void* _t176;
                        				intOrPtr* _t177;
                        
                        				_t169 = __edi;
                        				_t177 = _t176 + 0xffffffd4;
                        				_push(__edi);
                        				_v8 = 0;
                        				_push(_t176);
                        				_push(0x4147da);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t177;
                        				_push(0x4147ec);
                        				L064C64B8();
                        				if(0 != 0) {
                        					_push(0x4147f8);
                        					_push(0);
                        					L064C6448();
                        					_t169 = 0;
                        				}
                        				if(_t169 == 0) {
                        					__eflags = 0;
                        					_pop(_t139);
                        					 *[fs:eax] = _t139;
                        					_push(0x4147e1);
                        					return E064C52D0( &_v8,  *0x414510);
                        				}
                        				L3:
                        				while(1) {
                        					if(E064D1A34() <=  *((intOrPtr*)( *0x459950))) {
                        						_t56 = E06502DAC(_t55);
                        						_push(0);
                        						_push(_t56);
                        						_t58 =  *( *0x459924);
                        						asm("cdq");
                        						_t60 = _t58 / 0x64 + _t58 / 0x64 * 4;
                        						asm("cdq");
                        						__eflags = _t58 % 0x64 - _v80;
                        						if(__eflags != 0) {
                        							_pop(_t61);
                        							if(__eflags >= 0) {
                        								L26:
                        								_push(0);
                        								E064C51D0();
                        								_t177 = _t177 + 4;
                        								_t172 = 0;
                        								__eflags = 0;
                        								_t123 =  *0x459a84;
                        								do {
                        									__eflags =  *_t123;
                        									if( *_t123 != 0) {
                        										_t66 =  *_t169( *_t123,  &_v48, 0x28);
                        										__eflags = _t66;
                        										if(_t66 != 0) {
                        											__eflags = _v36 >> 0xa >> 0xa;
                        											if(_v36 >> 0xa >> 0xa > 0) {
                        												_t80 = E064C5014(_v8) + 1;
                        												__eflags = _t80;
                        												_push(_t80);
                        												E064C51D0();
                        												_t177 = _t177 + 4;
                        												 *((intOrPtr*)(_v8 + E064C5014(_v8) * 4 - 4)) = _t172;
                        											}
                        										}
                        									}
                        									_t172 = _t172 + 1;
                        									_t123 =  &(_t123[0x82]);
                        									__eflags = _t172 - 0x1e;
                        								} while (_t172 != 0x1e);
                        								_t68 = E064C5014(_v8);
                        								__eflags = _t68;
                        								if(_t68 > 0) {
                        									_t72 =  *(_v8 + E064C279C(E064C5014(_v8)) * 4);
                        									_t150 =  *( *0x459a84 + ((_t72 << 6) + _t72) * 8);
                        									__eflags = _t150;
                        									if(_t150 != 0) {
                        										_push(3);
                        										__eflags = (_t72 << 6) + _t72;
                        										_push(_t150);
                        										L064C6568();
                        									}
                        								}
                        								L35:
                        								_push(0xfa);
                        								L064C6560();
                        								continue;
                        							}
                        							L25:
                        							_t85 = E064FF668(_t61);
                        							__eflags = _t85 - 5;
                        							if(_t85 > 5) {
                        								goto L35;
                        							}
                        							goto L26;
                        						}
                        						__eflags = _t60 -  *_t177;
                        						_pop(_t61);
                        						if(_t60 >=  *_t177) {
                        							goto L26;
                        						}
                        						goto L25;
                        					}
                        					_t86 = E06502DAC(_t55);
                        					_push(0);
                        					_push(_t86);
                        					asm("cdq");
                        					_t156 =  *( *0x459924) % 0x64;
                        					asm("cdq");
                        					_t91 = E064C5D1C( *( *0x459924) / 0x64, _t156, 0xd, 0);
                        					if(_t156 != _v88) {
                        						_pop(_t157);
                        						_pop(_t92);
                        						if(__eflags >= 0) {
                        							L12:
                        							_push(0);
                        							E064C51D0();
                        							_t177 = _t177 + 4;
                        							_t173 = 0;
                        							_t124 =  *0x459a84;
                        							do {
                        								if( *_t124 != 0) {
                        									_push(0x28);
                        									_push( &_v48);
                        									_push( *_t124);
                        									if( *_t169() != 0 && _v36 >> 0xa >> 0xa > 0) {
                        										_push(E064C5014(_v8) + 1);
                        										E064C51D0();
                        										_t177 = _t177 + 4;
                        										 *((intOrPtr*)(_v8 + E064C5014(_v8) * 4 - 4)) = _t173;
                        									}
                        								}
                        								_t173 = _t173 + 1;
                        								_t124 =  &(_t124[0x82]);
                        							} while (_t173 != 0x1e);
                        							if(E064C5014(_v8) > 0) {
                        								_t163 =  *((intOrPtr*)( *0x459a84 + (( *(_v8 + E064C279C(E064C5014(_v8)) * 4) << 6) +  *(_v8 + E064C279C(E064C5014(_v8)) * 4)) * 8));
                        								if(_t163 != 0) {
                        									_push(3);
                        									_push(_t163);
                        									L064C6568();
                        								}
                        							}
                        							goto L35;
                        						}
                        						L8:
                        						_t116 = E064FF668(_t92);
                        						asm("cdq");
                        						_push(_t116);
                        						if(0 != _v80) {
                        							if(__eflags < 0) {
                        								goto L35;
                        							}
                        							goto L12;
                        						}
                        						if(0xd <  *_t177) {
                        							goto L35;
                        						} else {
                        							goto L12;
                        						}
                        					}
                        					_pop(_t157);
                        					_pop(_t92);
                        					if(_t91 >=  *_t177) {
                        						goto L12;
                        					} else {
                        						goto L8;
                        					}
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 21913e31528494e32640f7fc0b8c149e8aab5f9d709b921b3c28052cc8628be0
                        • Instruction ID: 6e9f1eb225c41dc2d31e9af995ad57d4ea4569ed3c7b668bb4733b5a64fdd033
                        • Opcode Fuzzy Hash: 21913e31528494e32640f7fc0b8c149e8aab5f9d709b921b3c28052cc8628be0
                        • Instruction Fuzzy Hash: A7718279E002049FEBD5EB69DD90AAE73E6EBC5710F20412AE521D7390DB30EE11C765
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E064C7DA8(unsigned int* __eax, signed int* __ecx, unsigned int* __edx) {
                        				signed int* _v20;
                        				signed int* _v24;
                        				signed int* _v28;
                        				unsigned int* _v32;
                        				signed int _v36;
                        				signed int _v40;
                        				signed int* _v44;
                        				unsigned int* _t66;
                        				signed int _t73;
                        				unsigned int* _t74;
                        				signed int* _t75;
                        				unsigned int _t77;
                        				void* _t79;
                        				void* _t80;
                        				void* _t83;
                        				void* _t84;
                        				void* _t85;
                        				void* _t86;
                        				signed int* _t92;
                        				unsigned int _t94;
                        				unsigned int _t159;
                        				unsigned int _t168;
                        				unsigned int _t177;
                        				unsigned int _t186;
                        				unsigned int** _t197;
                        
                        				_t197 =  &_v32;
                        				_v44 = __ecx;
                        				 *_t197 = __eax;
                        				_t79 = 0x10;
                        				_t66 = __edx;
                        				_t75 = _v44;
                        				do {
                        					 *_t75 =  *_t66 << 0x00000018 | ( *_t66 & 0x0000ff00) << 0x00000008 | ( *_t66 & 0x00ff0000) >> 0x00000008 |  *_t66 >> 0x00000018;
                        					_t75 =  &(_t75[1]);
                        					_t66 =  &(_t66[1]);
                        					_t79 = _t79 - 1;
                        				} while (_t79 != 0);
                        				_t80 = 0x40;
                        				_t92 =  &(_v44[0xd]);
                        				do {
                        					_t92[3] = ( *_t92 ^  *(_t92 - 0x14) ^  *(_t92 - 0x2c) ^  *(_t92 - 0x34)) + ( *_t92 ^  *(_t92 - 0x14) ^  *(_t92 - 0x2c) ^  *(_t92 - 0x34)) | ( *_t92 ^  *(_t92 - 0x14) ^  *(_t92 - 0x2c) ^  *(_t92 - 0x34)) >> 0x0000001f;
                        					_t92 =  &(_t92[1]);
                        					_t80 = _t80 - 1;
                        				} while (_t80 != 0);
                        				_t77 =  *( *_t197);
                        				_t94 = ( *_t197)[1];
                        				_v40 = ( *_t197)[2];
                        				_t73 = ( *_t197)[3];
                        				_v36 = ( *_t197)[4];
                        				_t83 = 0x14;
                        				_v32 = _v44;
                        				do {
                        					_t159 = (_t77 << 0x00000005 | _t77 >> 0x0000001b) + ((_v40 ^ _t73) & _t94 ^ _t73) + _v36 +  *_v32 + 0x5a827999;
                        					_v36 = _t73;
                        					_t73 = _v40;
                        					_v40 = _t94 << 0x0000001e | _t94 >> 0x00000002;
                        					_t94 = _t77;
                        					_t77 = _t159;
                        					_v32 =  &(_v32[1]);
                        					_t83 = _t83 - 1;
                        				} while (_t83 != 0);
                        				_t84 = 0x14;
                        				_v28 =  &(_v44[0x14]);
                        				do {
                        					_t168 = (_t77 << 0x00000005 | _t77 >> 0x0000001b) + (_v40 ^ _t94 ^ _t73) + _v36 +  *_v28 + 0x6ed9eba1;
                        					_v36 = _t73;
                        					_t73 = _v40;
                        					_v40 = _t94 << 0x0000001e | _t94 >> 0x00000002;
                        					_t94 = _t77;
                        					_t77 = _t168;
                        					_v28 =  &(_v28[1]);
                        					_t84 = _t84 - 1;
                        				} while (_t84 != 0);
                        				_t85 = 0x14;
                        				_v24 =  &(_v44[0x28]);
                        				do {
                        					_t177 = (_t77 << 0x00000005 | _t77 >> 0x0000001b) + (_v40 & _t94 | _t73 & _t94 | _v40 & _t73) + _v36 +  *_v24 + 0x8f1bbcdc;
                        					_v36 = _t73;
                        					_t73 = _v40;
                        					_v40 = _t94 << 0x0000001e | _t94 >> 0x00000002;
                        					_t94 = _t77;
                        					_t77 = _t177;
                        					_v24 =  &(_v24[1]);
                        					_t85 = _t85 - 1;
                        				} while (_t85 != 0);
                        				_t86 = 0x14;
                        				_v20 =  &(_v44[0x3c]);
                        				do {
                        					_t186 = (_t77 << 0x00000005 | _t77 >> 0x0000001b) + (_v40 ^ _t94 ^ _t73) + _v36 +  *_v20 + 0xca62c1d6;
                        					_v36 = _t73;
                        					_t73 = _v40;
                        					_v40 = _t94 << 0x0000001e | _t94 >> 0x00000002;
                        					_t94 = _t77;
                        					_t77 = _t186;
                        					_v20 =  &(_v20[1]);
                        					_t86 = _t86 - 1;
                        				} while (_t86 != 0);
                        				 *( *_t197) =  *( *_t197) + _t77;
                        				( *_t197)[1] = ( *_t197)[1] + _t94;
                        				( *_t197)[2] = ( *_t197)[2] + _v40;
                        				( *_t197)[3] = ( *_t197)[3] + _t73;
                        				_t74 =  *_t197;
                        				_t74[4] = _t74[4] + _v36;
                        				return _t74;
                        			}





























                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Similarity
                        • Opcode ID: 873da35689f22003dd71cb35d832fcd299933c2a4a338c9518d5bf00ccb812d8
                        • Instruction ID: 716f36dcc23adbca1d054e511117bc4dee4c76f37dd05e933a586cb029c54d4d
                        • Opcode Fuzzy Hash: 873da35689f22003dd71cb35d832fcd299933c2a4a338c9518d5bf00ccb812d8
                        • Instruction Fuzzy Hash: E2610B369047269BD744CF0AC88014AF7E2EFC8364F1ACA6DE998A7351D675AC51CBC2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E064D9804(void* __eax, char* __edx) {
                        				signed int _t107;
                        				signed int _t108;
                        				void* _t111;
                        				signed int* _t116;
                        				void* _t130;
                        				signed int _t150;
                        				signed int _t151;
                        				signed int _t155;
                        				signed int _t157;
                        				signed int _t166;
                        				signed int _t175;
                        				char* _t183;
                        				signed int _t185;
                        				void* _t186;
                        				intOrPtr* _t187;
                        				signed int* _t188;
                        
                        				_t183 = __edx;
                        				_t186 = __eax;
                        				 *(_t187 + 4) =  *( *(__eax + 4));
                        				 *_t187 =  *(_t187 + 4) +  *(_t187 + 4);
                        				_push( *_t187 + 1);
                        				E064C51D0();
                        				_t188 = _t187 + 4;
                        				 *( *(__edx + 4)) =  *_t188;
                        				_t107 =  *_t188;
                        				if(_t107 > 0) {
                        					_t188[6] = _t107;
                        					_t151 = 1;
                        					do {
                        						( *(__edx + 4))[_t151] = 0;
                        						_t151 = _t151 + 1;
                        						_t10 =  &(_t188[6]);
                        						 *_t10 = _t188[6] - 1;
                        					} while ( *_t10 != 0);
                        				}
                        				_t108 = _t188[1];
                        				if(_t108 > 0) {
                        					_t188[6] = _t108;
                        					_t150 = 1;
                        					do {
                        						_t188[4] =  *( *((intOrPtr*)(_t186 + 4)) + _t150 * 4);
                        						_t188[5] = 0;
                        						_t166 = _t188[7];
                        						_t188[4] = E064C5D1C(_t188[6], _t166,  *( *((intOrPtr*)(_t186 + 4)) + _t150 * 4), 0);
                        						_t188[5] = _t166;
                        						_t155 = _t150 + _t150;
                        						asm("adc edx, [esp+0x14]");
                        						_t188[4] =  *( *(_t183 + 4) + _t155 * 4 - 4) + _t188[4];
                        						_t188[5] = 0;
                        						 *( *(_t183 + 4) + _t155 * 4 - 4) = _t188[4] & 0x7fffffff;
                        						_t188[2] = (_t188[5] << 0x00000020 | _t188[4]) >> 0x1f;
                        						_t43 = _t150 + 1; // 0x2
                        						_t185 = _t43;
                        						_t130 = _t188[1] - _t185;
                        						if(_t130 >= 0) {
                        							_t188[7] = _t130 + 1;
                        							do {
                        								_t188[4] =  *( *((intOrPtr*)(_t186 + 4)) + _t150 * 4) +  *( *((intOrPtr*)(_t186 + 4)) + _t150 * 4);
                        								_t188[5] = 0;
                        								_t175 = _t188[7];
                        								_t188[4] = E064C5D1C(_t188[6], _t175,  *((intOrPtr*)( *((intOrPtr*)(_t186 + 4)) + _t185 * 4)), 0);
                        								_t188[5] = _t175;
                        								_t157 = _t185 + _t150;
                        								asm("adc edx, [esp+0x14]");
                        								_t188[4] =  *( *(_t183 + 4) + _t157 * 4 - 4) + _t188[4];
                        								_t188[5] = 0;
                        								asm("adc edx, [esp+0x14]");
                        								_t188[4] = _t188[2] + _t188[4];
                        								_t188[5] = 0;
                        								 *( *(_t183 + 4) + _t157 * 4 - 4) = _t188[4] & 0x7fffffff;
                        								_t188[2] = (_t188[5] << 0x00000020 | _t188[4]) >> 0x1f;
                        								_t185 = _t185 + 1;
                        								_t82 =  &(_t188[7]);
                        								 *_t82 = _t188[7] - 1;
                        							} while ( *_t82 != 0);
                        						}
                        						( *(_t183 + 4))[_t188[1] + _t150] = _t188[2];
                        						_t150 = _t150 + 1;
                        						_t89 =  &(_t188[6]);
                        						 *_t89 = _t188[6] - 1;
                        					} while ( *_t89 != 0);
                        				}
                        				 *_t183 = 1;
                        				while(( *(_t183 + 4))[ *_t188] == 0 &&  *_t188 > 1) {
                        					 *_t188 =  *_t188 - 1;
                        				}
                        				_t111 = _t188[1] + _t188[1];
                        				if(_t111 !=  *_t188) {
                        					_push( *_t188 + 1);
                        					E064C51D0();
                        					_t116 =  *(_t183 + 4);
                        					 *_t116 = _t188[1];
                        					return _t116;
                        				}
                        				return _t111;
                        			}




















                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Similarity
                        • Opcode ID: 47069813619ade45fa69f8f0a760e7f1ab5128fa5539f765a61484b0069d0af7
                        • Instruction ID: c6a1fbd0624ac6bfb5cbe1334dbe0e3a5b0cd151c158fa366483ed5120039570
                        • Opcode Fuzzy Hash: 47069813619ade45fa69f8f0a760e7f1ab5128fa5539f765a61484b0069d0af7
                        • Instruction Fuzzy Hash: 3461B2B4A086429FD345DF19C980A5AB7E2FFC8710F148A2EE8A8C7315D731ED15CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E064C6C14(void* __eax, char* __ecx, signed int __edx) {
                        				signed int _t33;
                        				signed int _t34;
                        				char _t42;
                        				char _t50;
                        				void* _t58;
                        				char* _t59;
                        				void* _t65;
                        				signed int _t99;
                        				signed int _t101;
                        
                        				_t59 = __ecx;
                        				_t99 = __edx;
                        				if(__edx > 0) {
                        					_t58 = __eax;
                        					_t101 = __edx / 3;
                        					if(_t101 <= 0) {
                        						L3:
                        						_t33 = _t99;
                        						_t34 = _t33 / 3;
                        						_t65 = _t33 % 3 - 1;
                        						if(_t65 == 0) {
                        							 *_t59 =  *((intOrPtr*)(0x453681));
                        							 *((char*)(_t59 + 1)) =  *((intOrPtr*)(0x1001201));
                        							 *((char*)(_t59 + 2)) =  *0x453694;
                        							_t42 =  *0x453694;
                        							 *((char*)(_t59 + 3)) = _t42;
                        							return _t42;
                        						}
                        						if(_t65 == 1) {
                        							 *_t59 =  *((intOrPtr*)(0x453681));
                        							 *((char*)(_t59 + 1)) =  *((intOrPtr*)(0x453681));
                        							 *((char*)(_t59 + 2)) =  *((intOrPtr*)(0x1001201));
                        							_t50 =  *0x453694;
                        							 *((char*)(_t59 + 3)) = _t50;
                        							return _t50;
                        						}
                        						return _t34;
                        					} else {
                        						goto L2;
                        					}
                        					do {
                        						L2:
                        						 *_t59 =  *((intOrPtr*)(0x453681));
                        						 *((char*)(_t59 + 1)) =  *((intOrPtr*)(0x453681));
                        						 *((char*)(_t59 + 2)) =  *((intOrPtr*)(0x453681));
                        						 *((char*)(_t59 + 3)) =  *((intOrPtr*)(0x45366e));
                        						_t59 = _t59 + 4;
                        						_t58 = _t58 + 3;
                        						_t101 = _t101 - 1;
                        					} while (_t101 != 0);
                        					goto L3;
                        				}
                        				return __eax;
                        			}













                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Similarity
                        • Opcode ID: 653818a4830a0b9e5cef35c6531698125b9ca98da6a8a4b087519b3818b77cdc
                        • Instruction ID: c5e607c27a398bb2c6131e43cee02aa37c47344b7c60822dcbd304a9ef1403a4
                        • Opcode Fuzzy Hash: 653818a4830a0b9e5cef35c6531698125b9ca98da6a8a4b087519b3818b77cdc
                        • Instruction Fuzzy Hash: 5831B85AA1D5D109E3978E3D0950261EFA389FA04A35ED2EED4D88F30BE426C62FD350
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E064C6D30(unsigned int __eax, unsigned int* __ecx, unsigned int __edx) {
                        				unsigned int _t11;
                        				signed int _t12;
                        				unsigned int _t16;
                        				unsigned int _t18;
                        				signed int _t19;
                        				unsigned int* _t32;
                        				unsigned int _t35;
                        				unsigned int _t36;
                        				unsigned int _t39;
                        				void* _t42;
                        				unsigned int _t43;
                        
                        				_t32 = __ecx;
                        				_t11 = __eax;
                        				if(__edx > 0 && (__edx & 0x00000003) == 0) {
                        					_t43 = __eax;
                        					_t42 = (__edx >> 2) - 1;
                        					if(_t42 <= 0) {
                        						L6:
                        						_t35 = 0;
                        						_t12 = _t11 | 0xffffffff;
                        						while(1) {
                        							_t12 = _t12 + 1;
                        							_t36 = _t35 << 6;
                        							if( *((intOrPtr*)(_t43 + _t12)) ==  *0x453694) {
                        								break;
                        							}
                        							_t35 = _t36 |  *0x00453698 & 0x000000ff;
                        							if(_t12 != 3) {
                        								continue;
                        							}
                        							 *_t32 = _t35 >> 0x10;
                        							_t16 = _t35 >> 8;
                        							_t32[0] = _t16;
                        							_t32[0] = _t35;
                        							return _t16;
                        						}
                        						if(_t12 != 3) {
                        							 *_t32 = _t36 >> 0xa;
                        							return _t12;
                        						}
                        						_t18 = _t36 >> 0x10;
                        						 *_t32 = _t18;
                        						_t32[0] = _t36 >> 8;
                        						return _t18;
                        					} else {
                        						goto L3;
                        					}
                        					do {
                        						L3:
                        						_t39 = 0;
                        						_t19 = _t11 | 0xffffffff;
                        						do {
                        							_t19 = _t19 + 1;
                        							_t39 = _t39 << 0x00000006 |  *0x00453698 & 0x000000ff;
                        						} while (_t19 != 3);
                        						 *_t32 = _t39 >> 0x10;
                        						_t11 = _t39 >> 8;
                        						_t32[0] = _t11;
                        						_t32[0] = _t39;
                        						_t43 = _t43 + 4;
                        						_t32 =  &(_t32[0]);
                        						_t42 = _t42 - 1;
                        					} while (_t42 != 0);
                        					goto L6;
                        				}
                        				return _t11;
                        			}















                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Similarity
                        • Opcode ID: f24dcc87f69106a420290403f16c7f706bfabdf5034762238d9b8fdc114aea13
                        • Instruction ID: 7efcf1baebefefd62ca4b8fe077eb51d084c1763866d0b72884422c72dd4dabd
                        • Opcode Fuzzy Hash: f24dcc87f69106a420290403f16c7f706bfabdf5034762238d9b8fdc114aea13
                        • Instruction Fuzzy Hash: B511B21AA2ABD409E3E7893908901636E13C9E307537DC7EED5D98F387C1128457C361
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E064C98A4() {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _t16;
                        				signed int _t17;
                        
                        				_v12 = 0;
                        				_v8 = 0;
                        				_t16 = 0;
                        				_t17 =  *( *[fs:0x30] + 2) & 0x000000ff;
                        				if(_t17 == 0 || _t17 == 0) {
                        					_v8 = 1;
                        				}
                        				_v12 = 1;
                        				if(_v12 == 1) {
                        					_t16 = 1;
                        				}
                        				if(_v8 == 1) {
                        					_t16 = 0;
                        				}
                        				return _t16;
                        			}








                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Similarity
                        • Opcode ID: 0cdb339b8f5f2eed9107cf0b62158905ad85675d967276b48556d974edb5c24b
                        • Instruction ID: 7d92d13aa8a2cf193f11bc009bd6376e8735079730c821e9f366d97fca25244a
                        • Opcode Fuzzy Hash: 0cdb339b8f5f2eed9107cf0b62158905ad85675d967276b48556d974edb5c24b
                        • Instruction Fuzzy Hash: 56E06D35D28208EEDFE5CFA9854569ABBF69B41324F24C4AAC018D3381E6329748D610
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 21%
                        			E064F626C(intOrPtr __eax, void* __ebx, void* __edi, intOrPtr __esi) {
                        				intOrPtr _v8;
                        				intOrPtr* _v12;
                        				char _v16;
                        				char _v20;
                        				char _v24;
                        				char _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				char _v44;
                        				char _v48;
                        				char _v52;
                        				char _v56;
                        				char _v60;
                        				char _v64;
                        				char _v68;
                        				char _v72;
                        				char _v76;
                        				char _v80;
                        				char _v84;
                        				char _v88;
                        				char _v92;
                        				intOrPtr _v96;
                        				char _v100;
                        				intOrPtr _v104;
                        				char _v108;
                        				char _v112;
                        				char _v116;
                        				char _v120;
                        				char _v124;
                        				char _v128;
                        				char _v132;
                        				char _v136;
                        				char _v140;
                        				char _v144;
                        				char _v148;
                        				char _v152;
                        				intOrPtr _v156;
                        				char _v160;
                        				char _v164;
                        				char _v168;
                        				char _v172;
                        				char _v176;
                        				char _v180;
                        				char _v184;
                        				char _v188;
                        				char _v192;
                        				char _v196;
                        				char _v200;
                        				char _v204;
                        				char _v208;
                        				char _v212;
                        				intOrPtr _t295;
                        				void* _t360;
                        				void* _t361;
                        				intOrPtr _t384;
                        				intOrPtr* _t459;
                        				intOrPtr _t462;
                        				intOrPtr _t463;
                        
                        				_t460 = __esi;
                        				_t458 = __edi;
                        				_t359 = __ebx;
                        				_t462 = _t463;
                        				_t361 = 0x1a;
                        				do {
                        					_push(0);
                        					_push(0);
                        					_t361 = _t361 - 1;
                        					_t464 = _t361;
                        				} while (_t361 != 0);
                        				_push(__ebx);
                        				_push(__esi);
                        				_push(__edi);
                        				_v8 = __eax;
                        				_push(_t462);
                        				_push(0x4368da);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t463;
                        				E06504214(0x436900, __ebx,  &_v52, 0x4368f4, __edi, __esi);
                        				E06504214(0x436920, __ebx,  &_v56, 0x436914, __edi, __esi);
                        				_t364 =  &_v72;
                        				E06504214(0x436944, __ebx,  &_v72, 0x436938, __edi, __esi);
                        				E064C3A84( &_v68, _v72);
                        				E0650310C(_v68, _t359,  &_v72,  &_v64, _t458, _t460, _t464);
                        				E064C3550( &_v60, _v64);
                        				E064C335C(_v8);
                        				E064C335C( &_v48);
                        				_t360 = 1;
                        				_v12 = E064F5FE8(5);
                        				_t465 = _v12;
                        				if(_v12 == 0) {
                        					L27:
                        					_pop(_t384);
                        					 *[fs:eax] = _t384;
                        					_push(0x4368e4);
                        					E064C3380( &_v212, 4);
                        					E064C3914( &_v196);
                        					E064C3380( &_v192, 2);
                        					E064C3914( &_v184);
                        					E064C3380( &_v180, 2);
                        					E064C3914( &_v172);
                        					E064C3380( &_v168, 2);
                        					E064C392C( &_v160, 3);
                        					E064C335C( &_v148);
                        					E064C3914( &_v144);
                        					E064C335C( &_v140);
                        					E064C3914( &_v136);
                        					E064C335C( &_v132);
                        					E064C3914( &_v128);
                        					E064C335C( &_v124);
                        					E064C392C( &_v120, 3);
                        					E064C3380( &_v108, 2);
                        					E064C392C( &_v100, 7);
                        					E064C335C( &_v72);
                        					E064C392C( &_v68, 2);
                        					E064C3380( &_v60, 4);
                        					return E064C392C( &_v44, 8);
                        				}
                        				_t459 = _v12;
                        				E065074D8( &_v76);
                        				E0650310C(_v76, 1,  &_v72,  &_v28, _t459, _t460, _t465);
                        				E06505404( &_v80);
                        				E0650310C(_v80, 1,  &_v72,  &_v32, _t459, _t460, _t465);
                        				E0650541C( &_v84);
                        				E0650310C(_v84, 1, _t364,  &_v24, _t459, _t460, _t465);
                        				E065053EC( &_v88);
                        				E0650310C(_v88, 1, _t364,  &_v36, _t459, _t460, _t465);
                        				E064C3C58(_v36, E064C3AA4(_v36) - 1, 1, _t465,  &_v44);
                        				_t369 = E0650545C(_v44, 1, E064C3AA4(_v36) - 1, 0x5c, _t459, _t460, _t465);
                        				E064C3C58(_v44, _t251, 1, _t465,  &_v40);
                        				E064C3BBC(_v28, 0);
                        				if(0 != 0) {
                        					L8:
                        					if(_t360 != 1) {
                        						L26:
                        						_push(0x8000);
                        						_push(0);
                        						_push(_v12);
                        						L064C6580();
                        						E064C33B0(_v8, _v48);
                        						goto L27;
                        					} else {
                        						goto L9;
                        					}
                        					do {
                        						L9:
                        						if( *_t459 == 0) {
                        							_t360 = 0;
                        						}
                        						_t474 =  *((intOrPtr*)(_t459 + 0x44));
                        						if( *((intOrPtr*)(_t459 + 0x44)) != 0) {
                        							E064C3A2C( &_v16,  *((intOrPtr*)(_t459 + 0x3c)));
                        							E0650310C(_v16, _t360, _t369,  &_v92, _t459, _t460, _t474);
                        							E064C3950( &_v16, _v92);
                        							_push(_v48);
                        							_push(0x436954);
                        							E06504214(0x43696c, _t360,  &_v108, 0x436960, _t459, _t460);
                        							_push(_v108);
                        							E064C3624();
                        							E064C3A84( &_v100, _v104);
                        							_push(_v100);
                        							E064F6114( *((intOrPtr*)(_t459 + 0x44)),  &_v108,  &_v116);
                        							E0650310C(_v116, _t360,  &_v108,  &_v112, _t459, _t460, _t474);
                        							_push(_v112);
                        							E06504214(0x436988, _t360,  &_v124, 0x43697c, _t459, _t460);
                        							E064C3A84( &_v120, _v124);
                        							_push(_v120);
                        							E06505434( *((intOrPtr*)(_t459 + 0x44)),  &_v132);
                        							E064C3A84( &_v128, _v132);
                        							_push(_v128);
                        							_t369 =  &_v140;
                        							E06504214(0x4369a4, _t360,  &_v140, 0x436998, _t459, _t460);
                        							E064C3A84( &_v136, _v140);
                        							_push(_v136);
                        							E06505434( *((intOrPtr*)(_t459 + 0x48)),  &_v148);
                        							E064C3A84( &_v144, _v148);
                        							_push(_v144);
                        							_push(0x4369b4);
                        							_push(_v16);
                        							E064C3B74();
                        							E064C3550( &_v48, _v96);
                        							_t295 =  *((intOrPtr*)(_t459 + 0x44));
                        							_push(_t295);
                        							_push(0);
                        							_push(0x410);
                        							L064C6500();
                        							_t460 = _t295;
                        							_t475 = _t460;
                        							if(_t460 != 0) {
                        								E064F1E7C(_t460, _t360,  &_v20, _t460, _t475);
                        								E064C3BBC(_v20, 0);
                        								if(0 == 0) {
                        									E064F1CE0(_t460, _t360,  &_v20, _t459, _t460, 0);
                        								}
                        								E0650310C(_v20, _t360, _t369,  &_v152, _t459, _t460, 0);
                        								E064C3950( &_v20, _v152);
                        								E06504214(0x4369cc, _t360,  &_v168, 0x4369c0, _t459, _t460);
                        								E064C35B0( &_v164, _v168, _v48);
                        								E064C3A84( &_v160, _v164);
                        								_push(_v160);
                        								_push(_v20);
                        								_push(0x4369b4);
                        								E064C3B74();
                        								E064C3550( &_v48, _v156);
                        								E064C3A84( &_v172, _v52);
                        								if(E064CDFB0(_t460, _t360, _v168, _v172, _t459, _t460) == 0) {
                        									_push(_v48);
                        									_t374 =  &_v180;
                        									E06504214(0x436a10, _t360,  &_v180, 0x436a04, _t459, _t460);
                        									_push(_v180);
                        									_push(0x4369f8);
                        									E064C3624();
                        								} else {
                        									_push(_v48);
                        									_t374 =  &_v176;
                        									E06504214(0x4369e8, _t360,  &_v176, 0x4369dc, _t459, _t460);
                        									_push(_v176);
                        									_push(0x4369f8);
                        									E064C3624();
                        								}
                        								E064C3A84( &_v184, _v56);
                        								if(E064CDFB0(_t460, _t360, _t374, _v184, _t459, _t460) == 0) {
                        									_push(_v48);
                        									_t375 =  &_v192;
                        									E06504214(0x436a48, _t360,  &_v192, 0x436a3c, _t459, _t460);
                        									_push(_v192);
                        									_push(0x4369f8);
                        									E064C3624();
                        								} else {
                        									_push(_v48);
                        									_t375 =  &_v188;
                        									E06504214(0x436a2c, _t360,  &_v188, 0x436a20, _t459, _t460);
                        									_push(_v188);
                        									_push(0x4369f8);
                        									E064C3624();
                        								}
                        								E064C3A84( &_v196, _v60);
                        								if(E064CDFB0(_t460, _t360, _t375, _v196, _t459, _t460) == 0) {
                        									_push(_v48);
                        									E06504214(0x436a80, _t360,  &_v204, 0x436a74, _t459, _t460);
                        									_push(_v204);
                        									_push(0x4369f8);
                        									E064C3624();
                        								} else {
                        									_push(_v48);
                        									E06504214(0x436a64, _t360,  &_v200, 0x436a58, _t459, _t460);
                        									_push(_v200);
                        									_push(0x4369f8);
                        									E064C3624();
                        								}
                        								_push(_v48);
                        								_t369 =  &_v208;
                        								E06504214(0x436a9c, _t360,  &_v208, 0x436a90, _t459, _t460);
                        								_push(_v208);
                        								E06505434(E064F61F8(_t460),  &_v212);
                        								_push(_v212);
                        								E064C3624();
                        								_push(_t460);
                        								L064C6330();
                        							}
                        						}
                        						_t459 = _t459 +  *_t459;
                        					} while (_t360 == 1);
                        					goto L26;
                        				}
                        				E064C3BBC(_v32, 0);
                        				if(0 != 0) {
                        					goto L8;
                        				}
                        				E064C3BBC(_v24, 0);
                        				if(0 != 0) {
                        					goto L8;
                        				}
                        				E064C3BBC(_v36, 0);
                        				if(0 != 0) {
                        					goto L8;
                        				}
                        				E064C3BBC(_v40, 0);
                        				if(0 == 0) {
                        					goto L26;
                        				}
                        				goto L8;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: iC$ jC$,jC$8iC$<jC$DiC$HjC$XjC$`iC$djC$liC$tjC$|iC$iC
                        • API String ID: 0-178721798
                        • Opcode ID: f44b58ea59ec0d66ea45159304b618bd4177399544f4d118e024d71154c84a89
                        • Instruction ID: 1e51f413d1d1357f953969ebdf1bbadac826b798899c4c32f136782f6af2af27
                        • Opcode Fuzzy Hash: f44b58ea59ec0d66ea45159304b618bd4177399544f4d118e024d71154c84a89
                        • Instruction Fuzzy Hash: 2B020834A0011E9BDFD1EFA5CC80BDDB7B5AF88314F11C0AAD528A7354DB35AA468F61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 57%
                        			E064DDEB8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                        				char _v8;
                        				char _v12;
                        				char _v16;
                        				char _v20;
                        				char _v24;
                        				char _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				char _v44;
                        				char _v48;
                        				char _v52;
                        				char _v56;
                        				char _v60;
                        				char _v64;
                        				char _v68;
                        				char _v72;
                        				char _v76;
                        				char _v80;
                        				char _v84;
                        				char _v88;
                        				char _v92;
                        				char _v96;
                        				void* _t61;
                        				void* _t62;
                        				void* _t78;
                        				void* _t129;
                        				void* _t136;
                        				void* _t137;
                        				intOrPtr _t177;
                        				void* _t185;
                        				intOrPtr _t190;
                        				intOrPtr _t191;
                        
                        				_t199 = __fp0;
                        				_t188 = __esi;
                        				_t187 = __edi;
                        				_t190 = _t191;
                        				_t137 = 0xb;
                        				goto L1;
                        				L6:
                        				_t138 =  &_v8;
                        				E06504214(0x41e190, _t136,  &_v8, 0x41e184, _t187, _t188);
                        				if(E06501F54(_t199) != 1) {
                        					_t61 = E06501FC4( &_v8);
                        					__eflags = _t61 - 1;
                        					if(_t61 != 1) {
                        						_t62 = E06501EF0(_t61, _t138);
                        						__eflags = _t62 - 1;
                        						if(_t62 == 1) {
                        							E06504214(0x41e1ec, _t136,  &_v8, 0x41e1e0, _t187, _t188);
                        						}
                        					} else {
                        						E06504214(0x41e1cc, _t136,  &_v8, 0x41e1c0, _t187, _t188);
                        					}
                        				} else {
                        					E06504214(0x41e1a8, _t136,  &_v8, 0x41e19c, _t187, _t188);
                        				}
                        				E06504214(0x41e190, _t136,  &_v16, 0x41e184, _t187, _t188);
                        				if( *((char*)( *0x4599ac)) != 0) {
                        					E06504214(0x41e20c, _t136,  &_v16, 0x41e200, _t187, _t188);
                        				}
                        				E06504214(0x41e224, _t136,  &_v32, 0x41e218, _t187, _t188);
                        				_push(_v32);
                        				_push(_v16);
                        				E06504214(0x41e240, _t136,  &_v36, 0x41e234, _t187, _t188);
                        				_push(_v36);
                        				E06505434( *((intOrPtr*)( *0x45999c)),  &_v40);
                        				_push(_v40);
                        				E06504214(0x41e260, _t136,  &_v44, 0x41e254, _t187, _t188);
                        				_push(_v44);
                        				E06505434(E064F6F68(_t136, _t187, _t188),  &_v48);
                        				_push(_v48);
                        				_t78 = E06504214(0x41e280, _t136,  &_v52, 0x41e274, _t187, _t188);
                        				_push(_v52);
                        				E06505434(E06502DAC(_t78),  &_v56);
                        				_push(_v56);
                        				E06504214(0x41e2a0, _t136,  &_v60, 0x41e294, _t187, _t188);
                        				_push(_v60);
                        				E06505434( *((intOrPtr*)( *0x45990c)),  &_v64);
                        				_push(_v64);
                        				E06504214(0x41e2c0, _t136,  &_v68, 0x41e2b4, _t187, _t188);
                        				_push(_v68);
                        				E06505434( *((intOrPtr*)( *0x4599fc)),  &_v72);
                        				_push(_v72);
                        				E06504214(0x41e2e0, _t136,  &_v76, 0x41e2d4, _t187, _t188);
                        				_push(_v76);
                        				E06505434( *((intOrPtr*)( *0x459b60)),  &_v80);
                        				_push(_v80);
                        				E06504214(0x41e300, _t136,  &_v84, 0x41e2f4, _t187, _t188);
                        				_push(_v84);
                        				E06505434(E0650C370(),  &_v88);
                        				_push(_v88);
                        				E06504214(0x41e31c, _t136,  &_v92, 0x41e310, _t187, _t188);
                        				_push(_v92);
                        				_push(_v8);
                        				E06504214(0x41e338, _t136,  &_v96, 0x41e32c, _t187, _t188);
                        				_push(_v96);
                        				_push( *((intOrPtr*)( *0x459a30)));
                        				_push( *0x453878);
                        				E064C3624();
                        				_pop(_t177);
                        				 *[fs:eax] = _t177;
                        				_push(0x41e176);
                        				E064C3380( &_v96, 0x12);
                        				E064C3914( &_v24);
                        				return E064C3380( &_v20, 4);
                        				L1:
                        				_push(0);
                        				_push(0);
                        				_t137 = _t137 - 1;
                        				_t192 = _t137;
                        				if(_t137 != 0) {
                        					goto L1;
                        				} else {
                        					_push(_t137);
                        					_push(__ebx);
                        					_t136 = __eax;
                        					_push(_t190);
                        					_push(0x41e16f);
                        					_push( *[fs:eax]);
                        					 *[fs:eax] = _t191;
                        					E064D487C(_t137, __edx, _t192);
                        					E064C335C( &_v12);
                        					if( *0x453878 == 0 && E065040DC() != 1) {
                        						 *((char*)( *0x459ba8)) = 0;
                        						E0650722C( &_v24, _t136, __edi, __esi);
                        						E064C3550( &_v20, _v24);
                        						_push(E0650319C(_v20));
                        						_t129 = E06502FE0(__fp0);
                        						_pop(_t185);
                        						if(_t129 - _t185 < 0x93a80) {
                        							E064DBA14( &_v28, _t136, __edi, __esi);
                        							E064C33B0(0x453878, _v28);
                        						}
                        					}
                        					goto L6;
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $A$,A$4A$8A$@A$TA$`A$tA$x8E$A$A$A
                        • API String ID: 0-3542967583
                        • Opcode ID: 9b65538d149a09ae394a31c6fea349acbd4173048206fbc7485805dabf0e3566
                        • Instruction ID: d03424348fea855e43ae32b22718473ee4fddf6e4cfb93d08556d35f2effa470
                        • Opcode Fuzzy Hash: 9b65538d149a09ae394a31c6fea349acbd4173048206fbc7485805dabf0e3566
                        • Instruction Fuzzy Hash: 13713A38A0010AABDF85EFE5CC509DDB7B6FF94300F50846AE920A73A4DB35D946CB65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E06504C84(intOrPtr* __eax, void* __ebx, void* __ecx, void* __esi) {
                        				char _v8;
                        				char _v12;
                        				void* _v14;
                        				signed short _v20;
                        				intOrPtr _v160;
                        				intOrPtr _v164;
                        				char _v168;
                        				char _v172;
                        				char _v176;
                        				char* _t78;
                        				intOrPtr _t134;
                        				intOrPtr _t137;
                        				intOrPtr* _t147;
                        				intOrPtr _t153;
                        				void* _t181;
                        
                        				_v176 = 0;
                        				_v172 = 0;
                        				_v8 = 0;
                        				_v12 = 0;
                        				_t147 = __eax;
                        				_push(_t181);
                        				_push(0x445024);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t181 + 0xffffff54;
                        				if(E06505338(0, __ecx) != 1) {
                        					E064C335C( &_v12);
                        				} else {
                        					E064C33F4( &_v12, 0x44503c);
                        				}
                        				E064C33B0(_t147, 0x44504c);
                        				_v168 = 0x9c;
                        				_t78 =  &_v168;
                        				_push(_t78);
                        				L064FEA08();
                        				if(_t78 == 0) {
                        					L62:
                        					_pop(_t153);
                        					 *[fs:eax] = _t153;
                        					_push(0x44502b);
                        					E064C3380( &_v176, 2);
                        					return E064C3380( &_v12, 2);
                        				} else {
                        					if(_v164 != 5 || _v160 != 0) {
                        						if(_v164 != 5 || _v160 != 1) {
                        							if(_v164 != 5 || _v160 != 2) {
                        								L14:
                        								if(_v164 != 5 || _v160 != 2) {
                        									L18:
                        									if(_v164 != 6 || _v160 != 0 || 0 !=  *0x4596b0) {
                        										if(_v164 != 6 || _v160 != 0 || 0 ==  *0x4596b0) {
                        											if(_v164 != 6 || _v160 != 1 || 0 ==  *0x4596b0) {
                        												if(_v164 != 6 || _v160 != 1 || 0 !=  *0x4596b0) {
                        													if(_v164 != 6 || _v160 != 2 || 0 ==  *0x4596b0) {
                        														if(_v164 != 6 || _v160 != 2 || 0 !=  *0x4596b0) {
                        															if(_v164 != 6 || _v160 != 3 || 0 ==  *0x4596b0) {
                        																if(_v164 != 6 || _v160 != 3 || 0 !=  *0x4596b0) {
                        																	if(_v164 != 6 || _v160 != 4 || 0 !=  *0x4596b0) {
                        																		if(_v164 != 0xa || 0 !=  *0x4596b0) {
                        																			E064C33F4( &_v8, 0x44504c);
                        																		} else {
                        																			E064C33F4( &_v8, 0x445160);
                        																		}
                        																	} else {
                        																		E064C33F4( &_v8, 0x445160);
                        																	}
                        																} else {
                        																	E064C33F4( &_v8, 0x445150);
                        																}
                        															} else {
                        																E064C33F4( &_v8, 0x445134);
                        															}
                        														} else {
                        															E064C33F4( &_v8, 0x445124);
                        														}
                        													} else {
                        														E064C33F4( &_v8, 0x44510c);
                        													}
                        												} else {
                        													E064C33F4( &_v8, 0x4450fc);
                        												}
                        											} else {
                        												E064C33F4( &_v8, 0x4450e0);
                        											}
                        										} else {
                        											E064C33F4( &_v8, 0x4450c8);
                        										}
                        									} else {
                        										E064C33F4( &_v8, 0x4450b4);
                        									}
                        									goto L58;
                        								} else {
                        									_t134 =  *0x4596ac;
                        									_push(_t134);
                        									L064C6620();
                        									if(_t134 == 0) {
                        										goto L18;
                        									} else {
                        										E064C33F4( &_v8, 0x445098);
                        										goto L58;
                        									}
                        								}
                        							} else {
                        								_t137 =  *0x4596ac;
                        								_push(_t137);
                        								L064C6620();
                        								if(_t137 != 0) {
                        									goto L14;
                        								} else {
                        									E064C33F4( &_v8, 0x445080);
                        									goto L58;
                        								}
                        							}
                        						} else {
                        							E064C33F4( &_v8, 0x445070);
                        							goto L58;
                        						}
                        					} else {
                        						E064C33F4( &_v8, 0x44505c);
                        						L58:
                        						_t178 = _v20;
                        						if(_v20 != 0) {
                        							_push(_v8);
                        							_push(0x445170);
                        							E06505434(_t178 & 0x0000ffff,  &_v172);
                        							_push(_v172);
                        							E064C3624();
                        						} else {
                        							E064C33B0(_t147, _v8);
                        						}
                        						_push( *_t147);
                        						_push(_v12);
                        						_push(0x445180);
                        						E06505434(E065040DC(),  &_v176);
                        						_push(_v176);
                        						E064C3624();
                        						goto L62;
                        					}
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $QD$4QD$<PD$LPD$LPD$PQD$\PD$`QD$`QD$pPD$PD
                        • API String ID: 0-486083593
                        • Opcode ID: 21354602998355153eb26b55b4d91de2f8f221bc0372f288b86b85c34188739c
                        • Instruction ID: c7d0fc8ddf184707794fdfbcaed8be7d544c10d32387533f53669816da0345e2
                        • Opcode Fuzzy Hash: 21354602998355153eb26b55b4d91de2f8f221bc0372f288b86b85c34188739c
                        • Instruction Fuzzy Hash: 56915A38E20608DFEFE1DBA189417ADB3F5BB05211F9080EAC25492655E730CE85CE56
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E06507520(intOrPtr* __eax, void* __ebx, intOrPtr* __edi, intOrPtr* __esi) {
                        				char _v8;
                        				char _v12;
                        				char _v16;
                        				char _v20;
                        				char _v24;
                        				char _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				char _v44;
                        				char _v48;
                        				char _v52;
                        				char _v56;
                        				char _v60;
                        				intOrPtr* _t50;
                        				void* _t52;
                        				void* _t129;
                        				void* _t131;
                        				void* _t133;
                        				void* _t135;
                        				void* _t137;
                        				intOrPtr* _t157;
                        				void* _t158;
                        				void* _t159;
                        				void* _t160;
                        				intOrPtr _t177;
                        				intOrPtr* _t199;
                        				intOrPtr _t202;
                        				intOrPtr _t203;
                        
                        				_t200 = __esi;
                        				_t199 = __edi;
                        				_t202 = _t203;
                        				_t158 = 7;
                        				goto L1;
                        				L4:
                        				if( *_t157 == 0) {
                        					L7:
                        					_push(0x447850);
                        					L064C64A8();
                        					_t200 = _t50;
                        					if(_t200 != 0) {
                        						_push(0x44785c);
                        						_push(_t200);
                        						L064C6448();
                        						_t199 = _t50;
                        					}
                        					if(_t199 != 0) {
                        						_v8 = 0x400;
                        						E064C3898( &_v12, _v8);
                        						_push( &_v8);
                        						_push(E064C3728(_v12));
                        						_push(0);
                        						if( *_t199() == 0) {
                        							E064C3898( &_v12, _v8 - 1);
                        							E064C33B0(_t157, _v12);
                        							if(E064C3564( *_t157) > 0xf5) {
                        								if(E064C3850(0x44787c,  *_t157) == 0) {
                        									_t129 = E064C3850(0x4478dc,  *_t157);
                        									__eflags = _t129;
                        									if(_t129 == 0) {
                        										_t131 = E064C3850(0x447940,  *_t157);
                        										__eflags = _t131;
                        										if(_t131 == 0) {
                        											_t133 = E064C3850(0x4479a4,  *_t157);
                        											__eflags = _t133;
                        											if(_t133 == 0) {
                        												_t135 = E064C3850(0x447a50,  *_t157);
                        												__eflags = _t135;
                        												if(_t135 == 0) {
                        													_t137 = E064C3850(0x447ae4,  *_t157);
                        													__eflags = _t137;
                        													if(_t137 == 0) {
                        														E064C33B0(_t157, 0x44788c);
                        													} else {
                        														E064C33B0(_t157, 0x447af8);
                        													}
                        												} else {
                        													E064C33B0(_t157, 0x447a64);
                        												}
                        											} else {
                        												E064C33B0(_t157, 0x4479b8);
                        											}
                        										} else {
                        											E064C33B0(_t157, 0x447954);
                        										}
                        									} else {
                        										E064C33B0(_t157, 0x4478f0);
                        									}
                        								} else {
                        									E064C33B0(_t157, 0x44788c);
                        								}
                        							}
                        						}
                        					}
                        					_t52 = E064C3564( *_t157);
                        					_t214 = _t52 - 0xa;
                        					if(_t52 < 0xa) {
                        						E064C33B0(_t157, 0x44788c);
                        					}
                        					L27:
                        					E06501974( *_t157, _t157,  &_v20, _t199, _t200, _t214);
                        					E064C3A84( &_v16, _v20);
                        					_push(_v16);
                        					_push(0);
                        					E064FF18C(0x447b4c, _t157,  &_v28, _t199, _t200, _t214);
                        					E064C3A84( &_v24, _v28);
                        					_push(_v24);
                        					_push(0x447b58);
                        					_push( *((intOrPtr*)( *0x459b2c)));
                        					E064C3624();
                        					E064C3A84( &_v32, _v36);
                        					_t159 = 0x447b6c;
                        					E064FDD90(0x80000002, _t157, _t159, _v32, _t200);
                        					E06501974( *_t157, _t157,  &_v44, _t199, _t200, _t214);
                        					E064C3A84( &_v40, _v44);
                        					_push(_v40);
                        					_push(0);
                        					E064FF18C(0x447b4c, _t157,  &_v52, _t199, _t200, _t214);
                        					E064C3A84( &_v48, _v52);
                        					_push(_v48);
                        					_push(0x447b58);
                        					_push( *((intOrPtr*)( *0x459b2c)));
                        					E064C3624();
                        					E064C3A84( &_v56, _v60);
                        					_t160 = 0x447b6c;
                        					E064FDD90(0x80000001, _t157, _t160, _v56, _t200);
                        					_pop(_t177);
                        					 *[fs:eax] = _t177;
                        					_push(0x447837);
                        					E064C335C( &_v60);
                        					E064C3914( &_v56);
                        					E064C335C( &_v52);
                        					E064C3914( &_v48);
                        					E064C335C( &_v44);
                        					E064C3914( &_v40);
                        					E064C335C( &_v36);
                        					E064C3914( &_v32);
                        					E064C335C( &_v28);
                        					E064C3914( &_v24);
                        					E064C335C( &_v20);
                        					E064C3914( &_v16);
                        					return E064C335C( &_v12);
                        				}
                        				_t50 = E064C3564( *_t157);
                        				if(_t50 > 0xf5) {
                        					goto L7;
                        				}
                        				_t50 = E064C3850(0x447848,  *_t157) - 1;
                        				if(_t50 == 0) {
                        					goto L27;
                        				}
                        				goto L7;
                        				L1:
                        				_push(0);
                        				_push(0);
                        				_t158 = _t158 - 1;
                        				if(_t158 != 0) {
                        					goto L1;
                        				} else {
                        					_push(__esi);
                        					_push(__edi);
                        					_t157 = __eax;
                        					_push(_t202);
                        					_push(0x447830);
                        					_push( *[fs:eax]);
                        					 *[fs:eax] = _t203;
                        					E064C335C(__eax);
                        					_t50 =  *0x459b50;
                        					if( *_t50 != 0) {
                        						_t50 = E064C33B0(_t157,  *((intOrPtr*)( *0x459b50)));
                        					}
                        					goto L4;
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: @yD$HxD$L{D$L{D$PzD$TyD$dzD$|xD$zD
                        • API String ID: 0-1811510968
                        • Opcode ID: bd85743fb1b16a0f4937292cbeaaef532227eea878ded6c3ded62c6fc56d957f
                        • Instruction ID: 24369b725245c1319e14171755c7aebe96b6a02911b0b83cb61651d390239b78
                        • Opcode Fuzzy Hash: bd85743fb1b16a0f4937292cbeaaef532227eea878ded6c3ded62c6fc56d957f
                        • Instruction Fuzzy Hash: 0B810D38A001099BEBD1FF99DD80A9DB3A5FF48214F50846ED511A7364DB34ED0ACB66
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 62%
                        			E064CE484(intOrPtr* __eax, void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi) {
                        				char _v8;
                        				char _v12;
                        				intOrPtr* _t14;
                        				intOrPtr* _t61;
                        				intOrPtr _t66;
                        				intOrPtr* _t85;
                        				intOrPtr* _t87;
                        				void* _t90;
                        
                        				_t85 = __edi;
                        				_push(__edi);
                        				_v12 = 0;
                        				_t61 = __eax;
                        				_push(_t90);
                        				_push(0x40e615);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t90 + 0xfffffff8;
                        				_t14 = E064C335C(__eax);
                        				_push(0x40e624);
                        				L064C64A8();
                        				_t87 = _t14;
                        				if(_t87 != 0) {
                        					_push(0x40e630);
                        					_push(_t87);
                        					L064C6448();
                        					_t85 = _t14;
                        				}
                        				if(_t85 != 0) {
                        					_v8 = 0x400;
                        					E064C3898( &_v12, _v8);
                        					_push( &_v8);
                        					_push(E064C3728(_v12));
                        					_push(0);
                        					if( *_t85() == 0) {
                        						E064C3898( &_v12, _v8 - 1);
                        						E064C33B0(_t61, _v12);
                        						if(E064C3564( *_t61) > 0xf5) {
                        							if(E064C3850(0x40e650,  *_t61) == 0) {
                        								if(E064C3850(0x40e6b0,  *_t61) == 0) {
                        									if(E064C3850(0x40e714,  *_t61) == 0) {
                        										if(E064C3850(0x40e778,  *_t61) == 0) {
                        											if(E064C3850(0x40e824,  *_t61) == 0) {
                        												if(E064C3850(0x40e8b8,  *_t61) == 0) {
                        													E064C33B0(_t61, 0x40e660);
                        												} else {
                        													E064C33B0(_t61, 0x40e8cc);
                        												}
                        											} else {
                        												E064C33B0(_t61, 0x40e838);
                        											}
                        										} else {
                        											E064C33B0(_t61, 0x40e78c);
                        										}
                        									} else {
                        										E064C33B0(_t61, 0x40e728);
                        									}
                        								} else {
                        									E064C33B0(_t61, 0x40e6c4);
                        								}
                        							} else {
                        								E064C33B0(_t61, 0x40e660);
                        							}
                        						}
                        					}
                        				}
                        				if(E064C3564( *_t61) < 0xa) {
                        					E064C33B0(_t61, 0x40e660);
                        				}
                        				_pop(_t66);
                        				 *[fs:eax] = _t66;
                        				_push(0x40e61c);
                        				return E064C335C( &_v12);
                        			}












                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $@$(@$8@$P@$`@$`@$`@$x@
                        • API String ID: 0-480216852
                        • Opcode ID: e81a3e2e8eaac5072123235008a57e73bffe0dba01972e78113e1b7e4c6ca7fb
                        • Instruction ID: 6d528281a0231927a7ea48ae842de92bd157ad8f290b83f1c503c5f49c9de432
                        • Opcode Fuzzy Hash: e81a3e2e8eaac5072123235008a57e73bffe0dba01972e78113e1b7e4c6ca7fb
                        • Instruction Fuzzy Hash: 2A4182397006049FD7D2BFAB8C8095E7295AB84324B50C87FA511EB794EF39DC06C66A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 57%
                        			E064D7BC0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				char _v8;
                        				char _v12;
                        				char _v16;
                        				char _v20;
                        				char _v24;
                        				char _v28;
                        				char _v32;
                        				char _v36;
                        				intOrPtr _t88;
                        
                        				_t85 = __esi;
                        				_t84 = __edi;
                        				_t55 = __ebx;
                        				_push(0);
                        				_push(0);
                        				_push(0);
                        				_push(0);
                        				_push(0);
                        				_push(0);
                        				_push(0);
                        				_push(0);
                        				_push(_t88);
                        				_push(0x417cf1);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t88;
                        				E06504214(0x417d10, __ebx,  &_v12, 0x417d04, __edi, __esi);
                        				E064C33B0( *0x459a94, _v12);
                        				E06504214(0x417d2c, __ebx,  &_v16, 0x417d20, __edi, __esi);
                        				E064C33B0( *0x459a90, _v16);
                        				E06504214(0x417d48, _t55,  &_v20, 0x417d3c, _t84, _t85);
                        				E064C33B0( *0x459b8c, _v20);
                        				E06504214(0x417d64, _t55,  &_v24, 0x417d58, _t84, _t85);
                        				E064C33B0( *0x459b88, _v24);
                        				E06504214(0x417d80, _t55,  &_v28, 0x417d74, _t84, _t85);
                        				E064C33B0( *0x459af8, _v28);
                        				E06504214(0x417da0, _t55,  &_v32, 0x417d94, _t84, _t85);
                        				E064C33B0( *0x459af4, _v32);
                        				E06504214(0x417dc0, _t55,  &_v36, 0x417db4, _t84, _t85);
                        				E064C33B0( *0x459a2c, _v36);
                        				E064CBFD8(0, _t55, _t84, _t85);
                        				E064D6A30(_t55, _t85);
                        				E064C3318(0, 0x417ae8, 0,  &_v8, 0, 0);
                        				 *[fs:eax] = 0;
                        				_push(0x417cf8);
                        				return E064C3380( &_v36, 7);
                        			}













                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: }A$,}A$<}A$H}A$X}A$d}A$t}A$zA
                        • API String ID: 0-1479003399
                        • Opcode ID: 8fbb0fc4158af932569550ece70d38ccbe540abbf699ea60cfaa7d16fea7ae4a
                        • Instruction ID: 041848a759efc093d7c515896790c19b7dad79c227f87820891f4289a4db0763
                        • Opcode Fuzzy Hash: 8fbb0fc4158af932569550ece70d38ccbe540abbf699ea60cfaa7d16fea7ae4a
                        • Instruction Fuzzy Hash: 99312C387041498BDBC5EFE4EC419EE73B5EF84310B50C06AD91597B60DB38ED45CA68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 47%
                        			E06502860(char __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
                        				char _v8;
                        				intOrPtr _v12;
                        				char _v16;
                        				char _v20;
                        				intOrPtr _v24;
                        				char _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				char _v44;
                        				char _v48;
                        				char _v52;
                        				char _v56;
                        				char _v60;
                        				char _v64;
                        				char _v68;
                        				char _v72;
                        				char _v76;
                        				intOrPtr _t89;
                        				intOrPtr _t115;
                        				void* _t121;
                        				void* _t129;
                        				void* _t132;
                        				intOrPtr _t143;
                        				intOrPtr _t145;
                        				intOrPtr _t147;
                        				intOrPtr _t148;
                        				intOrPtr _t150;
                        				void* _t161;
                        				void* _t163;
                        				intOrPtr _t176;
                        				intOrPtr* _t189;
                        				intOrPtr _t191;
                        				intOrPtr _t192;
                        				void* _t199;
                        
                        				_t199 = __fp0;
                        				_t187 = __edi;
                        				_t191 = _t192;
                        				_push(__ecx);
                        				_t150 = 8;
                        				do {
                        					_push(0);
                        					_push(0);
                        					_t150 = _t150 - 1;
                        					_t193 = _t150;
                        				} while (_t150 != 0);
                        				_push(_t150);
                        				_t1 =  &_v8;
                        				 *_t1 = _t150;
                        				_push(__ebx);
                        				_push(__esi);
                        				_t145 =  *_t1;
                        				_t189 = __edx;
                        				_v8 = __eax;
                        				E064C3E64( &_v8);
                        				_push(_t191);
                        				_push(0x442b0c);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t192;
                        				_push(0x442b24);
                        				E06504214(0x442b3c, _t145,  &_v28, 0x442b30, __edi, _t189);
                        				_push(_v28);
                        				_push( *((intOrPtr*)( *0x459b70)));
                        				E06504214(0x442b58, _t145,  &_v32, 0x442b4c, __edi, _t189);
                        				_push(_v32);
                        				E06504214(0x442b74, _t145,  &_v36, 0x442b68, _t187, _t189);
                        				_push(_v36);
                        				_push( *((intOrPtr*)( *0x459ae8)));
                        				E06504214(0x442b90, _t145,  &_v40, 0x442b84, _t187, _t189);
                        				_push(_v40);
                        				E06504214(0x442bac, _t145,  &_v44, 0x442ba0, _t187, _t189);
                        				_push(_v44);
                        				_push( *((intOrPtr*)( *0x459a3c)));
                        				E06504214(0x442bc8, _t145,  &_v48, 0x442bbc, _t187, _t189);
                        				_push(_v48);
                        				E064C3624();
                        				E064C3A84( &_v20, _v24);
                        				E064C3B10( &_v8, _v8, _v20, _t193);
                        				_v12 = 0;
                        				 *_t189 = 0;
                        				if(_t145 != 1) {
                        					_push( *0x4598f0);
                        					L064C6388();
                        					E064C33F4( &_v16,  *((intOrPtr*)( *0x459b74)));
                        					_push( *0x4598f0);
                        					L064C64A0();
                        					_t89 = E064C3564(_v16);
                        					__eflags = _t89;
                        					if(_t89 > 0) {
                        						_t147 = 2;
                        						while(1) {
                        							_push(E064C3564(_v16));
                        							_push(_t189);
                        							_push(1);
                        							_push(0);
                        							E064CEE24( &_v72, _t147, _t187, _t189);
                        							_push(_v72);
                        							_push(E064C3734( &_v16));
                        							E06503654( &_v76, _t147, __eflags);
                        							_pop(_t161);
                        							_t115 = E064F9C3C(_v76, _t147, _t161, _v8, _t187, _t189, _t199);
                        							__eflags = _t115;
                        							if(_t115 != 0) {
                        								break;
                        							}
                        							_push(0x3e8);
                        							L064C6560();
                        							_t147 = _t147 - 1;
                        							__eflags = _t147;
                        							if(_t147 != 0) {
                        								continue;
                        							}
                        							goto L15;
                        						}
                        						_v12 = _t115;
                        					}
                        				} else {
                        					_push( *0x4598f0);
                        					L064C6388();
                        					E064C33F4( &_v16,  *((intOrPtr*)( *0x459934)));
                        					_push( *0x4598f0);
                        					L064C64A0();
                        					_t121 = E064C3564(_v16);
                        					_t195 = _t121;
                        					if(_t121 > 0) {
                        						_t148 = 2;
                        						do {
                        							E064CEE24( &_v52, _t148, _t187, _t189);
                        							_push( &_v52);
                        							_t162 =  &_v60;
                        							E06504214(0x442be4, _t148,  &_v60, 0x442bd8, _t187, _t189);
                        							E064C3A84( &_v56, _v60);
                        							_pop(_t129);
                        							E064C3AB0(_t129,  &_v60, _v56, _t195);
                        							_t132 = E06504A7C(_v52, _t148, _t162, _t189);
                        							_t196 = _t132;
                        							if(_t132 == 0) {
                        								goto L8;
                        							} else {
                        								_push(E064C3564(_v16));
                        								_push(_t189);
                        								_push(1);
                        								_push(0);
                        								E064CEE24( &_v64, _t148, _t187, _t189);
                        								_push(_v64);
                        								_push(E064C3734( &_v16));
                        								E06503654( &_v68, _t148, _t196);
                        								_pop(_t163);
                        								_t143 = E064F9C3C(_v68, _t148, _t163, _v8, _t187, _t189, _t199);
                        								if(_t143 == 0) {
                        									goto L8;
                        								} else {
                        									_v12 = _t143;
                        								}
                        							}
                        							goto L15;
                        							L8:
                        							_push(0x3e8);
                        							L064C6560();
                        							_t148 = _t148 - 1;
                        							__eflags = _t148;
                        						} while (_t148 != 0);
                        					}
                        				}
                        				L15:
                        				_pop(_t176);
                        				 *[fs:eax] = _t176;
                        				_push(0x442b13);
                        				E064C392C( &_v76, 4);
                        				E064C335C( &_v60);
                        				E064C392C( &_v56, 2);
                        				E064C3380( &_v48, 7);
                        				E064C3914( &_v20);
                        				E064C335C( &_v16);
                        				return E064C3914( &_v8);
                        			}







































                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0+D$<+D$L+D$X+D$h+D$t+D$+D
                        • API String ID: 0-4013542659
                        • Opcode ID: 006305d4adefbe1cce48a11117791319c9c950094edd0c6e3da2eae5e5887d2d
                        • Instruction ID: 614675000258929e942e98ce3cd265fc3e125857e20f762d22deb42bae6e7251
                        • Opcode Fuzzy Hash: 006305d4adefbe1cce48a11117791319c9c950094edd0c6e3da2eae5e5887d2d
                        • Instruction Fuzzy Hash: BD712C74A0024AEBEBD1EFA5DD80A9EB3B9FF44310F60816AE510A7351DB74EE05CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 49%
                        			E064E4048(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                        				intOrPtr _v8;
                        				char _v12;
                        				char _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				char _v44;
                        				char _v48;
                        				char _v52;
                        				char _v56;
                        				char _v60;
                        				char _v64;
                        				char _v68;
                        				char _v72;
                        				char _v76;
                        				char _v80;
                        				char _v84;
                        				char _v88;
                        				void* _t82;
                        				void* _t146;
                        				void* _t147;
                        				void* _t149;
                        				void* _t151;
                        				intOrPtr _t175;
                        				void* _t185;
                        				intOrPtr _t187;
                        				intOrPtr _t188;
                        
                        				_t183 = __edi;
                        				_t145 = __ebx;
                        				_t187 = _t188;
                        				_t147 = 0xa;
                        				do {
                        					_push(0);
                        					_push(0);
                        					_t147 = _t147 - 1;
                        					_t189 = _t147;
                        				} while (_t147 != 0);
                        				_push(_t147);
                        				_push(__ebx);
                        				_push(__esi);
                        				_t185 = __edx;
                        				_v8 = __eax;
                        				E064C3718(_v8);
                        				_push(_t187);
                        				_push(0x4242bf);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t188;
                        				E06504214(0x4242e0, __ebx,  &_v48, 0x4242d4, __edi, _t185);
                        				E064C3A84( &_v44, _v48);
                        				_push(_v44);
                        				E06504C54( &_v52);
                        				_pop(_t149);
                        				E064C3B10( &_v40, _t149, _v52, _t189);
                        				_t82 = E06504A7C(_v40, _t145, _t149, _t185);
                        				_t190 = _t82 - 1;
                        				if(_t82 != 1) {
                        					E06504214(0x424310, _t145,  &_v60, 0x424304, __edi, _t185);
                        					E064C3A84( &_v56, _v60);
                        					_push(_v56);
                        					E06504C54( &_v64);
                        					_pop(_t151);
                        					E064C3B10( &_v40, _t151, _v64, __eflags);
                        					__eflags = E06504A7C(_v40, _t145, _t151, _t185) - 1;
                        					if(__eflags != 0) {
                        						E06504214(0x424338, _t145,  &_v68, 0x42432c, _t183, _t185);
                        						E064C3A84( &_v40, _v68);
                        					} else {
                        						_push(0x4242f8);
                        						_push(_v40);
                        						_push(0x4242f8);
                        						E064C3B74();
                        					}
                        				} else {
                        					_push(0x4242f8);
                        					_push(_v40);
                        					_push(0x4242f8);
                        					E064C3B74();
                        				}
                        				E064C3B10( &_v72, 0x424348, _v40, _t190);
                        				E064C3550( &_v12, _v72);
                        				E064E2DC0(2, _t145,  &_v32, _t185, _t190);
                        				E064E2DC0(4, _t145,  &_v36, _t185, _t190);
                        				E064C35B0( &_v16, 0x42436c, _v32);
                        				_push(_v36);
                        				_push(0x42439c);
                        				_push(_v32);
                        				_push(0x4243a8);
                        				_push(_v8);
                        				_push(0x4243bc);
                        				E064C3624();
                        				_push(0x4243c8);
                        				_push(_v36);
                        				_push(0x4243d8);
                        				E064C3624();
                        				_t146 = 0xff;
                        				while(1) {
                        					_push(_v12);
                        					E064E3B7C( &_v76, _t146, 0x42436c, _t185, _t190);
                        					_push(_v76);
                        					_push(_v16);
                        					E064E3B7C( &_v80, _t146, 0x42436c, _t185, _t190);
                        					_push(_v80);
                        					_push(_v20);
                        					E064E3B7C( &_v84, _t146, 0x42436c, _t185, _t190);
                        					_push(_v84);
                        					_push(_v24);
                        					E064E3B7C( &_v88, _t146, 0x42436c, _t185, _t190);
                        					_push(_v88);
                        					_push(0x4243e4);
                        					E064C3624();
                        					if(E064C3564(_v28) < 0xe6) {
                        						break;
                        					}
                        					_t146 = _t146 - 1;
                        					__eflags = _t146;
                        					if(__eflags != 0) {
                        						continue;
                        					}
                        					_push(_v12);
                        					_push(_v16);
                        					_push(_v20);
                        					_push(_v24);
                        					E064C3624();
                        					L12:
                        					_pop(_t175);
                        					 *[fs:eax] = _t175;
                        					_push(0x4242c6);
                        					E064C3380( &_v88, 4);
                        					E064C3914( &_v72);
                        					E064C335C( &_v68);
                        					E064C3914( &_v64);
                        					E064C335C( &_v60);
                        					E064C392C( &_v56, 2);
                        					E064C335C( &_v48);
                        					E064C392C( &_v44, 2);
                        					return E064C3380( &_v36, 8);
                        				}
                        				E064C33B0(_t185, _v28);
                        				goto L12;
                        			}


































                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ,CB$8CB$HCB$lCB$BB
                        • API String ID: 0-950452389
                        • Opcode ID: 888872ef81bf3ec46e863258a102df0ed890efa33fff27ce36602c47d06e5585
                        • Instruction ID: edc9ea10c6a302464386d03d490351dd21acacd02a53980eba71bf136052e493
                        • Opcode Fuzzy Hash: 888872ef81bf3ec46e863258a102df0ed890efa33fff27ce36602c47d06e5585
                        • Instruction Fuzzy Hash: 5261D734A0011D9ADFC2EBD1DC40ADDB7B9EF88310F60816AE520B3654DA75AE168B65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E064D6654(intOrPtr __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr* _a4) {
                        				intOrPtr _v8;
                        				char _v12;
                        				intOrPtr _v16;
                        				char _v20;
                        				char _v24;
                        				char _v28;
                        				char _v32;
                        				intOrPtr _v36;
                        				intOrPtr _v40;
                        				char _v44;
                        				char _v48;
                        				char _v52;
                        				void* _t82;
                        				intOrPtr _t97;
                        				intOrPtr _t117;
                        				intOrPtr _t133;
                        				void* _t134;
                        				void* _t137;
                        				void* _t145;
                        
                        				_t145 = __fp0;
                        				_v52 = 0;
                        				_v48 = 0;
                        				_v24 = 0;
                        				_v28 = 0;
                        				_v16 = __ecx;
                        				_v12 = __edx;
                        				_v8 = __eax;
                        				_t131 = _a4;
                        				E064C3718(_v8);
                        				E064C3718(_v12);
                        				E064C3E84( &_v44,  *0x416304);
                        				_push(_t137);
                        				_push(0x416806);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t137 + 0xffffffd0;
                        				E064C335C(_a4);
                        				E064C33F4( &_v28, _v8);
                        				E064C376C(_v28, E064C3850(0x416820, _v28) - 1, 1,  &_v24);
                        				E064C376C(_v28, 0xff, E064C3850(0x416820, _v28) + 1,  &_v48);
                        				_t133 = E0650319C(_v48);
                        				_t97 = E064C2A30(1);
                        				if(_t97 != 0) {
                        					E064C33F4( &_v44, _v24);
                        					_v40 = _t133;
                        					_v36 = _t97;
                        					E064C33F4( &_v32, _v12);
                        					_t82 = E064C3318(0, 0x416574, 0,  &_v20, 0,  &_v44);
                        					_t134 = _t82;
                        					_push(0xea60);
                        					_push(_t134);
                        					L064C6598();
                        					if(_t82 != 0x102) {
                        						E064C33B0(_t131, _v32);
                        					} else {
                        						if(_t97 != 0) {
                        							E064CB1A4(_t97);
                        						}
                        						_push(0x1388);
                        						_push(_t134);
                        						L064C6598();
                        					}
                        					E06507408(0x416838, _t97,  &_v52, 0x41682c, _t131, _t134);
                        					if(E064C3850(_v52,  *_t131) == 0) {
                        						E064CC670(_v24, _t97, _v16, 0, _t131, _t134, _t145);
                        					} else {
                        						E064CC670(_v24, _t97, _v16, 1, _t131, _t134, _t145);
                        					}
                        					_push(_t134);
                        					L064C6330();
                        				}
                        				_pop(_t117);
                        				 *[fs:eax] = _t117;
                        				_push(0x41680d);
                        				E064C3380( &_v52, 2);
                        				E064C3F50( &_v44,  *0x416304);
                        				E064C3380( &_v28, 2);
                        				return E064C3380( &_v12, 2);
                        			}























                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: hA$ hA$,hA$8hA$teA
                        • API String ID: 0-3703006404
                        • Opcode ID: 1d6a4023426aed78bb30873fb0ccfa605f8ffec715495a0818223ca6eedc3088
                        • Instruction ID: cab3489691037309696022dd4e5aa8fdb9314a522948e4d7b9e1be34032c240c
                        • Opcode Fuzzy Hash: 1d6a4023426aed78bb30873fb0ccfa605f8ffec715495a0818223ca6eedc3088
                        • Instruction Fuzzy Hash: EC41ED78E002099BDBC1EFA9CC819EEB7B9EF48320F51803ED414A7754DB34AD458AA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E064D6BA0(char __eax, void* __ebx) {
                        				char _v8;
                        				void* __ecx;
                        				intOrPtr _t41;
                        				intOrPtr _t50;
                        
                        				_v8 = __eax;
                        				E064C3718(_v8);
                        				_push(_t50);
                        				_push(0x416c43);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t50;
                        				if(E064C3850(0x416c58, _v8) != 0) {
                        					E064C37AC( &_v8, E064C3850(0x416c58, _v8), 1);
                        					if(E064C3850(0x416c58, _v8) != 0) {
                        						E064C37AC( &_v8, E064C3850(0x416c58, _v8), 1);
                        						if(E064C3850(0x416c58, _v8) != 0) {
                        						}
                        					}
                        				}
                        				_pop(_t41);
                        				 *[fs:eax] = _t41;
                        				_push(0x416c4a);
                        				return E064C335C( &_v8);
                        			}








                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: XlA$XlA$XlA$XlA$XlA
                        • API String ID: 0-3249216884
                        • Opcode ID: 6b2eb6a71850caf5f7e7c8ce084d1efb410dfde6a6f8e8850ec151e77dc56130
                        • Instruction ID: a318bd1dc70b173da464a16cded7766a3b49c7942febd79319a371cb186663ed
                        • Opcode Fuzzy Hash: 6b2eb6a71850caf5f7e7c8ce084d1efb410dfde6a6f8e8850ec151e77dc56130
                        • Instruction Fuzzy Hash: B3013C78B01104AB9BC2FFA6C9509DF72E5DB88610B62807F9810D3344EA34EE00A6A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 73%
                        			E064D6C5C(char __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags) {
                        				char _v8;
                        				intOrPtr* _v12;
                        				char _v16;
                        				char _v20;
                        				char _v24;
                        				char _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				char _v44;
                        				char _v48;
                        				char _v56;
                        				void* _t75;
                        				intOrPtr* _t77;
                        				char* _t78;
                        				char* _t81;
                        				intOrPtr _t107;
                        				void* _t108;
                        				intOrPtr _t125;
                        				intOrPtr _t145;
                        				void* _t148;
                        
                        				_push(__ebx);
                        				_push(__esi);
                        				_push(__edi);
                        				_v32 = 0;
                        				_v16 = 0;
                        				_v20 = 0;
                        				_v24 = 0;
                        				_v28 = 0;
                        				_v12 = __edx;
                        				_v8 = __eax;
                        				E064C3718(_v8);
                        				_push(_t148);
                        				_push(0x416e12);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t148 + 0xffffffcc;
                        				E064C335C(_v12);
                        				E06504214(0x416e34, __ebx,  &_v32, 0x416e28, __edi, __esi);
                        				E064C376C(_v8, 0x7fffffff, E064C3850(_v32, _v8) + 7,  &_v16);
                        				_t107 =  *((intOrPtr*)(E064C3734( &_v16)));
                        				E064C376C(_v16, 0x7fffffff, 5,  &_v16);
                        				if(_t107 >= 0) {
                        					_t108 = _t107 + 1;
                        					while(1) {
                        						_t75 = E064C3564(_v16);
                        						_t153 = _t75 - 5;
                        						if(_t75 <= 5) {
                        							goto L7;
                        						}
                        						_t77 = E064C3734( &_v16);
                        						_t78 =  &_v36;
                        						 *((char*)(_t78 + 1)) =  *((intOrPtr*)(_v16 + 4));
                        						 *_t78 = 1;
                        						E064C2760( &_v40,  &_v36);
                        						_t81 =  &_v44;
                        						 *((char*)(_t81 + 1)) =  *((intOrPtr*)(_v16 + 5));
                        						 *_t81 = 1;
                        						E064C2730( &_v40, 2,  &_v44);
                        						E064C2760( &_v48,  &_v40);
                        						E064C2730( &_v48, 3, 0x416e3c);
                        						E064C2760( &_v56,  &_v48);
                        						E064C2730( &_v56, 4, 0x416e3c);
                        						E064C3544( &_v28,  &_v56, _t153);
                        						_t145 =  *((intOrPtr*)(E064C3734( &_v28)));
                        						E064CC7C0( *_t77, _t108,  &_v20, _t145);
                        						E06505434(_t145,  &_v24);
                        						if(E064D6BA0(_v20, _t108) != 0 && _t145 > 0) {
                        							_push( *_v12);
                        							_push(_v20);
                        							_push(0x416e48);
                        							_push(_v24);
                        							_push(0x416e54);
                        							E064C3624();
                        						}
                        						E064C37AC( &_v16, 6, 1);
                        						_t108 = _t108 - 1;
                        						if(_t108 != 0) {
                        							continue;
                        						}
                        						goto L7;
                        					}
                        				}
                        				L7:
                        				_pop(_t125);
                        				 *[fs:eax] = _t125;
                        				_push(0x416e19);
                        				E064C3380( &_v32, 5);
                        				return E064C335C( &_v8);
                        			}

























                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: (nA$4nA$<nA$<nA
                        • API String ID: 0-2409051916
                        • Opcode ID: 98e60fe7e93bde4feddb82a653b4e8997dc2b4baf6fbcd4668042391fb2d9dc4
                        • Instruction ID: 44ea7e0281e9b5fbb4f34c84221dc86e913e414c75ca824d7b3fb3756b2e2c34
                        • Opcode Fuzzy Hash: 98e60fe7e93bde4feddb82a653b4e8997dc2b4baf6fbcd4668042391fb2d9dc4
                        • Instruction Fuzzy Hash: 6F512878D0124E9FCBC1FFA5D9909DEB7B9EF48310F61C16AD424A7350DB74AA058BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E064DE3C4(signed int __ebx, void* __edi, void* __esi) {
                        				char _v8;
                        				char _v12;
                        				char _v16;
                        				char _v20;
                        				char _v24;
                        				char _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				char _v44;
                        				void* _t84;
                        				void* _t85;
                        				void* _t88;
                        				intOrPtr _t95;
                        				intOrPtr _t107;
                        				intOrPtr _t108;
                        				void* _t109;
                        
                        				_t105 = __esi;
                        				_t107 = _t108;
                        				_t84 = 5;
                        				do {
                        					_push(0);
                        					_push(0);
                        					_t84 = _t84 - 1;
                        					_t109 = _t84;
                        				} while (_t109 != 0);
                        				_push(__ebx);
                        				_push(_t107);
                        				_push("true");
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t108;
                        				_push( &_v8);
                        				E064FF18C(0x41e528, __ebx,  &_v16, __edi, __esi, _t109);
                        				E064C3A84( &_v12, _v16);
                        				_push(_v12);
                        				_push( *((intOrPtr*)( *0x459984)));
                        				_push( *((intOrPtr*)( *0x459b2c)));
                        				E064C3624();
                        				E064C3A84( &_v20, _v24);
                        				_t85 = 0x41e534;
                        				E064FE0DC(0x80000002, __ebx, _t85, _v20, __esi);
                        				E064C3BBC(_v8, 0x41e53c);
                        				_t82 = __ebx & 0xffffff00 | _t109 == 0x00000000;
                        				_t110 = __ebx & 0xffffff00 | _t109 == 0x00000000;
                        				if((__ebx & 0xffffff00 | _t109 == 0x00000000) == 0) {
                        					_push( &_v28);
                        					E064FF18C(0x41e528, _t82,  &_v36, __edi, __esi, _t110);
                        					E064C3A84( &_v32, _v36);
                        					_push(_v32);
                        					_push( *((intOrPtr*)( *0x459984)));
                        					_push( *((intOrPtr*)( *0x459b2c)));
                        					E064C3624();
                        					E064C3A84( &_v40, _v44);
                        					_t88 = 0x41e534;
                        					E064FE0DC(0x80000001, _t82, _t88, _v40, _t105);
                        					E064C3BBC(_v28, 0x41e53c);
                        				}
                        				_pop(_t95);
                        				 *[fs:eax] = _t95;
                        				_push(0x41e517);
                        				E064C335C( &_v44);
                        				E064C3914( &_v40);
                        				E064C335C( &_v36);
                        				E064C392C( &_v32, 2);
                        				E064C335C( &_v24);
                        				E064C3914( &_v20);
                        				E064C335C( &_v16);
                        				return E064C392C( &_v12, 2);
                        			}





















                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: (A$(A$<A$<A
                        • API String ID: 0-3455706520
                        • Opcode ID: ec250ee17574202001a217ef6e0429fdc271cbcee41778d2087f903630ab2eee
                        • Instruction ID: 46c263ff5a0c8be1f6bebc2a38c4ae2c45624bbb7f77fee3ed0473831ec69624
                        • Opcode Fuzzy Hash: ec250ee17574202001a217ef6e0429fdc271cbcee41778d2087f903630ab2eee
                        • Instruction Fuzzy Hash: 9D310D79A00109AFDFC1EFD5DD40ADEB7B9EB88314F50806BE510A7360EA35EE058B65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E064D874C() {
                        				intOrPtr _t15;
                        				intOrPtr _t18;
                        
                        				_push(_t18);
                        				_push(0x4187a5);
                        				_push( *[fs:eax]);
                        				 *[fs:eax] = _t18;
                        				 *0x45a794 =  *0x45a794 + 1;
                        				if( *0x45a794 == 0) {
                        					E064C335C(0x453850);
                        					E064C335C(0x45384c);
                        					E064C335C(0x453848);
                        					E064C335C(0x453844);
                        					E064C57FC(0x45a790);
                        				}
                        				_pop(_t15);
                        				 *[fs:eax] = _t15;
                        				_push(0x4187ac);
                        				return 0;
                        			}






                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 064C0000, based on PE: true
                        • Associated: 00000000.00000002.251849589.00000000064C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251902082.0000000006513000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251915039.000000000651F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.251920924.0000000006521000.00000002.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: D8E$H8E$L8E$P8E
                        • API String ID: 0-3817654031
                        • Opcode ID: 92db1142f5ea2583b9187fd1634e8103cf57a06a27d9d2906677fa95022a14b6
                        • Instruction ID: b65f159ade9cd3b19ece547c4a37b839387f378ccdfa445c1d2c9edbc06de57c
                        • Opcode Fuzzy Hash: 92db1142f5ea2583b9187fd1634e8103cf57a06a27d9d2906677fa95022a14b6
                        • Instruction Fuzzy Hash: F7E0DF3C3042002E53DB7FAA4C1242C36A8C389B6A355C47FF82882F62DE2CC824816E
                        Uniqueness

                        Uniqueness Score: -1.00%