Analysis Report uxtheme.bin

Overview

General Information

Sample Name: uxtheme.bin (renamed file extension from bin to dll)
Analysis ID: 356525
MD5: ceb5fbc654f39a7b9ea9c62eeecdfa19
SHA1: e1f19599ea001f2f7ee8d336edb7b114e0ef437e
SHA256: c6cfb034a82e6e4fa018dd063e7e91e47f4034248b6ad90b62219e3c367a3673
Tags: OOOFobos

Most interesting Screenshot:

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

Startup

  • System is w10x64
  • loaddll64.exe (PID: 3040 cmdline: loaddll64.exe 'C:\Users\user\Desktop\uxtheme.dll' MD5: 40E30D559A47CDA935973FA18C34ABA6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: uxtheme.dll | Static PE information: Number of sections : 17 > 10
Source: classification engine | Classification label: clean2.winDLL@1/0@0/0
Source: uxtheme.dll | Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: uxtheme.dll | Static PE information: Image base 0x64880000 > 0x60000000
Source: uxtheme.dll | Static PE information: real checksum: 0x18e9e should be: 0xc2cd
Source: uxtheme.dll | Static PE information: section name: .xdata
Source: uxtheme.dll | Static PE information: section name: /4
Source: uxtheme.dll | Static PE information: section name: /19
Source: uxtheme.dll | Static PE information: section name: /31
Source: uxtheme.dll | Static PE information: section name: /45
Source: uxtheme.dll | Static PE information: section name: /57
Source: uxtheme.dll | Static PE information: section name: /70
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_648815C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,0_2_648815C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_648814E0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_648814E0

Mitre Att&ck Matrix

Tactic | Techniques shown (number in parentheses = matched signatures)
Initial Access | Valid Accounts, Default Accounts
Execution | Windows Management Instrumentation, Scheduled Task/Job
Persistence | Path Interception, Boot or Logon Initialization Scripts
Privilege Escalation | Path Interception, Boot or Logon Initialization Scripts
Defense Evasion | Direct Volume Access, Rootkit
Credential Access | OS Credential Dumping, LSASS Memory
Discovery | System Time Discovery (1), System Information Discovery (2)
Lateral Movement | Remote Services, Remote Desktop Protocol
Collection | Data from Local System, Data from Removable Media
Exfiltration | Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth
Command and Control | Data Obfuscation, Junk Data
Network Effects | Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects | Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization
Impact | Modify System Partition, Device Lockout

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
uxtheme.dll | 1% | Virustotal |
uxtheme.dll | 2% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356525
Start date: 23.02.2021
Start time: 09:30:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: uxtheme.bin (renamed file extension from bin to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winDLL@1/0@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 88.9% (good quality ratio 64.4%)
  • Quality average: 61.3%
  • Quality standard deviation: 41.5%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit): 4.76233421620799
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.41%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • VXD Driver (31/22) 0.03%
File name: uxtheme.dll
File size: 47980
MD5: ceb5fbc654f39a7b9ea9c62eeecdfa19
SHA1: e1f19599ea001f2f7ee8d336edb7b114e0ef437e
SHA256: c6cfb034a82e6e4fa018dd063e7e91e47f4034248b6ad90b62219e3c367a3673
SHA512: 2c8753cb76cb8b359f4f8f3bfc9c1c181270c65335b77b00a5b31753493bed5db446290ea88f1bad46ffb70f6f6ca8b5302a49364142c0f33155489625998962
SSDEEP: 384:9wbmN5sAYR04+ePkZz3oKxpfEqTIY5Fv4iBKflxMrdFPV7PxbTEcAAPrFMQlYjL:9gAs/cZz3DfEqTIYv4gKNwFPxPe5
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...&..].h........& .........6......0..........d.............................@................ ............................

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x64881330
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x64880000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5DECAA26 [Sun Dec 8 07:45:42 2019 UTC]
TLS Callbacks: 0x648816f0
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: a55cf28123aec4893f9cb49d5e6312dd

Entrypoint Preview

Instruction
dec eax
sub esp, 48h
dec eax
mov eax, dword ptr [00002F55h]
mov dword ptr [eax], 00000000h
cmp edx, 01h
je 00007FE8B0B2905Ch
dec eax
add esp, 48h
jmp 00007FE8B0B28F06h
nop
dec esp
mov dword ptr [esp+38h], eax
mov dword ptr [esp+34h], edx
dec eax
mov dword ptr [esp+28h], ecx
call 00007FE8B0B291D2h
call 00007FE8B0B29ABDh
dec esp
mov eax, dword ptr [esp+38h]
mov edx, dword ptr [esp+34h]
dec eax
mov ecx, dword ptr [esp+28h]
dec eax
add esp, 48h
jmp 00007FE8B0B28ED6h
nop
dec eax
mov edx, ecx
dec eax
lea ecx, dword ptr [00005C76h]
jmp 00007FE8B0B2A4A6h
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FE8B0B29039h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
mov edx, 00000001h
dec eax
lea ecx, dword ptr [00002C3Ch]
dec eax
mov eax, dword ptr [00007E69h]
call eax
mov ecx, 00000000h
dec eax
mov eax, dword ptr [00007DB3h]
call eax
nop
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
mov dword ptr [ebp+10h], ecx
mov dword ptr [ebp+18h], edx
dec esp
mov dword ptr [ebp+20h], eax
cmp dword ptr [ebp+18h], 01h
jne 00007FE8B0B29057h
call 00007FE8B0B3900Bh

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x8000 | 0x52 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9000 | 0x5f0 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5000 | 0x228 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0x64 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4060 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x917c | 0x140 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1ac8 | 0x1c00 | False | 0.570033482143 | data | 5.86144287266 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x80 | 0x200 | False | 0.115234375 | data | 0.749836229165 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0x2e0 | 0x400 | False | 0.337890625 | data | 3.0125063975 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.pdata | 0x5000 | 0x228 | 0x400 | False | 0.318359375 | data | 2.38404815471 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.xdata | 0x6000 | 0x1ac | 0x200 | False | 0.36328125 | data | 3.42645904001 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss | 0x7000 | 0x920 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.edata | 0x8000 | 0x52 | 0x200 | False | 0.1484375 | data | 0.888027638897 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata | 0x9000 | 0x5f0 | 0x600 | False | 0.384765625 | data | 4.0283471072 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.CRT | 0xa000 | 0x58 | 0x200 | False | 0.056640625 | data | 0.201539378135 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.tls | 0xb000 | 0x10 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.reloc | 0xc000 | 0x64 | 0x200 | False | 0.19921875 | data | 1.06801655505 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/4 | 0xd000 | 0x50 | 0x200 | False | 0.072265625 | data | 0.23653878451 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/19 | 0xe000 | 0x1f08 | 0x2000 | False | 0.459350585938 | data | 5.82440214057 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/31 | 0x10000 | 0x149 | 0x200 | False | 0.375 | data | 3.28729179067 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/45 | 0x11000 | 0x222 | 0x400 | False | 0.2900390625 | data | 3.2353162452 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/57 | 0x12000 | 0x48 | 0x200 | False | 0.12109375 | data | 0.707951245148 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/70 | 0x13000 | 0x9b | 0x200 | False | 0.259765625 | data | 2.32078044454 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Imports

DLL | Import
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, ExitProcess, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WinExec
msvcrt.dll | __iob_func, _amsg_exit, _initterm, _lock, _unlock, abort, calloc, free, fwrite, realloc, signal, strlen, strncmp, vfprintf

Exports

Name | Ordinal | Address
GetCurrentThemeName | 1 | 0x648813b0

Network Behavior

No network behavior found

System Behavior

General

Start time: 09:31:24
Start date: 23/02/2021
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe 'C:\Users\user\Desktop\uxtheme.dll'
Imagebase: 0x7ff73f1f0000
File size: 147456 bytes
MD5 hash: 40E30D559A47CDA935973FA18C34ABA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis

    Executed Functions

    APIs
    • WinExec.KERNEL32(?,?,?,648813FA), ref: 648813CB
    • ExitProcess.KERNEL32(?,?,?,648813FA), ref: 648813D9
    Strings
    • C:\ProgramData\pass.exe, xrefs: 648813BD
    Memory Dump Source
    • Source File: 00000000.00000002.208969284.0000000064881000.00000020.00020000.sdmp, Offset: 64880000, based on PE: true
    • Associated: 00000000.00000002.208964391.0000000064880000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208973820.0000000064884000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208979215.0000000064889000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.208983870.000000006488E000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208989408.0000000064893000.00000002.00020000.sdmp
    Similarity
    • API ID: ExecExitProcess
    • String ID: C:\ProgramData\pass.exe
    • API String ID: 4112423671-1891163720
    • Opcode ID: 52b86fa6078312e856b2b7e00b7738f8e6d97b859807380faa9d96faef4d3494
    • Instruction ID: b61984cfe778fbc24c15316c064740d61ff31f79c4f3e015eb430b3f5d56ab4e
    • Opcode Fuzzy Hash: 52b86fa6078312e856b2b7e00b7738f8e6d97b859807380faa9d96faef4d3494
    • Instruction Fuzzy Hash: ABE01235610600DEF714AB65FC513993769E794744F940524E66C4B764EF39C5B187C0
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • RtlCaptureContext.KERNEL32 ref: 648815D4
    • RtlLookupFunctionEntry.KERNEL32 ref: 648815EB
    • RtlVirtualUnwind.KERNEL32 ref: 6488162D
    • SetUnhandledExceptionFilter.KERNEL32 ref: 64881671
    • UnhandledExceptionFilter.KERNEL32 ref: 6488167E
    • GetCurrentProcess.KERNEL32 ref: 64881684
    • TerminateProcess.KERNEL32 ref: 64881692
    • abort.MSVCRT ref: 64881698
    Memory Dump Source
    • Source File: 00000000.00000002.208969284.0000000064881000.00000020.00020000.sdmp, Offset: 64880000, based on PE: true
    • Associated: 00000000.00000002.208964391.0000000064880000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208973820.0000000064884000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208979215.0000000064889000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.208983870.000000006488E000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208989408.0000000064893000.00000002.00020000.sdmp
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
    • String ID:
    • API String ID: 4278921479-0
    • Opcode ID: 99248bb6454a7592e356694ac04e7b8edddaeb2de0c7d78bb815fc60a79657c7
    • Instruction ID: 88c23e1d74f73703687645223a5a32878b9194998333b52dc3ee7a35701e2395
    • Opcode Fuzzy Hash: 99248bb6454a7592e356694ac04e7b8edddaeb2de0c7d78bb815fc60a79657c7
    • Instruction Fuzzy Hash: A021F079215B05CDEB00AB65FC8438C37B6B708B88F944126DA5E53B64EF3EC525C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 64881525
    • GetCurrentProcessId.KERNEL32 ref: 64881530
    • GetCurrentThreadId.KERNEL32 ref: 64881539
    • GetTickCount.KERNEL32 ref: 64881541
    • QueryPerformanceCounter.KERNEL32 ref: 6488154E
    Memory Dump Source
    • Source File: 00000000.00000002.208969284.0000000064881000.00000020.00020000.sdmp, Offset: 64880000, based on PE: true
    • Associated: 00000000.00000002.208964391.0000000064880000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208973820.0000000064884000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208979215.0000000064889000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.208983870.000000006488E000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208989408.0000000064893000.00000002.00020000.sdmp
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 90a3640be7d548d683315fc01b15171e0738c0d8a315b23e826c4ce28ba7a1c9
    • Instruction ID: 36a3debc4710aec436561bd5ba2a4d17440b5bcf7244ff97b6fa5efc1eae8ae3
    • Opcode Fuzzy Hash: 90a3640be7d548d683315fc01b15171e0738c0d8a315b23e826c4ce28ba7a1c9
    • Instruction Fuzzy Hash: F811912A765A108DFB105B25FC0831972A1B7497B0F8857309E9C43BA4EF3EC995C300
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E64881970(int __eax, signed long long __rax, void* __rbx, signed short* __rcx, void* __rdi, void* __rsi, signed long long __r8, void* __r12, void* __r13, void* __r14, void* __r15) {
    				int _t30;
    				int _t33;
    				intOrPtr _t37;
    				signed int _t41;
    				signed int _t53;
    				int _t68;
    				signed int _t78;
    				void* _t81;
    				void* _t82;
    				signed long long _t85;
    				intOrPtr* _t91;
    				signed short* _t96;
    				intOrPtr* _t98;
    				signed long long _t100;
    				int _t109;
    				int _t114;
    				void* _t116;
    				void* _t118;
    				void* _t120;
    				void* _t121;
    				signed long long _t130;
    				intOrPtr _t135;
    				intOrPtr _t142;
    				void* _t147;
    				intOrPtr _t151;
    				intOrPtr _t152;
    				int _t155;
    				signed long long _t156;
    
    				_t157 = __r15;
    				_t130 = __r8;
    				_t96 = __rcx;
    				_t94 = __rbx;
    				_t85 = __rax;
    				_t30 = __eax;
    				_push(__r15);
    				_push(__rbx);
    				_t121 = _t120 - 0x38;
    				_t118 = _t121 + 0x80;
    				_t53 =  *0x648875e0;
    				if(_t53 == 0) {
    					 *0x648875e0 = 1;
    					E648824C0();
    					_t30 = E64882710(_t85);
    					_t142 =  *0x648841e0; // 0x648842e0
    					 *0x648875e4 = 0;
    					_t114 =  *0x648841f0; // 0x648842e0
    					 *0x648875e8 = _t121 - (0x0000001e + (_t85 + _t85 * 0x00000004) * 0x00000008 & 0xfffffff0) + 0x20;
    					_t91 = _t142 - _t114;
    					__eflags = _t91 - 7;
    					if(_t91 <= 7) {
    						goto L1;
    					} else {
    						__eflags = _t91 - 0xb;
    						_t68 =  *_t114;
    						if(_t91 <= 0xb) {
    							L18:
    							__eflags = _t68;
    							if(_t68 != 0) {
    								goto L5;
    							} else {
    								_t20 = _t114 + 4; // 0x302e312e3820
    								_t30 =  *_t20;
    								__eflags = _t30;
    								if(_t30 != 0) {
    									goto L5;
    								} else {
    									goto L20;
    								}
    							}
    						} else {
    							__eflags = _t68;
    							if(_t68 == 0) {
    								_t17 = _t114 + 4; // 0x0
    								__eflags =  *_t17;
    								if( *_t17 != 0) {
    									goto L5;
    								} else {
    									_t18 = _t114 + 8; // 0x0
    									__eflags =  *_t18;
    									if( *_t18 != 0) {
    										L20:
    										_t21 = _t114 + 8; // 0x302e
    										__eflags =  *_t21 - 1;
    										if(__eflags != 0) {
    											L34:
    											_t98 = "  Unknown pseudo relocation protocol version %d.\n";
    											E64882A20(__eflags, _t98, _t100, _t130, _t135);
    											_t37 =  *_t98;
    											__eflags = _t37 - 0xc0000091;
    											if(_t37 > 0xc0000091) {
    												__eflags = _t37 - 0xc0000094;
    												if(__eflags == 0) {
    													L64882778();
    													__eflags = _t91 - 1;
    													if(_t91 != 1) {
    														goto L49;
    													} else {
    														L64882778();
    														_t41 = 0;
    														goto L43;
    													}
    												} else {
    													if(__eflags > 0) {
    														__eflags = _t37 - 0xc0000095;
    														if(_t37 == 0xc0000095) {
    															goto L60;
    														} else {
    															__eflags = _t37 - 0xc0000096;
    															if(_t37 != 0xc0000096) {
    																goto L58;
    															} else {
    																goto L53;
    															}
    														}
    													} else {
    														__eflags = _t37 - 0xc0000092;
    														if(_t37 == 0xc0000092) {
    															goto L60;
    														} else {
    															__eflags = _t37 - 0xc0000093;
    															if(_t37 != 0xc0000093) {
    																goto L58;
    															} else {
    																goto L48;
    															}
    														}
    													}
    												}
    											} else {
    												__eflags = _t37 - 0xc000008d;
    												if(_t37 >= 0xc000008d) {
    													L48:
    													L64882778();
    													__eflags = _t91 - 1;
    													if(_t91 == 1) {
    														L64882778();
    														E64882700(_t37);
    														goto L60;
    													} else {
    														L49:
    														__eflags = _t91;
    														if(_t91 == 0) {
    															goto L58;
    														} else {
    															 *_t91();
    															__eflags = 0;
    															return 0;
    														}
    													}
    												} else {
    													__eflags = _t37 - 0xc0000008;
    													if(__eflags == 0) {
    														L60:
    														__eflags = 0;
    														return 0;
    													} else {
    														if(__eflags > 0) {
    															__eflags = _t37 - 0xc000001d;
    															if(_t37 == 0xc000001d) {
    																L53:
    																L64882778();
    																__eflags = _t91 - 1;
    																if(_t91 == 1) {
    																	L64882778();
    																	_t41 = 0;
    																	goto L43;
    																} else {
    																	__eflags = _t91;
    																	if(_t91 == 0) {
    																		goto L65;
    																	} else {
    																		 *_t91();
    																		__eflags = 0;
    																		return 0;
    																	}
    																}
    															} else {
    																__eflags = _t37 - 0xc000008c;
    																if(_t37 == 0xc000008c) {
    																	goto L60;
    																} else {
    																	goto L58;
    																}
    															}
    														} else {
    															__eflags = _t37 - 0x80000002;
    															if(_t37 == 0x80000002) {
    																goto L60;
    															} else {
    																__eflags = _t37 - 0xc0000005;
    																if(_t37 != 0xc0000005) {
    																	L58:
    																	return 1;
    																} else {
    																	L64882778();
    																	__eflags = _t91 - 1;
    																	if(_t91 == 1) {
    																		L64882778();
    																		_t41 = 0;
    																	} else {
    																		__eflags = _t91;
    																		if(_t91 == 0) {
    																			L65:
    																			_t41 = 4;
    																		} else {
    																			 *_t91();
    																			_t41 = 0;
    																			__eflags = 0;
    																		}
    																	}
    																	L43:
    																	return _t41;
    																}
    															}
    														}
    													}
    												}
    											}
    										} else {
    											_t152 =  *0x64884210; // 0x64880000
    											_t116 = _t114 + 0xc;
    											_t156 = _t118 - 0x58;
    											__eflags = _t116 - _t142;
    											if(_t116 < _t142) {
    												do {
    													_t25 = _t116 + 8; // 0x297463656a6f7270
    													_t78 =  *_t25 & 0x000000ff;
    													_t96 = _t96 + _t152;
    													_t91 = _t91 + _t152;
    													__eflags = _t78 - 0x10;
    													_t135 =  *_t91;
    													if(__eflags != 0) {
    														if(__eflags <= 0) {
    															__eflags = _t78 - 8;
    															if(__eflags != 0) {
    																goto L33;
    															} else {
    																r8d =  *_t96 & 0x000000ff;
    																_t100 = _t156;
    																_t112 = _t156;
    																__eflags = r8b;
    																_t131 =  <  ? _t130 | 0xffffff00 : _t130;
    																_t132 = ( <  ? _t130 | 0xffffff00 : _t130) - _t91;
    																_t130 = ( <  ? _t130 | 0xffffff00 : _t130) - _t91 + _t135;
    																 *(_t118 - 0x58) = _t130;
    																r8d = 1;
    																E648817A0(_t81, _t82, _t94, _t96, _t100, _t156, _t116, _t130, _t142, _t152, _t156, 0);
    																goto L27;
    															}
    														} else {
    															__eflags = _t78 - 0x20;
    															if(_t78 == 0x20) {
    																_t112 = _t156;
    																_t130 = _t100;
    																__eflags = r8d;
    																_t104 =  >=  ? _t130 : _t100 | 0x00000000;
    																r8d = 4;
    																_t105 = ( >=  ? _t130 : _t100 | 0x00000000) - _t91;
    																_t106 = ( >=  ? _t130 : _t100 | 0x00000000) - _t91 + _t135;
    																 *(_t118 - 0x58) = ( >=  ? _t130 : _t100 | 0x00000000) - _t91 + _t135;
    																_t100 = _t156;
    																E648817A0(_t81, _t82, _t94, _t96, _t100, _t156, _t116, _t130, _t142, _t152, _t156, 0);
    																goto L27;
    															} else {
    																__eflags = _t78 - 0x40;
    																if(__eflags != 0) {
    																	L33:
    																	 *(_t118 - 0x58) = 0;
    																	E64882A20(__eflags, "  Unknown pseudo relocation bit size %d.\n", _t100, _t130, _t135);
    																	goto L34;
    																} else {
    																	r8d = 8;
    																	_t112 = _t156;
    																	_t109 =  *_t96 - _t91 + _t135;
    																	__eflags = _t109;
    																	 *(_t118 - 0x58) = _t109;
    																	_t100 = _t156;
    																	E648817A0(_t81, _t82, _t94, _t96, _t100, _t156, _t116, _t130, _t142, _t152, _t156, 0);
    																	goto L27;
    																}
    															}
    														}
    													} else {
    														r8d =  *_t96 & 0x0000ffff;
    														_t100 = _t156;
    														_t112 = _t156;
    														__eflags = r8w;
    														_t133 =  <  ? _t130 | 0xffff0000 : _t130;
    														_t134 = ( <  ? _t130 | 0xffff0000 : _t130) - _t91;
    														_t130 = ( <  ? _t130 | 0xffff0000 : _t130) - _t91 + _t135;
    														 *(_t118 - 0x58) = _t130;
    														r8d = 2;
    														E648817A0(_t81, _t82, _t94, _t96, _t100, _t156, _t116, _t130, _t142, _t152, _t156, 0);
    														goto L27;
    													}
    													goto L66;
    													L27:
    													_t114 = _t116 + 0xc;
    													__eflags = _t114 - _t142;
    												} while (_t114 < _t142);
    												goto L9;
    											} else {
    												goto L1;
    											}
    										}
    									} else {
    										_t19 = _t114 + 0xc; // 0x0
    										_t68 =  *_t19;
    										_t114 = _t114 + 0xc;
    										__eflags = _t114;
    										goto L18;
    									}
    								}
    							} else {
    								L5:
    								__eflags = _t114 - _t142;
    								if(_t114 < _t142) {
    									_t8 = _t114 + 8; // 0x648842e8
    									_t155 = _t8;
    									_t151 =  *0x64884210; // 0x64880000
    									_t112 = _t118 - 0x58;
    									_t11 = (_t142 + 7 - _t155 >> 3) * 8; // 0x648842e8
    									_t147 = _t114 + _t11 + 8;
    									while(1) {
    										r8d = 4;
    										_t33 =  *_t114;
    										_t114 = _t155;
    										_t96 = _t96 + _t151;
    										 *(_t118 - 0x58) = _t33 +  *_t96;
    										E648817A0(_t81, _t82, _t94, _t96, _t112, _t112, _t114, _t130, _t147, _t151, _t155, _t157);
    										__eflags = _t155 - _t147;
    										if(_t155 == _t147) {
    											break;
    										}
    										_t155 = _t155 + 8;
    										__eflags = _t155;
    									}
    									L9:
    									_t30 =  *0x648875e4;
    									__eflags = _t30;
    									if(_t30 > 0) {
    										do {
    											r8d =  *( *0x648875e8 + _t114);
    											__eflags = r8d;
    											if(r8d != 0) {
    												_t30 = VirtualProtect();
    											}
    											_t53 = _t53 + 1;
    											_t114 = _t114 + 0x28;
    											__eflags = _t53 -  *0x648875e4;
    										} while (_t53 <  *0x648875e4);
    									}
    								}
    								goto L1;
    							}
    						}
    					}
    				} else {
    					L1:
    					return _t30;
    				}
    				L66:
    			}

    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,64881278), ref: 64881A9D
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 64881C0A
    • Unknown pseudo relocation protocol version %d., xrefs: 64881C1E
    Memory Dump Source
    • Source File: 00000000.00000002.208969284.0000000064881000.00000020.00020000.sdmp, Offset: 64880000, based on PE: true
    • Associated: 00000000.00000002.208964391.0000000064880000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208973820.0000000064884000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208979215.0000000064889000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.208983870.000000006488E000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208989408.0000000064893000.00000002.00020000.sdmp
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: e4841f130c1e05290b2f3ad1466d74d351e8511f79076ac9ceaab3b3a6b52bef
    • Instruction ID: b13751e1a3f1fe124bc285e1e477947756cf82e8ebdbdde051549522bc85507b
    • Opcode Fuzzy Hash: e4841f130c1e05290b2f3ad1466d74d351e8511f79076ac9ceaab3b3a6b52bef
    • Instruction Fuzzy Hash: 3991F362B106408EFB14977AD98079D7BA2BB857A8F908F15CE3D87798EF3DD4858301
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E64881EC0(long long* __rax, intOrPtr* __rcx) {
    				signed int _t3;
    				void* _t40;
    				void* _t46;
    				signed int* _t55;
    				void* _t56;
    
    				_t51 = __rax;
    				_t55 =  *((intOrPtr*)(__rcx));
    				_t3 =  *_t55;
    				if((_t3 & 0x20ffffff) == 0x20474343) {
    					if((_t55[1] & 0x00000001) != 0) {
    						goto L1;
    					}
    				} else {
    					L1:
    					if(_t3 > 0xc0000091) {
    						_t46 = _t3 - 0xc0000094;
    						if(_t46 == 0) {
    							L64882778();
    							if(_t51 != 1) {
    								goto L16;
    							}
    							L64882778();
    							return 0xffffffff;
    						}
    						if(_t46 > 0) {
    							if(_t3 != 0xc0000095) {
    								if(_t3 != 0xc0000096) {
    									goto L9;
    								}
    								goto L23;
    							}
    						} else {
    							if(_t3 != 0xc0000092) {
    								if(_t3 != 0xc0000093) {
    									goto L9;
    								}
    								goto L15;
    							}
    						}
    					} else {
    						if(_t3 >= 0xc000008d) {
    							L15:
    							L64882778();
    							if(_t51 != 1) {
    								L16:
    								if(_t51 == 0) {
    									goto L9;
    								}
    								 *_t51();
    								return 0xffffffff;
    							}
    							L64882778();
    							E64882700(_t3);
    						} else {
    							_t40 = _t3 - 0xc0000008;
    							if(_t40 != 0) {
    								if(_t40 > 0) {
    									if(_t3 == 0xc000001d) {
    										L23:
    										L64882778();
    										if(_t51 == 1) {
    											L64882778();
    											return _t3 | 0xffffffff;
    										}
    										if(_t51 == 0) {
    											goto L9;
    										}
    										 *_t51();
    										return 0xffffffff;
    									}
    									if(_t3 != 0xc000008c) {
    										goto L9;
    									}
    								} else {
    									if(_t3 != 0x80000002) {
    										if(_t3 != 0xc0000005) {
    											L9:
    											_t51 =  *0x64887600;
    											if( *0x64887600 == 0) {
    												return 0;
    											}
    											_t56 = _t56 + 0x20;
    											goto __rax;
    										}
    										L64882778();
    										if(_t51 == 1) {
    											L64882778();
    											return _t3 | 0xffffffff;
    										}
    										if(_t51 != 0) {
    											 *_t51();
    											return 0xffffffff;
    										}
    										goto L9;
    									}
    								}
    							}
    						}
    					}
    				}
    				return 0xffffffff;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.208969284.0000000064881000.00000020.00020000.sdmp, Offset: 64880000, based on PE: true
    • Associated: 00000000.00000002.208964391.0000000064880000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208973820.0000000064884000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208979215.0000000064889000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.208983870.000000006488E000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208989408.0000000064893000.00000002.00020000.sdmp
    Similarity
    • API ID: signal
    • String ID: CCG
    • API String ID: 1946981877-1584390748
    • Opcode ID: 93f1ec11cd9f84e861dae2ff5e495ad97e66a4fa60d43edde2a6f7a6ef1d53ff
    • Instruction ID: a59c96542e0e5dd3a8384b6814ea7552515a09fdf5caca117abaa44fe435b059
    • Opcode Fuzzy Hash: 93f1ec11cd9f84e861dae2ff5e495ad97e66a4fa60d43edde2a6f7a6ef1d53ff
    • Instruction Fuzzy Hash: 0231A220B555054EFB2462BE85503A82A82AFCA37CF248F25ED3DC73E6DF6DC8C44212
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 55%
    			E648817A0(int __edi, int __esi, void* __rbx, signed long long __rcx, signed char* __rdx, void* __rdi, void* __rsi, signed long long __r8, void* __r12, void* __r13, void* __r14, void* __r15) {
    				int _t67;
    				int _t70;
    				intOrPtr _t74;
    				signed int _t78;
    				int _t93;
    				int _t94;
    				int _t99;
    				void* _t115;
    				int _t116;
    				signed int _t126;
    				int _t134;
    				signed int _t135;
    				signed int _t136;
    				int _t137;
    				signed long long _t153;
    				intOrPtr* _t159;
    				int* _t163;
    				intOrPtr* _t164;
    				signed long long _t167;
    				signed long long _t171;
    				signed short* _t172;
    				intOrPtr* _t174;
    				signed long long _t182;
    				int _t191;
    				void* _t192;
    				long long _t193;
    				intOrPtr _t195;
    				signed long long _t198;
    				signed long long _t203;
    				int _t204;
    				void* _t206;
    				void* _t209;
    				signed char* _t211;
    				void* _t212;
    				void* _t215;
    				void* _t216;
    				void* _t217;
    				signed long long _t227;
    				intOrPtr _t232;
    				void* _t234;
    				signed long long _t240;
    				intOrPtr _t241;
    				void* _t246;
    				void* _t249;
    				intOrPtr _t251;
    				intOrPtr _t252;
    				void* _t253;
    				int _t255;
    				signed long long _t256;
    				void* _t257;
    
    				_t257 = __r15;
    				_t253 = __r14;
    				_t249 = __r13;
    				_t227 = __r8;
    				_t137 = __esi;
    				_t134 = __edi;
    				_t216 = _t215 - 0x50;
    				_t203 =  *0x648875e4;
    				_t167 = __rcx;
    				_t211 = __rdx;
    				_t198 = __r8;
    				if(__esi <= 0) {
    					_t137 = 0;
    					goto L5;
    				} else {
    					_t115 = 0;
    					_t164 =  *0x648875e8 + 0x18;
    					do {
    						_t195 =  *_t164;
    						if(_t167 < _t195) {
    							goto L4;
    						} else {
    							_t227 =  *((intOrPtr*)(_t164 + 8));
    							r8d =  *(_t227 + 8);
    							if(_t167 < _t195 + _t227) {
    								L10:
    								if(_t134 >= 8) {
    									_t93 = _t134;
    									_t135 = _t134 - 1;
    									_t193 = _t211[_t164 - 8];
    									__eflags = _t135 - 8;
    									 *((long long*)(_t167 + _t164 - 8)) = _t193;
    									if(_t135 >= 8) {
    										_t136 = _t135 & 0xfffffff8;
    										_t94 = 0;
    										__eflags = 0;
    										do {
    											_t94 = _t94 + 8;
    											__eflags = _t94 - _t136;
    											 *((long long*)(_t167 + _t193)) = _t211[_t193];
    										} while (_t94 < _t136);
    									}
    								} else {
    									if((dil & 0x00000004) != 0) {
    										L21:
    										 *_t167 =  *_t211;
    										_t93 = _t211[_t198 - 4];
    										 *(_t167 + _t198 - 4) = _t93;
    									} else {
    										if(_t134 != 0) {
    											_t93 =  *_t211 & 0x000000ff;
    											 *_t167 = _t93;
    											if((dil & 0x00000002) != 0) {
    												_t93 = _t211[_t198 - 2] & 0x0000ffff;
    												 *(_t167 + _t198 - 2) = _t93;
    											}
    										}
    									}
    								}
    								L14:
    								return _t93;
    							} else {
    								goto L4;
    							}
    						}
    						goto L92;
    						L4:
    						_t115 = _t115 + 1;
    						_t164 = _t164 + 0x28;
    					} while (_t115 != _t137);
    					L5:
    					_t171 = _t167;
    					E64882440(_t171);
    					_t240 = _t153;
    					if(_t153 == 0) {
    						L25:
    						_t172 = "Address %p has no image-section";
    						_t182 = _t167;
    						_t67 = E64882A20(__eflags, _t172, _t182, _t227, _t232);
    						_push(_t211);
    						_push(_t257);
    						_push(_t253);
    						_push(_t249);
    						_push(_t240);
    						_push(_t198);
    						_push(_t203);
    						_push(_t167);
    						_t217 = _t216 - 0x38;
    						_t212 = _t217 + 0x80;
    						_t99 =  *0x648875e0;
    						__eflags = _t99;
    						if(_t99 == 0) {
    							 *0x648875e0 = 1;
    							E648824C0();
    							_t67 = E64882710(_t153);
    							_t241 =  *0x648841e0; // 0x648842e0
    							 *0x648875e4 = 0;
    							_t204 =  *0x648841f0; // 0x648842e0
    							 *0x648875e8 = _t217 - (0x0000001e + (_t153 + _t153 * 0x00000004) * 0x00000008 & 0xfffffff0) + 0x20;
    							_t159 = _t241 - _t204;
    							__eflags = _t159 - 7;
    							if(_t159 <= 7) {
    								goto L27;
    							} else {
    								__eflags = _t159 - 0xb;
    								_t116 =  *_t204;
    								if(_t159 <= 0xb) {
    									L44:
    									__eflags = _t116;
    									if(_t116 != 0) {
    										goto L31;
    									} else {
    										_t56 = _t204 + 4; // 0x302e312e3820
    										_t67 =  *_t56;
    										__eflags = _t67;
    										if(_t67 != 0) {
    											goto L31;
    										} else {
    											goto L46;
    										}
    									}
    								} else {
    									__eflags = _t116;
    									if(_t116 == 0) {
    										_t53 = _t204 + 4; // 0x0
    										__eflags =  *_t53;
    										if( *_t53 != 0) {
    											goto L31;
    										} else {
    											_t54 = _t204 + 8; // 0x0
    											__eflags =  *_t54;
    											if( *_t54 != 0) {
    												L46:
    												_t57 = _t204 + 8; // 0x302e
    												__eflags =  *_t57 - 1;
    												if(__eflags != 0) {
    													L60:
    													_t174 = "  Unknown pseudo relocation protocol version %d.\n";
    													E64882A20(__eflags, _t174, _t182, _t227, _t232);
    													_t74 =  *_t174;
    													__eflags = _t74 - 0xc0000091;
    													if(_t74 > 0xc0000091) {
    														__eflags = _t74 - 0xc0000094;
    														if(__eflags == 0) {
    															L64882778();
    															__eflags = _t159 - 1;
    															if(_t159 != 1) {
    																goto L75;
    															} else {
    																L64882778();
    																_t78 = 0;
    																goto L69;
    															}
    														} else {
    															if(__eflags > 0) {
    																__eflags = _t74 - 0xc0000095;
    																if(_t74 == 0xc0000095) {
    																	goto L86;
    																} else {
    																	__eflags = _t74 - 0xc0000096;
    																	if(_t74 != 0xc0000096) {
    																		goto L84;
    																	} else {
    																		goto L79;
    																	}
    																}
    															} else {
    																__eflags = _t74 - 0xc0000092;
    																if(_t74 == 0xc0000092) {
    																	goto L86;
    																} else {
    																	__eflags = _t74 - 0xc0000093;
    																	if(_t74 != 0xc0000093) {
    																		goto L84;
    																	} else {
    																		goto L74;
    																	}
    																}
    															}
    														}
    													} else {
    														__eflags = _t74 - 0xc000008d;
    														if(_t74 >= 0xc000008d) {
    															L74:
    															L64882778();
    															__eflags = _t159 - 1;
    															if(_t159 == 1) {
    																L64882778();
    																E64882700(_t74);
    																goto L86;
    															} else {
    																L75:
    																__eflags = _t159;
    																if(_t159 == 0) {
    																	goto L84;
    																} else {
    																	 *_t159();
    																	__eflags = 0;
    																	return 0;
    																}
    															}
    														} else {
    															__eflags = _t74 - 0xc0000008;
    															if(__eflags == 0) {
    																L86:
    																__eflags = 0;
    																return 0;
    															} else {
    																if(__eflags > 0) {
    																	__eflags = _t74 - 0xc000001d;
    																	if(_t74 == 0xc000001d) {
    																		L79:
    																		L64882778();
    																		__eflags = _t159 - 1;
    																		if(_t159 == 1) {
    																			L64882778();
    																			_t78 = 0;
    																			goto L69;
    																		} else {
    																			__eflags = _t159;
    																			if(_t159 == 0) {
    																				goto L91;
    																			} else {
    																				 *_t159();
    																				__eflags = 0;
    																				return 0;
    																			}
    																		}
    																	} else {
    																		__eflags = _t74 - 0xc000008c;
    																		if(_t74 == 0xc000008c) {
    																			goto L86;
    																		} else {
    																			goto L84;
    																		}
    																	}
    																} else {
    																	__eflags = _t74 - 0x80000002;
    																	if(_t74 == 0x80000002) {
    																		goto L86;
    																	} else {
    																		__eflags = _t74 - 0xc0000005;
    																		if(_t74 != 0xc0000005) {
    																			L84:
    																			return 1;
    																		} else {
    																			L64882778();
    																			__eflags = _t159 - 1;
    																			if(_t159 == 1) {
    																				L64882778();
    																				_t78 = 0;
    																			} else {
    																				__eflags = _t159;
    																				if(_t159 == 0) {
    																					L91:
    																					_t78 = 4;
    																				} else {
    																					 *_t159();
    																					_t78 = 0;
    																					__eflags = 0;
    																				}
    																			}
    																			L69:
    																			return _t78;
    																		}
    																	}
    																}
    															}
    														}
    													}
    												} else {
    													_t252 =  *0x64884210; // 0x64880000
    													_t206 = _t204 + 0xc;
    													_t256 = _t212 - 0x58;
    													__eflags = _t206 - _t241;
    													if(_t206 < _t241) {
    														do {
    															_t61 = _t206 + 8; // 0x297463656a6f7270
    															_t126 =  *_t61 & 0x000000ff;
    															_t172 = _t172 + _t252;
    															_t159 = _t159 + _t252;
    															__eflags = _t126 - 0x10;
    															_t232 =  *_t159;
    															if(__eflags != 0) {
    																if(__eflags <= 0) {
    																	__eflags = _t126 - 8;
    																	if(__eflags != 0) {
    																		goto L59;
    																	} else {
    																		r8d =  *_t172 & 0x000000ff;
    																		_t182 = _t256;
    																		_t200 = _t256;
    																		__eflags = r8b;
    																		_t228 =  <  ? _t227 | 0xffffff00 : _t227;
    																		_t229 = ( <  ? _t227 | 0xffffff00 : _t227) - _t159;
    																		_t227 = ( <  ? _t227 | 0xffffff00 : _t227) - _t159 + _t232;
    																		 *(_t212 - 0x58) = _t227;
    																		r8d = 1;
    																		E648817A0(_t134, _t137, _t167, _t172, _t182, _t256, _t206, _t227, _t241, _t252, _t256, 0);
    																		goto L53;
    																	}
    																} else {
    																	__eflags = _t126 - 0x20;
    																	if(_t126 == 0x20) {
    																		_t200 = _t256;
    																		_t227 = _t182;
    																		__eflags = r8d;
    																		_t186 =  >=  ? _t227 : _t182 | 0x00000000;
    																		r8d = 4;
    																		_t187 = ( >=  ? _t227 : _t182 | 0x00000000) - _t159;
    																		_t188 = ( >=  ? _t227 : _t182 | 0x00000000) - _t159 + _t232;
    																		 *(_t212 - 0x58) = ( >=  ? _t227 : _t182 | 0x00000000) - _t159 + _t232;
    																		_t182 = _t256;
    																		E648817A0(_t134, _t137, _t167, _t172, _t182, _t256, _t206, _t227, _t241, _t252, _t256, 0);
    																		goto L53;
    																	} else {
    																		__eflags = _t126 - 0x40;
    																		if(__eflags != 0) {
    																			L59:
    																			 *(_t212 - 0x58) = 0;
    																			E64882A20(__eflags, "  Unknown pseudo relocation bit size %d.\n", _t182, _t227, _t232);
    																			goto L60;
    																		} else {
    																			r8d = 8;
    																			_t200 = _t256;
    																			_t191 =  *_t172 - _t159 + _t232;
    																			__eflags = _t191;
    																			 *(_t212 - 0x58) = _t191;
    																			_t182 = _t256;
    																			E648817A0(_t134, _t137, _t167, _t172, _t182, _t256, _t206, _t227, _t241, _t252, _t256, 0);
    																			goto L53;
    																		}
    																	}
    																}
    															} else {
    																r8d =  *_t172 & 0x0000ffff;
    																_t182 = _t256;
    																_t200 = _t256;
    																__eflags = r8w;
    																_t230 =  <  ? _t227 | 0xffff0000 : _t227;
    																_t231 = ( <  ? _t227 | 0xffff0000 : _t227) - _t159;
    																_t227 = ( <  ? _t227 | 0xffff0000 : _t227) - _t159 + _t232;
    																 *(_t212 - 0x58) = _t227;
    																r8d = 2;
    																E648817A0(_t134, _t137, _t167, _t172, _t182, _t256, _t206, _t227, _t241, _t252, _t256, 0);
    																goto L53;
    															}
    															goto L92;
    															L53:
    															_t204 = _t206 + 0xc;
    															__eflags = _t204 - _t241;
    														} while (_t204 < _t241);
    														goto L35;
    													} else {
    														goto L27;
    													}
    												}
    											} else {
    												_t55 = _t204 + 0xc; // 0x0
    												_t116 =  *_t55;
    												_t204 = _t204 + 0xc;
    												__eflags = _t204;
    												goto L44;
    											}
    										}
    									} else {
    										L31:
    										__eflags = _t204 - _t241;
    										if(_t204 < _t241) {
    											_t44 = _t204 + 8; // 0x648842e8
    											_t255 = _t44;
    											_t251 =  *0x64884210; // 0x64880000
    											_t200 = _t212 - 0x58;
    											_t47 = (_t241 + 7 - _t255 >> 3) * 8; // 0x648842e8
    											_t246 = _t204 + _t47 + 8;
    											while(1) {
    												r8d = 4;
    												_t70 =  *_t204;
    												_t204 = _t255;
    												_t172 = _t172 + _t251;
    												 *(_t212 - 0x58) = _t70 +  *_t172;
    												E648817A0(_t134, _t137, _t167, _t172, _t200, _t200, _t204, _t227, _t246, _t251, _t255, _t257);
    												__eflags = _t255 - _t246;
    												if(_t255 == _t246) {
    													break;
    												}
    												_t255 = _t255 + 8;
    												__eflags = _t255;
    											}
    											L35:
    											_t67 =  *0x648875e4;
    											__eflags = _t67;
    											if(_t67 > 0) {
    												do {
    													r8d =  *( *0x648875e8 + _t204);
    													__eflags = r8d;
    													if(r8d != 0) {
    														_t67 = VirtualProtect();
    													}
    													_t99 = _t99 + 1;
    													_t204 = _t204 + 0x28;
    													__eflags = _t99 -  *0x648875e4;
    												} while (_t99 <  *0x648875e4);
    											}
    										}
    										goto L27;
    									}
    								}
    							}
    						} else {
    							L27:
    							return _t67;
    						}
    					} else {
    						_t203 = _t203 + _t203 * 4 << 3;
    						_t163 =  *0x648875e8 + _t203;
    						_t163[8] = _t240;
    						 *_t163 = 0;
    						E64882570(_t163);
    						_t192 = _t216 + 0x20;
    						r8d = 0x30;
    						_t164 =  *0x648875e8;
    						 *((long long*)(_t164 + _t203 + 0x18)) = _t163 + _t171;
    						VirtualQuery(??, ??, ??);
    						if(_t164 == 0) {
    							_t153 =  *0x648875e8;
    							_t227 =  *((intOrPtr*)(_t153 + _t203 + 0x18));
    							E64882A20(__eflags, "  VirtualQuery failed for %d bytes at address %p", _t192, _t227, _t232);
    							goto L25;
    						} else {
    							_t93 =  *(_t216 + 0x44);
    							if((_t164 - 0x00000004 & 0xfffffffb) == 0) {
    								L9:
    								 *0x648875e4 =  *0x648875e4 + 1;
    								goto L10;
    							} else {
    								_t93 = _t93 - 0x00000040 & 0xffffffbf;
    								if(_t93 != 0) {
    									_t209 = _t203 +  *0x648875e8;
    									r8d = 0x40;
    									_t194 =  *((intOrPtr*)(_t216 + 0x38));
    									_t234 = _t209;
    									 *((long long*)(_t209 + 8)) =  *((intOrPtr*)(_t216 + 0x20));
    									 *((long long*)(_t209 + 0x10)) =  *((intOrPtr*)(_t216 + 0x38));
    									_t93 = VirtualProtect(??, ??, ??, ??);
    									__eflags = _t93;
    									if(__eflags != 0) {
    										goto L9;
    									} else {
    										GetLastError();
    										E64882A20(__eflags, "  VirtualProtect failed with code 0x%x", _t194, _t227, _t234);
    										goto L21;
    									}
    								} else {
    									goto L9;
    								}
    							}
    							goto L14;
    						}
    					}
    				}
    				L92:
    			}


    APIs
    Strings
    • VirtualQuery failed for %d bytes at address %p, xrefs: 64881947
    • VirtualProtect failed with code 0x%x, xrefs: 64881906
    • Address %p has no image-section, xrefs: 6488195D
    Memory Dump Source
    • Source File: 00000000.00000002.208969284.0000000064881000.00000020.00020000.sdmp, Offset: 64880000, based on PE: true
    • Associated: 00000000.00000002.208964391.0000000064880000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208973820.0000000064884000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208979215.0000000064889000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.208983870.000000006488E000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208989408.0000000064893000.00000002.00020000.sdmp
    Similarity
    • API ID: Virtual$ErrorLastProtectQuery
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
    • API String ID: 637304234-2123141913
    • Opcode ID: f8dae06a7dcc55349e1de3268317cf1c598e530029087a529dedf6f885ba5f41
    • Instruction ID: 8cc6b214871289b327164f19ebb735148c54bb6c57c86d835829dbd1be7221a7
    • Opcode Fuzzy Hash: f8dae06a7dcc55349e1de3268317cf1c598e530029087a529dedf6f885ba5f41
    • Instruction Fuzzy Hash: 5C51F177701A548EEB118F26EC4179D7BB2EB85BA4F848A16DE2D47358EF38C581C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.208969284.0000000064881000.00000020.00020000.sdmp, Offset: 64880000, based on PE: true
    • Associated: 00000000.00000002.208964391.0000000064880000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208973820.0000000064884000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208979215.0000000064889000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.208983870.000000006488E000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208989408.0000000064893000.00000002.00020000.sdmp
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 416f79a31ade663877f1ebc1097a387ddac42043bca650757a78157cb3fc7dd2
    • Instruction ID: 00191d3fa424e9c7b6fa643c1194bd193ae7c77c3ca170bf9c242d74cf852461
    • Opcode Fuzzy Hash: 416f79a31ade663877f1ebc1097a387ddac42043bca650757a78157cb3fc7dd2
    • Instruction Fuzzy Hash: E24180377056548DF702AB1AFD8075926A6B784BA5F844A26CE2C87355EF7DD8D2C300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.208969284.0000000064881000.00000020.00020000.sdmp, Offset: 64880000, based on PE: true
    • Associated: 00000000.00000002.208964391.0000000064880000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208973820.0000000064884000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208979215.0000000064889000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.208983870.000000006488E000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.208989408.0000000064893000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeavefree
    • String ID:
    • API String ID: 4020351045-0
    • Opcode ID: 6a2995508a0320a4fbea5d0f98c620049ab2128213cb513d690c5edc099b4d1d
    • Instruction ID: a01fdc758dff4a84cc1270ccb0a6be5b13cd8105d1c8490294884cc788fc9986
    • Opcode Fuzzy Hash: 6a2995508a0320a4fbea5d0f98c620049ab2128213cb513d690c5edc099b4d1d
    • Instruction Fuzzy Hash: 17012C69304609CEEB08EB99ECD079963F2F784B80F904D25C92987320EF3DD9A1D754
    Uniqueness

    Uniqueness Score: -1.00%