Play interactive tour

Edit tour

Windows Analysis Report Processwindo.DLL

Overview

General Information

Sample Name:	Processwindo.DLL
Analysis ID:	445292
MD5:	5522c21a05daf91658951bdf1c0e5271
SHA1:	fed4a9b4069cd2676928441ecf8c844cc7f4a9ee
SHA256:	eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993
Tags:	dllGozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5572 cmdline: loaddll32.exe 'C:\Users\user\Desktop\Processwindo.DLL' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 5884 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5996 cmdline: rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5984 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5560 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5540 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4308 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 1388 cmdline: 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\Processwindo.DLL' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5136 cmdline: timeout /t 5 MD5: EB9A65078396FB5D4E3813BB9198CB18)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5560	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5540	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5996	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 4308	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5984	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 37 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Processwindo.DLL	Virustotal: Detection: 29%			Perma Link
Source: Processwindo.DLL	ReversingLabs: Detection: 21%

Source: 0.3.loaddll32.exe.baa1db.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 6.3.rundll32.exe.315a1db.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.rundll32.exe.446a1db.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.3.rundll32.exe.27da1db.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.rundll32.exe.284a1db.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.3.rundll32.exe.29ca1db.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: Processwindo.DLL

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source:

Binary string: c:\Post\806_Blood\Question\animal\four.pdb source: rundll32.exe, 00000002.00000002.546908161.000000006DDB8000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.545590218.000000006DDB8000.00000002.00020000.sdmp, Processwindo.DLL

Source: rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp	String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: rundll32.exe	String found in binary or memory: https://bussipod.xyz
Source: rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp	String found in binary or memory: https://bussipod.xyz8

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_6DD72411 NtQueryVirtualMemory,

6_2_6DD72411

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DD721F0	6_2_6DD721F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DD9BCA0	6_2_6DD9BCA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDAC5F4	6_2_6DDAC5F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDB48D1	6_2_6DDB48D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDA9813	6_2_6DDA9813
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DD997C0	6_2_6DD997C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDB67FE	6_2_6DDB67FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDA4B80	6_2_6DDA4B80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDB5359	6_2_6DDB5359
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDB4E15	6_2_6DDB4E15

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 6DDA8D18 appears 47 times

Source: Processwindo.DLL

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal56.troj.winDLL@17/0@0/0

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_01

Source: Processwindo.DLL

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather

Source: Processwindo.DLL	Virustotal: Detection: 29%
Source: Processwindo.DLL	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\Processwindo.DLL'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\Processwindo.DLL'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Processwindo.DLL	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Processwindo.DLL	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Processwindo.DLL	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Processwindo.DLL	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Processwindo.DLL	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Processwindo.DLL	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Processwindo.DLL

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: Processwindo.DLL	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Processwindo.DLL	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Processwindo.DLL	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Processwindo.DLL	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Processwindo.DLL	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_6DD7132A GetModuleHandleW,LoadLibraryW,GetProcAddress,

6_2_6DD7132A

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DD721DF push ecx; ret	6_2_6DD721EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDA8D5D push ecx; ret	6_2_6DDA8D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DD80D55 push edi; iretd	6_2_6DD80D56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DD80CDF push 00000065h; retf	6_2_6DD80CE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDA54F2 push ecx; ret	6_2_6DDA5505
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DD80881 push ebx; ret	6_2_6DD80882
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDD0560 push eax; ret	6_2_6DDD0511
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDD04E1 push eax; ret	6_2_6DDD0511

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_6DDA4CBF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_6DDA4CBF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_6DD7132A GetModuleHandleW,LoadLibraryW,GetProcAddress,

6_2_6DD7132A

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDD1390 mov eax, dword ptr fs:[00000030h]	6_2_6DDD1390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDD0EC6 push dword ptr fs:[00000030h]	6_2_6DDD0EC6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDD12BF mov eax, dword ptr fs:[00000030h]	6_2_6DDD12BF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_6DDB1CF3 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

6_2_6DDB1CF3

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDA5170 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6DDA5170
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDA110C _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6DDA110C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDA4CBF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6DDA4CBF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6DDA4724 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6DDA4724

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5			Jump to behavior

Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	6_2_6DDB119B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	6_2_6DDAA3AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	6_2_6DDA6F11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	6_2_6DDAAA19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	6_2_6DDAC059
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s,	6_2_6DDAC403
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_6DDB482E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_6DDABFC1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_6DDAC3C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_6DDAC360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	6_2_6DDB1329
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,	6_2_6DDB46EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_6DDAC29F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	6_2_6DDB46BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	6_2_6DDABEAA

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_6DDAFB69 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

6_2_6DDAFB69

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection12	Rundll321	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing1	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	System Information Discovery13	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Processwindo.DLL	29%	Virustotal		Browse
Processwindo.DLL	22%	ReversingLabs	Win32.Trojan.Ursnif

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.rundll32.exe.6dd70000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.loaddll32.exe.baa1db.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
6.3.rundll32.exe.315a1db.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.3.rundll32.exe.446a1db.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.3.rundll32.exe.27da1db.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
4.3.rundll32.exe.284a1db.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.3.rundll32.exe.29ca1db.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
6.2.rundll32.exe.6dd70000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://bussipod.xyz	0%	Avira URL Cloud	safe
https://bussipod.xyz8	0%	Avira URL Cloud	safe
http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bussipod.xyz	rundll32.exe	false	Avira URL Cloud: safe	unknown
https://bussipod.xyz8	rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;	rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	445292
Start date:	07.07.2021
Start time:	14:59:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Processwindo.DLL
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.troj.winDLL@17/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.7% (good quality ratio 6.7%) Quality average: 87.7% Quality standard deviation: 20.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 33
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .DLL
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, backgroundTaskHost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.667040453584233
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Processwindo.DLL
File size:	404992
MD5:	5522c21a05daf91658951bdf1c0e5271
SHA1:	fed4a9b4069cd2676928441ecf8c844cc7f4a9ee
SHA256:	eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993
SHA512:	d97a8021b9688c612e280ffcb5443916b9d09857daf82a62bd5efac35efeff138125466a74579568dd655cd66cd5085e10cedb4caf7981f4ee9f240839b33d55
SSDEEP:	6144:h8vockvtMD67Dvy8CyOuq107KjWMTxdtcrsianUAqPt/MmG3G/GERIgg:SwhtCy50mpMTxdtV8AqPtM3gN
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f..."..."...".....:.#...<.9.7...<./.....+.?.+..."...V...<.(.....<.>.#...<.8.#...<.=.#...Rich"...........PE..L....6JJ...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x103514d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x4A4A368F [Tue Jun 30 16:00:15 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	789fcca066875e59aafcb5a18bb50d1b

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F0C40C01427h
call 00007F0C40C0BE31h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007F0C40C01311h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov eax, dword ptr [0105F454h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
test byte ptr [0105F4D0h], 00000001h
push esi
je 00007F0C40C0142Ah
push 0000000Ah
call 00007F0C40C0641Fh
pop ecx
call 00007F0C40C0BEDDh
test eax, eax
je 00007F0C40C0142Ah
push 00000016h
call 00007F0C40C0BEDFh
pop ecx
test byte ptr [0105F4D0h], 00000002h
je 00007F0C40C014F0h
mov dword ptr [ebp-00000220h], eax
mov dword ptr [ebp-00000224h], ecx
mov dword ptr [ebp-00000228h], edx
mov dword ptr [ebp-0000022Ch], ebx
mov dword ptr [ebp-00000230h], esi
mov dword ptr [ebp-00000234h], edi
mov word ptr [ebp-00000208h], ss
mov word ptr [ebp-00000214h], cs
mov word ptr [ebp-00000238h], ds
mov word ptr [ebp-0000023Ch], es
mov word ptr [ebp-00000240h], fs
mov word ptr [ebp-00000244h], gs
pushfd
pop dword ptr [ebp-00000210h]
mov esi, dword ptr [ebp+04h]
lea eax, dword ptr [ebp+04h]
mov dword ptr [ebp+00FFFDF4h], eax

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[ASM] VS2008 build 21022
[LNK] VS2008 build 21022
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[IMP] VS2008 SP1 build 30729
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5e610	0x81	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5dc34	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfc000	0xf20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfd000	0x227c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x48220	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5c3b8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x1b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x462fd	0x46400	False	0.664559469528	data	6.60751707607	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x16691	0x16800	False	0.645388454861	data	6.06930496404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5f000	0x9c208	0x1800	False	0.340494791667	data	3.97938828996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xfc000	0xf20	0x1000	False	0.352783203125	data	3.32902550096	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfd000	0x3508	0x3600	False	0.521050347222	data	5.1466661049	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0xfc280	0xe4	data	English	United States
RT_DIALOG	0xfc368	0xf0	data	English	United States
RT_DIALOG	0xfc458	0xc4	dBase III DBT, next free block index 4294901761	English	United States
RT_DIALOG	0xfc520	0x142	data	English	United States
RT_DIALOG	0xfc668	0x11e	data	English	United States
RT_DIALOG	0xfc788	0x148	data	English	United States
RT_DIALOG	0xfc8d0	0x13c	data	English	United States
RT_DIALOG	0xfca10	0xf0	data	English	United States
RT_DIALOG	0xfcb00	0xcc	data	English	United States
RT_DIALOG	0xfcbd0	0x10a	data	English	United States
RT_DIALOG	0xfcce0	0xbe	data	English	United States
RT_MANIFEST	0xfcda0	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, LoadLibraryA, GetEnvironmentVariableA, VirtualProtectEx, GetModuleFileNameA, GetWindowsDirectoryA, SetConsoleCP, SetConsoleOutputCP, GetModuleHandleA, Sleep, GetLocaleInfoW, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, InitializeCriticalSectionAndSpinCount, GetProcessHeap, SetEndOfFile, GlobalLock, QueryPerformanceFrequency, GlobalAlloc, SetUnhandledExceptionFilter, CreatePipe, GlobalFree, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, InterlockedExchange, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, MultiByteToWideChar, GetLastError, CloseHandle, HeapAlloc, RtlUnwind, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetCurrentThreadId, GetCommandLineA, HeapFree, GetCPInfo, LCMapStringA, LCMapStringW, GetFileType, CreateFileA, SetStdHandle, SetHandleCount, GetStdHandle, GetStartupInfoA, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, HeapDestroy, GetModuleHandleW, ExitProcess, WriteFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetACP, GetOEMCP, IsValidCodePage, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeA, GetStringTypeW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, SetFilePointer
USER32.dll	SetForegroundWindow, CheckRadioButton, SetClipboardData, DestroyWindow, SendMessageA, GetClipboardData, SendDlgItemMessageA
ole32.dll	OleInitialize, OleUninitialize
IMM32.dll	ImmNotifyIME, ImmSetCompositionFontA, ImmGetContext, ImmGetCompositionStringA, ImmSetCompositionWindow, ImmReleaseContext

Exports

Name	Ordinal	Address
Formweather	1	0x102c6b0
Piecehear	2	0x102c420
Stickregion	3	0x102b3f0
Would	4	0x102c510

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5572 Parent PID: 5780

General

Start time:	15:00:09
Start date:	07/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\Processwindo.DLL'
Imagebase:	0xaa0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5884 Parent PID: 5572

General

Start time:	15:00:09
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5984 Parent PID: 5572

General

Start time:	15:00:09
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
Imagebase:	0x170000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5996 Parent PID: 5884

General

Start time:	15:00:09
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Imagebase:	0x170000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5560 Parent PID: 5572

General

Start time:	15:00:14
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear
Imagebase:	0x170000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5540 Parent PID: 5572

General

Start time:	15:00:20
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion
Imagebase:	0x170000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4308 Parent PID: 5572

General

Start time:	15:00:25
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would
Imagebase:	0x170000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1388 Parent PID: 3472

General

Start time:	15:02:09
Start date:	07/07/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\Processwindo.DLL'
Imagebase:	0x7ff7eef80000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1308 Parent PID: 1388

General

Start time:	15:02:10
Start date:	07/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: timeout.exe PID: 5136 Parent PID: 1388

General

Start time:	15:02:17
Start date:	07/07/2021
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):
Commandline:	timeout /t 5
Imagebase:
File size:	30720 bytes
MD5 hash:	EB9A65078396FB5D4E3813BB9198CB18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 4308 Parent PID: 5572 rundll32.exeCOMMON

Executed Functions

Function 6DDAA3AB, Relevance: 66.4, APIs: 44, Instructions: 432COMMON

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 6DDAA3E2
___getlocaleinfo.LIBCMT ref: 6DDAA3F7
___getlocaleinfo.LIBCMT ref: 6DDAA40C
___getlocaleinfo.LIBCMT ref: 6DDAA421
___getlocaleinfo.LIBCMT ref: 6DDAA439
___getlocaleinfo.LIBCMT ref: 6DDAA44E
___getlocaleinfo.LIBCMT ref: 6DDAA460
___getlocaleinfo.LIBCMT ref: 6DDAA475
___getlocaleinfo.LIBCMT ref: 6DDAA48D
___getlocaleinfo.LIBCMT ref: 6DDAA4A2

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: f63fe12d677cebfa18f51e34b6ae6efd83c987264cb8591f5ec6d07a1734044f
Instruction ID: ad4db52204b64a2647003aa610d5f6161e7ef8fe22da02844adff80a3222d38b
Opcode Fuzzy Hash: f63fe12d677cebfa18f51e34b6ae6efd83c987264cb8591f5ec6d07a1734044f
Instruction Fuzzy Hash: 97E1D3B290020DBEEF11DBE1CC44EFF77BDEB0478CF05491AB255E6040EA75AA159764

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD1390, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000006D5,00003000,00000040,000006D5,6DDD0DE0), ref: 6DDD144D
VirtualAlloc.KERNEL32(00000000,000000AD,00003000,00000040,6DDD0E42), ref: 6DDD1484
VirtualAlloc.KERNEL32(00000000,00013CE2,00003000,00000040), ref: 6DDD14E4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6DDD151A
VirtualProtect.KERNEL32(6DD70000,00000000,00000004,6DDD136F), ref: 6DDD161F
VirtualProtect.KERNEL32(6DD70000,00001000,00000004,6DDD136F), ref: 6DDD1646
VirtualProtect.KERNEL32(00000000,?,00000002,6DDD136F), ref: 6DDD1713
VirtualProtect.KERNEL32(00000000,?,00000002,6DDD136F,?), ref: 6DDD1769
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6DDD1785

Memory Dump Source

Source File: 00000006.00000002.545696110.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 68c123f1614c53dcd1bf60acf4ddc4891d709bf3657c4aa11eae2c44add3dece
Instruction ID: 591e7813a427613ffd5692f718c1bb326ecfb282b2b314ee36b179f987a48958
Opcode Fuzzy Hash: 68c123f1614c53dcd1bf60acf4ddc4891d709bf3657c4aa11eae2c44add3dece
Instruction Fuzzy Hash: A0D15CB2600701DFDF519F54C881B9177A6FF88718B0A45A4EE09DF75AD7B2E890CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DD9BCA0, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 492COMMON

Download Yara Rule

APIs

std::locale::locale.LIBCPMTD ref: 6DD9BCD3

Part of subcall function 6DD9CC90: std::locale::_Init.LIBCPMT ref: 6DD9CC97
Part of subcall function 6DD9CC90: std::locale::facet::_Incref.LIBCPMTD ref: 6DD9CCA8

_setlocale.LIBCMT ref: 6DD9BD08
SetConsoleOutputCP.KERNEL32(000004E3,6DDCF454), ref: 6DD9BD2A
GetWindowsDirectoryA.KERNEL32(6DDD07C0,000005A0), ref: 6DD9BD74
SetConsoleCP.KERNEL32(00000000), ref: 6DD9BDFC
GetEnvironmentVariableA.KERNEL32(6DDC9E6C,6DE68608,000005A0,00000004,00000000), ref: 6DD9BEB9

Strings

', xrefs: 6DD9C35A

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: Console$DirectoryEnvironmentIncrefInitOutputVariableWindows_setlocalestd::locale::_std::locale::facet::_std::locale::locale
String ID: '
API String ID: 1107211165-1997036262
Opcode ID: d64f034afda92f00b29c6efc58af210aaeccd634be214a99894f8e2217f89d6e
Instruction ID: 3a4825fb6ddc0cf72d9e4710b04656f7b4cf7e143738bf7d6bc39674a645f52e
Opcode Fuzzy Hash: d64f034afda92f00b29c6efc58af210aaeccd634be214a99894f8e2217f89d6e
Instruction Fuzzy Hash: DE32297194610ACFEF18EFB8C590BAEBBB9FB4AB00F10C119E5559B284D7346901EF94

Uniqueness

Uniqueness Score: -1.00%

Function 6DD99D70, Relevance: 10.0, APIs: 2, Strings: 3, Instructions: 1263COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6DD99FB0
GetWindowsDirectoryA.KERNEL32(?,000005A0), ref: 6DD9AA01

Strings

, xrefs: 6DD9B1AD
Y, xrefs: 6DD9A993
U, xrefs: 6DD99D76

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: DirectoryWindows_malloc
String ID: $U$Y
API String ID: 2078752423-2711291101
Opcode ID: db8acd7003cc29317bad858117c9631f113adad908a8eff9069c3243097f0bcd
Instruction ID: c8baf61410fe13da59fc8398fdc8fd7b07433db0e3323816d045c9b2d1c71ec9
Opcode Fuzzy Hash: db8acd7003cc29317bad858117c9631f113adad908a8eff9069c3243097f0bcd
Instruction Fuzzy Hash: E9D25B7694615ACFDB18EFB9C190BECBBF6FB4A700F14C11AE445A7248E3385644EB24

Uniqueness

Uniqueness Score: -1.00%

Function 6DD7166B, Relevance: 6.0, APIs: 4, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E6DD7166B(void* __ebx, intOrPtr _a4) {
				void* __edi;
				void* __esi;
				void* _t2;
				void* _t8;
				long _t16;
				void* _t17;

				_t16 = 0;
				_t2 = HeapCreate(0, 0x400000, 0); // executed
				 *0x6dd74030 = _t2;
				_t19 = _t2;
				if(_t2 == 0) {
					_t16 = GetLastError();
				} else {
					 *0x6dd74000 = __ebx;
					 *0x6dd74018 = E6DD7177B(_a4, 0, _t17, _t19);
					if(E6DD71F6D(__ebx, _t17, _t19) == 0) {
						_t16 = 0x7f;
					} else {
						asm("lock xadd [eax], ecx");
						_t8 = CreateThread(0, 0, E6DD71EA8, __ebx, 0, 0x6dd74024); // executed
						 *0x6dd74020 = _t8;
						if(_t8 == 0) {
							_t16 = GetLastError();
							asm("lock xadd [esi], eax");
						}
					}
				}
				return _t16;
			}

0x6dd7166d
0x6dd71676
0x6dd7167c
0x6dd71681
0x6dd71683
0x6dd716eb
0x6dd71685
0x6dd71689
0x6dd71696
0x6dd716a2
0x6dd716e2
0x6dd716a4
0x6dd716ae
0x6dd716c0
0x6dd716c6
0x6dd716cd
0x6dd716d5
0x6dd716da
0x6dd716da
0x6dd716cd
0x6dd716a2
0x6dd716f1

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,6DD71DB2,?,?,?,6DD71904,?,?,?), ref: 6DD71676
CreateThread.KERNELBASE ref: 6DD716C0
GetLastError.KERNEL32(?,00000001,6DD71DB2,?,?,?,6DD71904,?,?,?), ref: 6DD716CF
GetLastError.KERNEL32(?,00000001,6DD71DB2,?,?,?,6DD71904,?,?,?), ref: 6DD716E5

Memory Dump Source

Source File: 00000006.00000002.545470853.000000006DD71000.00000020.00020000.sdmp, Offset: 6DD70000, based on PE: true

Associated: 00000006.00000002.545460972.000000006DD70000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545485510.000000006DD73000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545496349.000000006DD75000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.545508050.000000006DD76000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateErrorLast$HeapThread
String ID:
API String ID: 4176170028-0
Opcode ID: ee3d3aefb4483e05f8f14fb80d0ff49ec0b93c2e1c83aa620cdbc858f10fa819
Instruction ID: 20d0eaf440a1dad0bbce6e1037197cc82f4e3aa8e255de60b851446e078d392b
Opcode Fuzzy Hash: ee3d3aefb4483e05f8f14fb80d0ff49ec0b93c2e1c83aa620cdbc858f10fa819
Instruction Fuzzy Hash: 0C018F31684220ABE7327F79DC58B2A3AB4F7CB76271917ADF556C2280DB3088058A64

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA9DD9, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6DDA4F37,?), ref: 6DDA9DEE

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7f4d0b02a66b3bb5c309b64ce21bf952a9c90cf24a55ff0430e256fb10d35c2b
Instruction ID: cde3c3de13cdc6565f3db6abf98ee15b0d4aadce148a166533a986eb4d18e154
Opcode Fuzzy Hash: 7f4d0b02a66b3bb5c309b64ce21bf952a9c90cf24a55ff0430e256fb10d35c2b
Instruction Fuzzy Hash: DBD05E729943569BEF006F759C09B323BECD785395F188436B90CC6140F671D580CA10

Uniqueness

Uniqueness Score: -1.00%

Function 6DDAAFAC, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 6DDAAFAE

Part of subcall function 6DDAAF3A: RtlEncodePointer.NTDLL(00000000,?,6DDAAFB3,00000000,6DDB298C,6DE697A8,00000000,00000314,?,6DDAA2FF,6DE697A8,6DDCB038,00012010), ref: 6DDAAFA1

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: e03921315bf54aea394bf68a5a9a480804fd1a3aef8beb44d3f2b932afba7c03
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6DDA4724, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6DDAE117
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6DDAE12C
UnhandledExceptionFilter.KERNEL32(6DDCBA2C), ref: 6DDAE137
GetCurrentProcess.KERNEL32(C0000409), ref: 6DDAE153
TerminateProcess.KERNEL32(00000000), ref: 6DDAE15A

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 194bfa95e83706b975eaab42a1d6e63159bc39ea1b41f8880286b4dee184b2b6
Instruction ID: c4a679b7266b770403edf47a459919b7874a0362e3339818bfb686183405de37
Opcode Fuzzy Hash: 194bfa95e83706b975eaab42a1d6e63159bc39ea1b41f8880286b4dee184b2b6
Instruction Fuzzy Hash: 932104B4945285DFDF00EF28C988BA63BF8FB4A318F10845AF50887340EBB19585CF99

Uniqueness

Uniqueness Score: -1.00%

Function 6DD7132A, Relevance: 4.6, APIs: 3, Instructions: 91
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DD7132A(void* __eax, void* __ebx, intOrPtr* __ecx) {
				intOrPtr* _t30;
				struct HINSTANCE__* _t32;
				intOrPtr _t33;
				signed short _t34;
				CHAR* _t36;
				_Unknown_base(*)()* _t37;
				struct HINSTANCE__* _t39;
				void* _t40;
				short* _t42;
				intOrPtr _t44;
				short _t51;
				intOrPtr* _t53;
				signed short* _t57;
				void* _t59;
				void* _t61;
				signed short _t72;

				_t40 = __ebx;
				_t59 = _t61 - 0x74;
				 *(_t59 + 0x6c) =  *(_t59 + 0x6c) & 0x00000000;
				_t53 = __ecx;
				 *((intOrPtr*)(_t59 + 0x64)) = __eax + __ecx;
				do {
					_t30 =  *((intOrPtr*)(_t53 + 0xc)) + _t40;
					_t42 = _t59 - 0x20;
					do {
						_t51 =  *_t30;
						 *_t42 = _t51;
						_t30 = _t30 + 1;
						_t42 = _t42 + 2;
					} while (_t51 != 0);
					_t32 = GetModuleHandleW(_t59 - 0x20);
					 *(_t59 + 0x70) = _t32;
					if(_t32 != 0) {
						L5:
						_t33 =  *_t53;
						 *(_t59 + 0x68) =  *(_t59 + 0x68) & 0x00000000;
						_t44 =  *((intOrPtr*)(_t53 + 0x10));
						if(_t33 != 0) {
							L7:
							_t57 = _t33 + _t40;
							_t34 =  *_t57;
							if(_t34 == 0) {
								L21:
								_t53 = _t53 + 0x14;
								if(_t53 >=  *((intOrPtr*)(_t59 + 0x64))) {
									L25:
									return  *(_t59 + 0x6c);
								}
								goto L22;
							}
							 *((intOrPtr*)(_t59 + 0x60)) = _t44 - _t57 + _t40;
							_t72 = _t34;
							L9:
							L9:
							if(_t72 < 0) {
								if(_t34 < _t40 || _t34 >=  *((intOrPtr*)(_t59 + 0x7c)) + _t40) {
									_t34 = 0;
									 *(_t59 + 0x68) =  *_t57 & 0x0000ffff;
								}
							} else {
								_t34 = _t34 + _t40;
							}
							if(_t34 == 0) {
								_t36 =  *(_t59 + 0x68) & 0x0000ffff;
							} else {
								_t36 = _t34 + 2;
							}
							_t37 = GetProcAddress( *(_t59 + 0x70), _t36);
							if(_t37 == 0) {
								goto L20;
							}
							 *( *((intOrPtr*)(_t59 + 0x60)) + _t57) = _t37;
							_t57 =  &(_t57[2]);
							_t34 =  *_t57;
							if(_t34 != 0) {
								goto L9;
							}
							goto L21;
							L20:
							 *(_t59 + 0x6c) = 0x7f;
							goto L21;
						}
						_t33 = _t44;
						if(_t44 == 0) {
							goto L21;
						}
						goto L7;
					}
					_t39 = LoadLibraryW(_t59 - 0x20);
					 *(_t59 + 0x70) = _t39;
					if(_t39 == 0) {
						 *(_t59 + 0x6c) = 0x7e;
						goto L25;
					}
					goto L5;
					L22:
				} while ( *((intOrPtr*)(_t53 + 0xc)) != 0);
				goto L25;
			}

0x6dd7132a
0x6dd7132b
0x6dd71335
0x6dd7133b
0x6dd7133f
0x6dd71342
0x6dd71345
0x6dd71347
0x6dd7134a
0x6dd7134a
0x6dd71350
0x6dd71353
0x6dd71355
0x6dd71356
0x6dd7135e
0x6dd71364
0x6dd71369
0x6dd71380
0x6dd71380
0x6dd71382
0x6dd71386
0x6dd7138b
0x6dd71393
0x6dd71393
0x6dd71396
0x6dd7139a
0x6dd713f3
0x6dd713f3
0x6dd713f9
0x6dd7140e
0x6dd71417
0x6dd71417
0x00000000
0x6dd713f9
0x6dd713a0
0x6dd713a3
0x00000000
0x6dd713a5
0x6dd713a5
0x6dd713ad
0x6dd713bb
0x6dd713bd
0x6dd713bd
0x6dd713a7
0x6dd713a7
0x6dd713a7
0x6dd713c2
0x6dd713c9
0x6dd713c4
0x6dd713c4
0x6dd713c4
0x6dd713d1
0x6dd713d9
0x00000000
0x00000000
0x6dd713de
0x6dd713e1
0x6dd713e4
0x6dd713e8
0x00000000
0x00000000
0x00000000
0x6dd713ec
0x6dd713ec
0x00000000
0x6dd713ec
0x6dd7138d
0x6dd71391
0x00000000
0x00000000
0x00000000
0x6dd71391
0x6dd7136f
0x6dd71375
0x6dd7137a
0x6dd71407
0x00000000
0x6dd71407
0x00000000
0x6dd713fb
0x6dd713fb
0x00000000

APIs

GetModuleHandleW.KERNEL32(?), ref: 6DD7135E
LoadLibraryW.KERNEL32(?), ref: 6DD7136F
GetProcAddress.KERNEL32(?,?), ref: 6DD713D1

Memory Dump Source

Source File: 00000006.00000002.545470853.000000006DD71000.00000020.00020000.sdmp, Offset: 6DD70000, based on PE: true

Associated: 00000006.00000002.545460972.000000006DD70000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545485510.000000006DD73000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545496349.000000006DD75000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.545508050.000000006DD76000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: aa2e1dee2c5d67d394042241e8d854376abe1539cd6a5a80e740fd6183c141fd
Instruction ID: eee96b53fd5b3ef45f4534104e8acb9a2bc77d5d2f0aff90e74a8126be787936
Opcode Fuzzy Hash: aa2e1dee2c5d67d394042241e8d854376abe1539cd6a5a80e740fd6183c141fd
Instruction Fuzzy Hash: DC318F76A0071ACBEB24EF29C8A07AA77F8BF05359F1012ADF865D7641E334D409CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6DD72411, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DD72411(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6dd74040;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6dd74088 = 1;
										__eflags =  *0x6dd74088;
										if( *0x6dd74088 != 0) {
											goto L60;
										}
										_t84 =  *0x6dd74040;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6dd74088 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6dd74040 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6dd74048 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6dd74044 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6dd74048 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6dd74048 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6dd74088 = 1;
							__eflags =  *0x6dd74088;
							if( *0x6dd74088 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6dd74048 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6dd74048 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6dd74088 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6dd74048 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6dd74040 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6dd74048 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6dd74048 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6dd7241b
0x6dd7241e
0x6dd72424
0x6dd72442
0x00000000
0x6dd72442
0x6dd7242c
0x6dd72435
0x6dd7243b
0x6dd7244a
0x6dd7244d
0x6dd72450
0x6dd7245a
0x6dd7245a
0x6dd7245c
0x6dd7245f
0x6dd72461
0x6dd72461
0x6dd72463
0x6dd72466
0x00000000
0x00000000
0x6dd72468
0x6dd7246a
0x6dd724d0
0x6dd724d0
0x6dd7262e
0x00000000
0x6dd7262e
0x6dd7246c
0x6dd7246c
0x6dd72470
0x6dd72472
0x6dd72472
0x6dd72472
0x6dd72472
0x6dd72475
0x6dd72476
0x6dd72479
0x6dd72479
0x6dd7247d
0x6dd72481
0x6dd7248f
0x6dd7248f
0x6dd72497
0x6dd7249d
0x6dd7249f
0x6dd724a1
0x6dd724b1
0x6dd724be
0x6dd724c2
0x6dd724c7
0x6dd724c9
0x6dd72547
0x6dd72547
0x6dd724cb
0x6dd724cb
0x6dd724cb
0x6dd72549
0x6dd7254b
0x6dd7262c
0x6dd7262c
0x00000000
0x6dd72551
0x6dd72551
0x6dd72558
0x00000000
0x00000000
0x6dd7255e
0x6dd72562
0x6dd725be
0x6dd725c0
0x6dd725c8
0x6dd725ca
0x6dd725cc
0x00000000
0x00000000
0x6dd725ce
0x6dd725d4
0x6dd725d6
0x6dd725d8
0x6dd725ed
0x6dd725ed
0x6dd725ef
0x6dd7261e
0x6dd72625
0x00000000
0x6dd72625
0x6dd725f3
0x6dd725f4
0x6dd725f6
0x6dd725f8
0x6dd725f8
0x6dd725fa
0x6dd725fc
0x6dd725fe
0x6dd72612
0x6dd72612
0x6dd72615
0x6dd72617
0x6dd72617
0x6dd72618
0x6dd72618
0x00000000
0x6dd72600
0x6dd72600
0x6dd72600
0x6dd72609
0x6dd7260a
0x6dd7260c
0x6dd7260e
0x6dd7260e
0x00000000
0x6dd72600
0x6dd725fe
0x6dd725da
0x6dd725e1
0x6dd725e1
0x6dd725e3
0x00000000
0x00000000
0x6dd725e5
0x6dd725e6
0x6dd725e9
0x6dd725eb
0x00000000
0x00000000
0x00000000
0x6dd725eb
0x00000000
0x6dd725e1
0x6dd72564
0x6dd72567
0x6dd7256c
0x00000000
0x00000000
0x6dd72575
0x6dd72577
0x6dd7257d
0x00000000
0x00000000
0x6dd72583
0x6dd72589
0x00000000
0x00000000
0x6dd7258f
0x6dd72591
0x6dd7259a
0x6dd7259e
0x00000000
0x00000000
0x6dd725a4
0x6dd725a7
0x6dd725a9
0x00000000
0x00000000
0x6dd725b0
0x6dd725b2
0x00000000
0x00000000
0x6dd725b4
0x6dd725b8
0x00000000
0x00000000
0x00000000
0x6dd725b8
0x00000000
0x00000000
0x00000000
0x6dd724a3
0x6dd724a3
0x6dd724a3
0x6dd724aa
0x00000000
0x00000000
0x6dd724ac
0x6dd724ad
0x6dd724af
0x00000000
0x00000000
0x00000000
0x6dd724af
0x6dd724d7
0x6dd724d9
0x00000000
0x00000000
0x6dd724e9
0x6dd724eb
0x6dd724ed
0x00000000
0x00000000
0x6dd724f3
0x6dd724fa
0x6dd72526
0x6dd72526
0x6dd72528
0x6dd7252a
0x6dd7253e
0x6dd72540
0x00000000
0x00000000
0x00000000
0x00000000
0x6dd7252c
0x6dd7252c
0x6dd7252c
0x6dd72535
0x6dd72536
0x6dd72538
0x6dd7253a
0x6dd7253a
0x00000000
0x6dd7252c
0x6dd724fc
0x6dd724ff
0x6dd72501
0x6dd72513
0x6dd72513
0x6dd72516
0x6dd72518
0x6dd72518
0x6dd72519
0x6dd72519
0x6dd7251f
0x00000000
0x00000000
0x00000000
0x00000000
0x6dd72503
0x6dd72503
0x6dd72503
0x6dd7250a
0x00000000
0x00000000
0x6dd7250c
0x6dd7250c
0x6dd7250d
0x00000000
0x00000000
0x00000000
0x6dd7250d
0x6dd7250f
0x6dd72511
0x6dd72524
0x00000000
0x00000000
0x00000000
0x6dd72524
0x00000000
0x6dd72511
0x6dd72483
0x6dd72486
0x6dd72489
0x00000000
0x00000000
0x6dd7248b
0x6dd7248d
0x00000000
0x00000000
0x00000000
0x6dd7248d
0x6dd72452
0x6dd72454
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6DD724C2

Memory Dump Source

Source File: 00000006.00000002.545470853.000000006DD71000.00000020.00020000.sdmp, Offset: 6DD70000, based on PE: true

Associated: 00000006.00000002.545460972.000000006DD70000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545485510.000000006DD73000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545496349.000000006DD75000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.545508050.000000006DD76000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 581bc6f7c045ebda6cbd080b016ebcdd8775b8e2ec56b1b984ae41794fbc11cb
Instruction ID: 6ad3e8e2fcb224fdcbcd5e2b1d6fbef3a5321753e7633f71d96442b0c626a67e
Opcode Fuzzy Hash: 581bc6f7c045ebda6cbd080b016ebcdd8775b8e2ec56b1b984ae41794fbc11cb
Instruction Fuzzy Hash: 9A61CE70B04692CBDB36EF28C8A07293BF9BB5731CF2484E9F955CB285E730D8428650

Uniqueness

Uniqueness Score: -1.00%

Function 6DD997C0, Relevance: 1.6, Strings: 1, Instructions: 393COMMON

Download Yara Rule

Strings

lU8, xrefs: 6DD998A7, 6DD99A1E, 6DD99A7E, 6DD99BF3, 6DD99C78, 6DD99D5F

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID:
String ID: lU8
API String ID: 0-124825105
Opcode ID: 02491dacb69610cd64a455f1347f5b2afc8209ceea70c1a51b9ad554415ad9d8
Instruction ID: 060e329bfa5b9c4d2bbf7c746d47f0c60945289802dc9e12caf53dc12fc5bfbb
Opcode Fuzzy Hash: 02491dacb69610cd64a455f1347f5b2afc8209ceea70c1a51b9ad554415ad9d8
Instruction Fuzzy Hash: 3D027D71A82016DFEF18EF78C990BE97BFABB4AB00F04C159E545DB284D7385A44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6DD721F0, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6DD721F0(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6DD72357(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6DD72411(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6DD722FC(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6DD72357(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6DD723F3(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6dd721f4
0x6dd721f5
0x6dd721f6
0x6dd721f9
0x6dd721fb
0x6dd721fe
0x6dd721ff
0x6dd72201
0x6dd72202
0x6dd72203
0x6dd72206
0x6dd72210
0x6dd722c1
0x6dd722c8
0x6dd722d1
0x6dd72216
0x6dd72216
0x6dd7221c
0x6dd72222
0x6dd72225
0x6dd72228
0x6dd7222c
0x6dd72231
0x6dd72236
0x6dd722b6
0x00000000
0x6dd72238
0x6dd72238
0x6dd72244
0x6dd72246
0x6dd722a1
0x6dd722a1
0x6dd722a7
0x00000000
0x6dd72248
0x6dd72257
0x6dd72259
0x6dd7225a
0x6dd7225b
0x6dd7225e
0x6dd7225e
0x6dd72260
0x00000000
0x6dd72262
0x6dd72262
0x6dd722ac
0x6dd72264
0x6dd72264
0x6dd72268
0x6dd72270
0x6dd72275
0x6dd7227a
0x6dd72286
0x6dd7228e
0x6dd72295
0x6dd7229b
0x6dd7229f
0x00000000
0x6dd7229f
0x6dd72262
0x6dd72260
0x00000000
0x6dd72246
0x6dd722ba
0x6dd722ba
0x6dd722ba
0x6dd72236
0x6dd722d6
0x6dd722dd

Memory Dump Source

Source File: 00000006.00000002.545470853.000000006DD71000.00000020.00020000.sdmp, Offset: 6DD70000, based on PE: true

Associated: 00000006.00000002.545460972.000000006DD70000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545485510.000000006DD73000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545496349.000000006DD75000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.545508050.000000006DD76000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 25a1801de4bf55d2881ac804926fa55eeec996f736723cbb5d8aaddd15752fa7
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 1E21A432904245EFCB20EF68C8C0967BBA5FF45314B4685A8ED599B245E730FA15C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA4B80, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: a40047d555e597c7d0462715b2e0832ba1d0caa7f0bf2cd414fd114574a72597
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 8F11D6B7244083C3D300AB2DC8F07B6B795EACD22672DC3A7F15D4B656DD22B1559500

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD0EC6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.545696110.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 6f3add16a4c93ab43a3b918e591b8aee8e7c7584a037591747c9259a786a9acb
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: D51181733441059FDB94DF6ADC80EA273AAFBC92707258166ED08CB301E676E845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD12BF, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.545696110.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction ID: 29b14eaee1c8aec5c75546c5d49627f2c5af55d89cdf1a10ba094b5cae90920f
Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction Fuzzy Hash: 9E010472354602CFCB55EF19D884D79BBE4EBC2325B15C07EE48683A16D230E441CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA0DB0, Relevance: 12.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 6DDA0FA0: _localeconv.LIBCMT ref: 6DDA0FA7

std::_Locinfo::_Getcvt.LIBCPMTD ref: 6DDA0E16

Part of subcall function 6DDA1060: _strlen.LIBCMT ref: 6DDA106A

std::_Locinfo::_Getcvt.LIBCPMTD ref: 6DDA0E46
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6DDA0E7E
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6DDA0EDD
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6DDA0F03
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6DDA0F32
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6DDA0F54
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6DDA0F73

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: GetcvtLocinfo::_std::_$_localeconv_strlen
String ID:
API String ID: 3869368768-0
Opcode ID: d3180c9a876ca48839aad991766f51da82ddae083e5e78d8b2e4545a38abd204
Instruction ID: 7e09793bd68977cdcf83f6251e58b84ca7090e6e93045a2443f7340bffdf6e25
Opcode Fuzzy Hash: d3180c9a876ca48839aad991766f51da82ddae083e5e78d8b2e4545a38abd204
Instruction Fuzzy Hash: C75120B5D04248AFDB04DF95C850BAEBBB5EF88344F18C129F509AF385D731A949CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA5287, Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__decode_pointer.LIBCMT ref: 6DDA5296
__decode_pointer.LIBCMT ref: 6DDA52A6

Part of subcall function 6DDAAFB5: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6DDAA393,?,6DDA32BC,6DD99FB5,?,?,6DD99FB5,000005A0), ref: 6DDAAFF4
Part of subcall function 6DDAAFB5: __crt_waiting_on_module_handle.LIBCMT ref: 6DDAAFFF
Part of subcall function 6DDAAFB5: GetProcAddress.KERNEL32(00000000,6DDCB1F4), ref: 6DDAB00F

__msize.LIBCMT ref: 6DDA52C4
__realloc_crt.LIBCMT ref: 6DDA52E8
__realloc_crt.LIBCMT ref: 6DDA52FE
__encode_pointer.LIBCMT ref: 6DDA5310
__encode_pointer.LIBCMT ref: 6DDA531E
__encode_pointer.LIBCMT ref: 6DDA5329

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$AddressHandleModuleProc__crt_waiting_on_module_handle__msize
String ID:
API String ID: 1462085885-0
Opcode ID: 6997a3972a63cc63ce79bcc3683ed113a0fb5871a1cf99720de31d1aca8bb15d
Instruction ID: 3d62db0c0d625899c87eb6f80260c11d9c9ff8265e4aa913db1b69d634a8a98e
Opcode Fuzzy Hash: 6997a3972a63cc63ce79bcc3683ed113a0fb5871a1cf99720de31d1aca8bb15d
Instruction Fuzzy Hash: D911B1B2608211AFDB157B64E880CAE37AAEB81368329C526F505D7190EF25DD454660

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA2521, Relevance: 12.0, APIs: 8, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6DDA2528
std::_Lockit::_Lockit.LIBCPMT ref: 6DDA2532
int.LIBCPMTD ref: 6DDA2549

Part of subcall function 6DD9E6E0: std::_Lockit::_Lockit.LIBCPMT ref: 6DD9E6F6

ctype.LIBCPMT ref: 6DDA256C
std::bad_exception::bad_exception.LIBCMT ref: 6DDA2580
__CxxThrowException@8.LIBCMT ref: 6DDA258E
std::locale::facet::_Incref.LIBCPMTD ref: 6DDA259E
std::locale::facet::facet_Register.LIBCPMT ref: 6DDA25A4

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID:
API String ID: 1593823581-0
Opcode ID: e1e9e862a1b1600e85dab86312ec9af2ca9129a894a38dc3ca0967241055ff0f
Instruction ID: a5f591629a15bdb661f091fc52a656eb944da9949eb66ecc1f8b354c3d91d170
Opcode Fuzzy Hash: e1e9e862a1b1600e85dab86312ec9af2ca9129a894a38dc3ca0967241055ff0f
Instruction Fuzzy Hash: 4401C431849215D7CB05FBA5C850ABE77397F4472CF198508F2117B2C4CF34DA068761

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA2740, Relevance: 12.0, APIs: 8, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6DDA2747
std::_Lockit::_Lockit.LIBCPMT ref: 6DDA2751
int.LIBCPMTD ref: 6DDA2768

Part of subcall function 6DD9E6E0: std::_Lockit::_Lockit.LIBCPMT ref: 6DD9E6F6

codecvt.LIBCPMT ref: 6DDA278B
std::bad_exception::bad_exception.LIBCMT ref: 6DDA279F
__CxxThrowException@8.LIBCMT ref: 6DDA27AD
std::locale::facet::_Incref.LIBCPMTD ref: 6DDA27BD
std::locale::facet::facet_Register.LIBCPMT ref: 6DDA27C3

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID:
API String ID: 1213051545-0
Opcode ID: 7d2a4ef2692b32a4038813553dbeaca74fbca52fe6f65e409ac27525af172636
Instruction ID: 696021e74ad00a8933f3955dcb2c27c209dc92555fe61a0afff238177e92d36b
Opcode Fuzzy Hash: 7d2a4ef2692b32a4038813553dbeaca74fbca52fe6f65e409ac27525af172636
Instruction Fuzzy Hash: E101C031809116E7CB05FBB5CD40ABE7739AF80B28F5A8508F6117B2C4DF749A0687B1

Uniqueness

Uniqueness Score: -1.00%

Function 6DD9D230, Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6DD9D292

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 3c5391e8fed03dee199fa6430b631ca633b01d90cd2cc8bf4b5e20b441a31520
Instruction ID: 0c52ec60154fe56f67bfa393ec3d1339d4382f1ecffc3ae42e9de18318a0c4f0
Opcode Fuzzy Hash: 3c5391e8fed03dee199fa6430b631ca633b01d90cd2cc8bf4b5e20b441a31520
Instruction Fuzzy Hash: 3B418A71914108EBDB15EF94CD80FEDF774BB84314F50C29AB51A6B281EB356A49CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA652D, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6DDA6555

Part of subcall function 6DDA461F: __getptd.LIBCMT ref: 6DDA462D
Part of subcall function 6DDA461F: __getptd.LIBCMT ref: 6DDA463B

__getptd.LIBCMT ref: 6DDA655F

Part of subcall function 6DDAB201: __getptd_noexit.LIBCMT ref: 6DDAB204
Part of subcall function 6DDAB201: __amsg_exit.LIBCMT ref: 6DDAB211

__getptd.LIBCMT ref: 6DDA656D
__getptd.LIBCMT ref: 6DDA657B
__getptd.LIBCMT ref: 6DDA6586
_CallCatchBlock2.LIBCMT ref: 6DDA65AC

Part of subcall function 6DDA46C4: __CallSettingFrame@12.LIBCMT ref: 6DDA4710

Part of subcall function 6DDA6653: __getptd.LIBCMT ref: 6DDA6662
Part of subcall function 6DDA6653: __getptd.LIBCMT ref: 6DDA6670

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 4fc545c354f8a8764ad4f5469c3fedd470a42088784cf2f9a1fd085caba7475a
Instruction ID: 32f1bf90ce73a67700417c427dee682df32f7caf5919a298f05cc266ab69b5b9
Opcode Fuzzy Hash: 4fc545c354f8a8764ad4f5469c3fedd470a42088784cf2f9a1fd085caba7475a
Instruction Fuzzy Hash: 6711C971C04209DFDB00EFA4C444BAD7BB0FF18319F19C16AF964A7290DB3999159B60

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA0020, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6DDA004F

Part of subcall function 6DD9CFF0: std::locale::locale.LIBCPMTD ref: 6DD9D00A

Part of subcall function 6DDA0890: std::_Lockit::_Lockit.LIBCPMT ref: 6DDA08BA
Part of subcall function 6DDA0890: int.LIBCPMTD ref: 6DDA08D3

Part of subcall function 6DD9CD00: std::locale::facet::_Decref.LIBCPMTD ref: 6DD9CD16

numpunct.LIBCPMTD ref: 6DDA0089
_memmove_s.LIBCMT ref: 6DDA0188
std::ios_base::width.LIBCPMTD ref: 6DDA02FA

Strings

@, xrefs: 6DDA0201

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: DecrefLockitLockit::__memmove_snumpunctstd::_std::ios_base::getlocstd::ios_base::widthstd::locale::facet::_std::locale::locale
String ID: @
API String ID: 3659140288-2766056989
Opcode ID: 52f524d2d6ea806e67aefa2931bcbbdbeb8162e95221e2a36f56209e44b92f53
Instruction ID: baa32ebdec7ff309c3c82da849339e304816bb43394be1340135bea23981d8e8
Opcode Fuzzy Hash: 52f524d2d6ea806e67aefa2931bcbbdbeb8162e95221e2a36f56209e44b92f53
Instruction Fuzzy Hash: CAB157B1A04249DFCB04DFA9C990AFEBBB5BF49304F18821DF919AB255D735A901CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6DD71C7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6DD71C7C(unsigned int __eax, void* __ecx, void* _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				int _v12;
				unsigned int _t48;
				void* _t57;
				void* _t64;
				void* _t69;

				_t48 = __eax;
				_v8 = 0x57;
				_v12 = __eax + 0x00000fff & 0xfffff000;
				_t57 = E6DD7120F(__eax + 0x00000fff & 0xfffff000);
				if(_t57 == 0) {
					_v8 = 8;
				} else {
					memcpy(_t57, _a4, _a12 + 0x22);
					E6DD71C14(_a12 + 0x22, _t57, _a8);
					_t64 = CreateEventA(0, 1, 0, 0);
					if(_t64 != 0) {
						_a12 = E6DD715CE(_t57 + _a12, _t64);
						CloseHandle(_t64);
					}
					if(_a12 != 0xaefa8c44) {
						E6DD7124F(_t57);
					} else {
						asm("sbb esi, esi");
						_t69 =  ~( ~(_t48 & 0x00000fff)) + (_t48 >> 0xc);
						memcpy(_t57, _a4, _v12);
						_a12 = _a12 & 0x00000000;
						if(_t69 > 0) {
							_v8 = _t57;
							do {
								asm("ror eax, cl");
								E6DD71C14(0x1000, _v8, _a8);
								_a12 = _a12 + 1;
								_v8 = _v8 + 0x1000;
							} while (_a12 < _t69);
						}
						_v8 = _v8 & 0x00000000;
						 *0x6dd75000 = 0xaefa8c44;
						 *0x6dd74034 = _t57 - _a4;
					}
				}
				return _v8;
			}

0x6dd71c82
0x6dd71c92
0x6dd71c99
0x6dd71ca1
0x6dd71ca5
0x6dd71d6c
0x6dd71cab
0x6dd71cb6
0x6dd71cc5
0x6dd71cd7
0x6dd71cdb
0x6dd71ce9
0x6dd71cec
0x6dd71cec
0x6dd71cf9
0x6dd71d65
0x6dd71cfb
0x6dd71d0b
0x6dd71d13
0x6dd71d15
0x6dd71d1a
0x6dd71d23
0x6dd71d25
0x6dd71d2d
0x6dd71d36
0x6dd71d3b
0x6dd71d40
0x6dd71d43
0x6dd71d46
0x6dd71d2d
0x6dd71d4e
0x6dd71d52
0x6dd71d5c
0x6dd71d5c
0x6dd71cf9
0x6dd71d7a

APIs

Part of subcall function 6DD7120F: HeapAlloc.KERNEL32(00000000,?), ref: 6DD7121B

memcpy.NTDLL(00000000,?,?,?,?,?,?,?,?,6DD71EEA,?,?,6DD75004,?,?,?), ref: 6DD71CB6
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?), ref: 6DD71CD1
memcpy.NTDLL(00000000,?,?), ref: 6DD71D15

Part of subcall function 6DD715CE: WaitForSingleObject.KERNEL32(00000000,00000006,00000000,00000000,?,6DD71CE8,00000000), ref: 6DD715F3

CloseHandle.KERNEL32(00000000,00000000), ref: 6DD71CEC

Part of subcall function 6DD7124F: HeapFree.KERNEL32(00000000,?), ref: 6DD7125B

Strings

W, xrefs: 6DD71C92

Memory Dump Source

Source File: 00000006.00000002.545470853.000000006DD71000.00000020.00020000.sdmp, Offset: 6DD70000, based on PE: true

Associated: 00000006.00000002.545460972.000000006DD70000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545485510.000000006DD73000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545496349.000000006DD75000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.545508050.000000006DD76000.00000002.00020000.sdmp Download File

Similarity

API ID: Heapmemcpy$AllocCloseCreateEventFreeHandleObjectSingleWait
String ID: W
API String ID: 905428733-655174618
Opcode ID: d86052271e173988d11b0c15ca9e8d87b463198059781805d590f095391739c3
Instruction ID: 9f08dc80c892e90e7d9e27027d31f00f1096ffbdbad4ab0c3ee39f6c2a5f9122
Opcode Fuzzy Hash: d86052271e173988d11b0c15ca9e8d87b463198059781805d590f095391739c3
Instruction Fuzzy Hash: 3E31D272D01729EBDB21AF68CC64BAE7B78FF45704F1152A5FD14AB204D371CA109BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DD9E5F0, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DD9E61A
int.LIBCPMTD ref: 6DD9E633

Part of subcall function 6DD9E6E0: std::_Lockit::_Lockit.LIBCPMT ref: 6DD9E6F6

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 50c676b66f4499a2fab23ae107c563bcbce8230f69e9bf0fecf34665e44e9b2b
Instruction ID: e48037b3cd9afbc569ed2863d3eeea7e48725820d3d261c2c6c9cb1855c8059f
Opcode Fuzzy Hash: 50c676b66f4499a2fab23ae107c563bcbce8230f69e9bf0fecf34665e44e9b2b
Instruction Fuzzy Hash: 6E310C75D05209DBCB04EFA8D840AEEB7B4FB49714F108A29F525AB390DB356905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA0890, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DDA08BA
int.LIBCPMTD ref: 6DDA08D3

Part of subcall function 6DD9E6E0: std::_Lockit::_Lockit.LIBCPMT ref: 6DD9E6F6

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: b961d931364db07ab1b3aa2424be3869a2fecb5e837de252db04047bf5e7da31
Instruction ID: 026be9392c0cba4b6db2b27525c428acaa63ee8ef8e1a4e64bba475cdd808253
Opcode Fuzzy Hash: b961d931364db07ab1b3aa2424be3869a2fecb5e837de252db04047bf5e7da31
Instruction Fuzzy Hash: F831FB75D0410ADBCF04EFA9D880AFEB7B4FB49314F148619F925AB294DB346A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DDAB76B, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6DDAB777

Part of subcall function 6DDAB201: __getptd_noexit.LIBCMT ref: 6DDAB204
Part of subcall function 6DDAB201: __amsg_exit.LIBCMT ref: 6DDAB211

__amsg_exit.LIBCMT ref: 6DDAB797
__lock.LIBCMT ref: 6DDAB7A7
InterlockedDecrement.KERNEL32(?), ref: 6DDAB7C4
InterlockedIncrement.KERNEL32(6DDD0110), ref: 6DDAB7EF

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 60ea5b78efa5f817ef787d8aeb85cb694da4e6897c02a0540a89206d98f277ca
Instruction ID: 8f4bb7539f4a7b20bc0597a44a2589a621eae8a52ca09f460a5c0d3e563ce499
Opcode Fuzzy Hash: 60ea5b78efa5f817ef787d8aeb85cb694da4e6897c02a0540a89206d98f277ca
Instruction Fuzzy Hash: 9C01AD72D0571ADBEB01BB69C440B6D7770BF45764F0A8409F828A76C1CBB4A952CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA53C5, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 6DDA53E3

Part of subcall function 6DDA92E2: __mtinitlocknum.LIBCMT ref: 6DDA92F8
Part of subcall function 6DDA92E2: __amsg_exit.LIBCMT ref: 6DDA9304
Part of subcall function 6DDA92E2: RtlEnterCriticalSection.NTDLL(?), ref: 6DDA930C

___sbh_find_block.LIBCMT ref: 6DDA53EE
___sbh_free_block.LIBCMT ref: 6DDA53FD
HeapFree.KERNEL32(00000000,6DD99FB5,6DDCD5F8,0000000C,6DDA92C3,00000000,6DDCD908,0000000C,6DDA92FD,6DD99FB5,?,?,6DDB17FF,00000004,6DDCDB58,0000000C), ref: 6DDA542D
GetLastError.KERNEL32(?,6DDB17FF,00000004,6DDCDB58,0000000C,6DDA7D00,6DD99FB5,?,00000000,00000000,00000000,?,6DDAB1B3,00000001,00000214), ref: 6DDA543E

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 23abc1e2e699bdd37db8294a7cccf3e06510efa0f27a0e63610d07a4f7564b03
Instruction ID: 3ca50f96c77ac904cb1e8d45ec256c17fe43e65eb2e86ba0c7933c54425ef925
Opcode Fuzzy Hash: 23abc1e2e699bdd37db8294a7cccf3e06510efa0f27a0e63610d07a4f7564b03
Instruction Fuzzy Hash: 4C016271849613EBDF107FB4DC04B6E3BB8AF0236AF69C119F614AA0C1DB7495408BB5

Uniqueness

Uniqueness Score: -1.00%

Function 6DD9F250, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6DD9F430

Strings

$, xrefs: 6DD9F2AE
$, xrefs: 6DD9F2B4
l, xrefs: 6DD9F269

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$$l
API String ID: 233258989-1469801561
Opcode ID: 9d4cbf06c88f9b768e00a78030638bc430c29de9d08546407df094fe780318d7
Instruction ID: b6c5ee54cf82f50089adacbe69c9e855ed1c60424ca5cc7837ff6f9cb5fc654a
Opcode Fuzzy Hash: 9d4cbf06c88f9b768e00a78030638bc430c29de9d08546407df094fe780318d7
Instruction Fuzzy Hash: B5613B7090420EDBDF04EFA5D954BDE7BB8FF45305F0080D9F598AA281CB3A9AA5CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6DD9F490, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6DD9F659

Strings

$, xrefs: 6DD9F4EE
l, xrefs: 6DD9F4A9
$, xrefs: 6DD9F4F4

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$$l
API String ID: 233258989-1469801561
Opcode ID: 66b710627a622ece519a739022534ab9f66b06250e1adbe27abcfefee27e5c6f
Instruction ID: b8808475c1ac4b9e69bdf9c51770b14c17188b2c1c33a7b99912b64f5f9672f5
Opcode Fuzzy Hash: 66b710627a622ece519a739022534ab9f66b06250e1adbe27abcfefee27e5c6f
Instruction Fuzzy Hash: 3E515C7090420EDBDB04EFA4D944BEE77B8FF49305F0081D8F598AA281CB359AA5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6DD9ED80, Relevance: 6.2, APIs: 4, Instructions: 188COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6DD9EE02
numpunct.LIBCPMTD ref: 6DD9EE5F

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: numpunctstd::ios_base::getloc
String ID:
API String ID: 1901892925-0
Opcode ID: 6cff94094f2ca16efad530fbc854320258db73a953927ed042305c68f2086c1b
Instruction ID: 18d37708fd96388485d15cccd4d202399a8daeeb90ec13332e48e2aab472bdb2
Opcode Fuzzy Hash: 6cff94094f2ca16efad530fbc854320258db73a953927ed042305c68f2086c1b
Instruction Fuzzy Hash: 3D814F71904119DFCB14EFA8C990BEEBBB5BF48304F108159F559AB291DB35AE44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA5B6C, Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 6DDA5C30
__fileno.LIBCMT ref: 6DDA5C50
__locking.LIBCMT ref: 6DDA5C57
__flsbuf.LIBCMT ref: 6DDA5C82

Part of subcall function 6DDA6EC8: __getptd_noexit.LIBCMT ref: 6DDA6EC8

Part of subcall function 6DDA4DE7: __decode_pointer.LIBCMT ref: 6DDA4DF2

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 612b37c773236875e18fc6bdb961d6ee87c8847615d64e9d93fe3f6e8e85a233
Instruction ID: 90722fba2db36819b0d1c09c451e8248bf2abfcd499c5393fdb0c2ac8c97f25e
Opcode Fuzzy Hash: 612b37c773236875e18fc6bdb961d6ee87c8847615d64e9d93fe3f6e8e85a233
Instruction Fuzzy Hash: 41410571A04A06DFDB05AF69CC806BEBBB6EF80320F2EC529F46587145D771EA51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6DD7195B, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 123
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E6DD7195B(void* __ecx, void* __edx, void* __esi, intOrPtr* _a4, intOrPtr* _a8) {
				long _v8;
				signed int _v12;
				signed int _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				intOrPtr _t54;
				intOrPtr _t58;
				intOrPtr _t70;
				void* _t75;
				signed int _t76;
				long _t78;
				signed int _t87;
				intOrPtr _t89;
				void* _t91;

				_v16 = _v16 & 0x00000000;
				_t87 =  *0x6dd75000; // 0xaefa8c44
				_v12 = _t87;
				if(E6DD71B84(__ecx,  &_v20,  &_v28, _t87 ^ 0x6bcf54fb) == 0) {
					_v8 = 0x7e;
					L19:
					return _v8;
				}
				_t91 = _v20;
				_t7 = _t91 + 0x10; // 0x50fc458d
				_t8 = _t87 + 0x510573c0; // 0x100000004
				_t78 = _t8;
				_v24 = _t78;
				_t10 = _t87 + 0x510583bc; // 0x100001000
				_t75 = VirtualAlloc(0,  *_t7, _t10, _t78);
				_v20 = _t75;
				if(_t75 != 0) {
					E6DD7141A(_t91, _t75);
					_t13 = _t91 + 0x5c; // 0x6a03eb08
					_t14 = _t91 + 0x58; // 0x56fffc75
					E6DD71FD4( *_t14,  *_t13 + _t91, _t75);
					_t15 = _t91 + 0x20; // 0x875c085
					_t16 = _t91 + 0x10; // 0x50fc458d
					_push( *_t16);
					_t17 = _t91 + 0x1c; // 0xc56ff08
					_t54 = E6DD7132A( *_t17, _t75,  *_t15 + _t91);
					_v8 = _t54;
					if(_t54 != 0) {
						L15:
						if(_t75 != 0) {
							VirtualFree(_t75, 0, _t87 + 0x5105f3bc);
						}
						L17:
						E6DD71628(_t91, _v28);
						goto L19;
					}
					_t58 = E6DD720CD(_t91, _t75);
					_v8 = _t58;
					if(_t58 != 0) {
						goto L15;
					}
					_t20 = _t91 + 0x64; // 0xd730c015
					_push(0);
					_push(1);
					_push(_t75);
					if( *((intOrPtr*)( *_t20 + _t75))() != 0) {
						_t89 =  *0x6dd730c4(_v24 << 2);
						if(_t89 != 0) {
							_t76 = 0;
							if(_v12 + 0x510573c0 == 0) {
								L13:
								_t75 = _v20;
								 *_a4 = _t89;
								_t87 = _v12;
								 *_a8 = _v16;
								L14:
								if(_v8 == 0) {
									goto L17;
								}
								goto L15;
							} else {
								goto L10;
							}
							do {
								L10:
								_t26 = _t76 + 1; // 0x1
								_t70 = E6DD71734(_t91, _v20, _t26);
								 *((intOrPtr*)(_t89 + _t76 * 4)) = _t70;
								if(_t70 != 0) {
									_v16 = _v16 + 1;
								}
								_t76 = _t76 + 1;
							} while (_t76 < _v12 + 0x510573c0);
							goto L13;
						}
						_t87 = _v12;
						_v8 = 8;
						goto L15;
					}
					_v8 = 1;
					goto L15;
				}
				_v8 = GetLastError();
				goto L14;
			}

0x6dd71961
0x6dd71967
0x6dd7197f
0x6dd71989
0x6dd71aab
0x6dd71ab2
0x6dd71ab8
0x6dd71ab8
0x6dd71990
0x6dd71993
0x6dd71996
0x6dd71996
0x6dd7199d
0x6dd719a0
0x6dd719b0
0x6dd719b2
0x6dd719b7
0x6dd719c8
0x6dd719cd
0x6dd719d0
0x6dd719d6
0x6dd719db
0x6dd719de
0x6dd719de
0x6dd719e1
0x6dd719e6
0x6dd719eb
0x6dd719f0
0x6dd71a8b
0x6dd71a8d
0x6dd71a99
0x6dd71a99
0x6dd71a9f
0x6dd71aa3
0x00000000
0x6dd71aa8
0x6dd719f9
0x6dd719fe
0x6dd71a03
0x00000000
0x00000000
0x6dd71a09
0x6dd71a0c
0x6dd71a0e
0x6dd71a12
0x6dd71a17
0x6dd71a2f
0x6dd71a33
0x6dd71a44
0x6dd71a4b
0x6dd71a72
0x6dd71a78
0x6dd71a7b
0x6dd71a80
0x6dd71a83
0x6dd71a85
0x6dd71a89
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6dd71a4d
0x6dd71a4d
0x6dd71a4d
0x6dd71a56
0x6dd71a5b
0x6dd71a60
0x6dd71a62
0x6dd71a62
0x6dd71a68
0x6dd71a6e
0x00000000
0x6dd71a4d
0x6dd71a35
0x6dd71a38
0x00000000
0x6dd71a38
0x6dd71a19
0x00000000
0x6dd71a19
0x6dd719bf
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,50FC458D,0000000100001000,0000000100000004,?,6DD712AD,?,AEFA8C44,?,?,?,?,6DD712AD), ref: 6DD719AA
GetLastError.KERNEL32(?,?,?,?,6DD712AD), ref: 6DD719B9
VirtualFree.KERNEL32(00000000,00000000,5DF49888,50FC458D,00000000,00000000,?,?,?,?,6DD712AD), ref: 6DD71A99

Strings

~, xrefs: 6DD71AAB

Memory Dump Source

Source File: 00000006.00000002.545470853.000000006DD71000.00000020.00020000.sdmp, Offset: 6DD70000, based on PE: true

Associated: 00000006.00000002.545460972.000000006DD70000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545485510.000000006DD73000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545496349.000000006DD75000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.545508050.000000006DD76000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocErrorFreeLast
String ID: ~
API String ID: 3335258512-1707062198
Opcode ID: 559215f5345db920402efed2ac6b272f9c372261d6a38dfee28a45298eb5baa2
Instruction ID: ad47583099edcc24982ea36ef826e240a9c3422e6395f44d28a0102388a847f6
Opcode Fuzzy Hash: 559215f5345db920402efed2ac6b272f9c372261d6a38dfee28a45298eb5baa2
Instruction Fuzzy Hash: C6418071A00716EBDB21EF98C8A0BAEB7B8FF05304F105599F951E7341E774EA068B60

Uniqueness

Uniqueness Score: -1.00%

Function 6DDB4554, Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6DDB4588
__isleadbyte_l.LIBCMT ref: 6DDB45BC
MultiByteToWideChar.KERNEL32(00000080,00000009,6DDAE3E3,?,00000000,00000000,?,?,?,?,6DDAE3E3,00000000,?), ref: 6DDB45ED
MultiByteToWideChar.KERNEL32(00000080,00000009,6DDAE3E3,00000001,00000000,00000000,?,?,?,?,6DDAE3E3,00000000,?), ref: 6DDB465B

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9bce91e18559311c9062655ad659eb17067d132b553426c91b34bc26494d2821
Instruction ID: afcece274a9a24e91fccfa8dde09744d79a49fb99defe7d9abd84b98fc163745
Opcode Fuzzy Hash: 9bce91e18559311c9062655ad659eb17067d132b553426c91b34bc26494d2821
Instruction Fuzzy Hash: A431D2B1A08256EFDB11EFA8C8809BE3BF5BF0931DF158568F4668B192D730D980CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6DD9C420, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,6DDD07C0,6DDCF010), ref: 6DD9C478
GetModuleFileNameA.KERNEL32(00000000), ref: 6DD9C47F
GetModuleHandleA.KERNEL32(00000000,6DDD07C0,6DDCF010), ref: 6DD9C4D0
GetModuleFileNameA.KERNEL32(00000000), ref: 6DD9C4D7

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: Module$FileHandleName
String ID:
API String ID: 4146042529-0
Opcode ID: 9744fe8b7e68c41f275593ec9882dea9fb07fff56639c45f9faeb79953f54c37
Instruction ID: 1aafa780f4c3abe9eeefa7cfb7f10e04e83cfd7f1f0537559fba8b410187b11a
Opcode Fuzzy Hash: 9744fe8b7e68c41f275593ec9882dea9fb07fff56639c45f9faeb79953f54c37
Instruction Fuzzy Hash: 172116B2945206EFEF08EFB8D994BACBFF8AB4A700F008099E445D7344D7345640AF60

Uniqueness

Uniqueness Score: -1.00%

Function 6DDAEEBA, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6DDAEEE0

Part of subcall function 6DDAED05: __fltout2.LIBCMT ref: 6DDAED31

__cftog_l.LIBCMT ref: 6DDAEF06
__cftoe_l.LIBCMT ref: 6DDAEF38

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 42a7b64169faca37fd47fb481e176dc1d301ef636df94243109bf4f02c02b780
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 8311363254414AFBCF126F84CC01CEE3F62FB59254B4A8815FE2899021D336CAB5EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA4A1D, Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6DDA4A37

Part of subcall function 6DDA3203: __FF_MSGBANNER.LIBCMT ref: 6DDA3226
Part of subcall function 6DDA3203: __NMSG_WRITE.LIBCMT ref: 6DDA322D

std::bad_alloc::bad_alloc.LIBCMT ref: 6DDA4A5A

Part of subcall function 6DDA4A02: std::exception::exception.LIBCMT ref: 6DDA4A0E

std::bad_exception::bad_exception.LIBCMTD ref: 6DDA4A6E
__CxxThrowException@8.LIBCMT ref: 6DDA4A7C

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1802512180-0
Opcode ID: 785f25daac0a1c721dbc96b5795f21dc2895d2625bce61f1884d9a2fdc2f6c9a
Instruction ID: 0a93101568b5886283d7b3581a5914b72a9cb424c12e2436ff96eb2ab87c15ca
Opcode Fuzzy Hash: 785f25daac0a1c721dbc96b5795f21dc2895d2625bce61f1884d9a2fdc2f6c9a
Instruction Fuzzy Hash: 9DF0273190824673CB04B770DC01E7D3B685F4A31CB19C415FA2596091FF22DB0882B5

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA35A2, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6DDA35AE

Part of subcall function 6DDAB201: __getptd_noexit.LIBCMT ref: 6DDAB204
Part of subcall function 6DDAB201: __amsg_exit.LIBCMT ref: 6DDAB211

__getptd.LIBCMT ref: 6DDA35C5
__amsg_exit.LIBCMT ref: 6DDA35D3
__lock.LIBCMT ref: 6DDA35E3

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: cc5eb4582580352573bdf22c486054f1d19a290365ca77cd83fbe561005a27ef
Instruction ID: 57bb06e1c6d49ee92815d613bc3a7f253ead4f6b5b5946d18b2b70ec48e7e35e
Opcode Fuzzy Hash: cc5eb4582580352573bdf22c486054f1d19a290365ca77cd83fbe561005a27ef
Instruction Fuzzy Hash: C5F09072948305CBDB10FBFCC401B5D77A1AF41729F5AC51AFA60A72C1CB34AA01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DDA6653, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6DDA6662

Part of subcall function 6DDAB201: __getptd_noexit.LIBCMT ref: 6DDAB204
Part of subcall function 6DDAB201: __amsg_exit.LIBCMT ref: 6DDAB211

__getptd.LIBCMT ref: 6DDA6670

Strings

csm, xrefs: 6DDA667E

Memory Dump Source

Source File: 00000006.00000002.545526290.000000006DD80000.00000020.00020000.sdmp, Offset: 6DD80000, based on PE: false

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 8e611b6aaecf06aec74463a2a3824efe6b4892ac6918fa6a041a03e8e15cf591
Instruction ID: df79927e951134a19a669b3bfaffac7bb522ce18ec25f572d29df5a24a8f939e
Opcode Fuzzy Hash: 8e611b6aaecf06aec74463a2a3824efe6b4892ac6918fa6a041a03e8e15cf591
Instruction Fuzzy Hash: AF018F30805F06CACF20BF68C4407ACBBB4AF10315F5DC86EF450565A2CB319585CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DD7141A, Relevance: 5.1, APIs: 4, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E6DD7141A(void* __esi, void* _a4) {
				intOrPtr _v8;
				void _v12;
				int _v16;
				signed int _v20;
				int _t45;
				intOrPtr _t52;
				int _t57;
				void _t68;
				intOrPtr _t74;
				signed int _t79;
				int _t80;
				intOrPtr* _t82;
				int _t85;
				int _t91;
				void* _t93;
				void* _t96;
				void* _t98;
				signed int _t99;
				void* _t103;

				_t98 = __esi;
				_t45 =  *0x6dd75000; // 0xaefa8c44
				_t1 = _t98 + 0x62; // 0xc015ff56
				_t79 =  *_t1 & 0x0000ffff;
				_v20 = _t79;
				_t80 = _t79 * 0x28;
				_v16 = _t45;
				_t4 = _t98 + 0x14; // 0xff1075ff
				_t93 = _a4;
				_t6 = _t98 + 0xc; // 0x4f72f475
				memcpy(_t93,  *_t6 + __esi,  *_t4 - _t80);
				 *(_t93 + 0x3c) =  *(_t93 + 0x3c) & 0x00000000;
				_t9 = _t98 + 0x10; // 0x50fc458d
				 *((intOrPtr*)(_t93 + 0x50)) =  *_t9;
				_t11 = _t98 + 0x14; // 0xff1075ff
				_t52 =  *_t11;
				_t12 = _t98 + 0xc; // 0x4f72f475
				_t96 = _t52 - _t80 + _a4;
				memcpy(_t96, _t52 - _t80 +  *_t12 + __esi, _t80);
				_t57 = _v16;
				_t103 = (_t99 & 0xfffffff8) - 0x10 + 0x18;
				_v12 =  *((intOrPtr*)(_t57 - 0x2efc8c30));
				_v8 =  *((intOrPtr*)(_t57 - 0x2efc8c2c));
				if(_v20 > 0) {
					_t21 = _t98 + 0x6c; // 0x6dd71319
					_t82 = _t21;
					do {
						_t24 = _t82 + 8; // 0xff6dd730
						_t91 =  *_t24;
						_t68 = _v12 + _v12;
						asm("adc ecx, [esp+0x14]");
						 *(_t96 + 0x14) =  *(_t96 + 0x14) & 0x00000000;
						 *_t96 = _t68;
						_v12 = _t68;
						 *((intOrPtr*)(_t96 + 4)) = 0;
						_t29 = _t82 + 4; // 0x6425ff00
						_t30 = _t82 - 4; // 0xc78b5e6d
						_v16 = _t91;
						_v8 = 0;
						_t96 = _t96 + 0x28;
						memcpy( *_t30 + _a4,  *_t29 + _t98, _t91);
						_t74 =  *_t82;
						_t85 = _v16;
						_t103 = _t103 + 0xc;
						if(_t74 > _t85) {
							_t36 = _t82 - 4; // 0xc78b5e6d
							memset(_a4 + _t85 +  *_t36, 0, _t74 - _t85);
							_t103 = _t103 + 0xc;
						}
						_t82 = _t82 + 0x14;
						_t37 =  &_v20;
						 *_t37 = _v20 - 1;
					} while ( *_t37 != 0);
				}
				_t40 = _t98 + 0x30; // 0x6dd712dd
				E6DD71B2B(_t40, _a4, _t98, 0xaefa8c48);
				_t42 = _t98 + 0x48; // 0x6dd712f5
				E6DD71B2B(_t42, _a4, _t98, 0xaefa8c47);
				_t44 = _t98 + 0x3c; // 0x6dd712e9
				E6DD71B2B(_t44, _a4, _t98, 0xaefa8c40);
				return 0;
			}

0x6dd7141a
0x6dd71423
0x6dd71429
0x6dd71429
0x6dd7142d
0x6dd71431
0x6dd71434
0x6dd71438
0x6dd7143c
0x6dd71442
0x6dd71449
0x6dd7144e
0x6dd71452
0x6dd71455
0x6dd71458
0x6dd71458
0x6dd7145f
0x6dd71467
0x6dd7146f
0x6dd71474
0x6dd71484
0x6dd7148c
0x6dd71490
0x6dd71494
0x6dd7149a
0x6dd7149a
0x6dd714a1
0x6dd714a5
0x6dd714a5
0x6dd714aa
0x6dd714ac
0x6dd714b0
0x6dd714b4
0x6dd714b6
0x6dd714ba
0x6dd714bd
0x6dd714c4
0x6dd714ca
0x6dd714cf
0x6dd714d3
0x6dd714d6
0x6dd714db
0x6dd714dd
0x6dd714e1
0x6dd714e6
0x6dd714f0
0x6dd714f6
0x6dd714fb
0x6dd714fb
0x6dd714fe
0x6dd71501
0x6dd71501
0x6dd71501
0x6dd714a1
0x6dd71510
0x6dd71513
0x6dd71521
0x6dd71524
0x6dd71532
0x6dd71535
0x6dd71541

APIs

memcpy.NTDLL(?,4F72F475,FF1075FF,AEFA8C44,00000000,6DD719CD,00000000,?,?,?,?,6DD712AD), ref: 6DD71449
memcpy.NTDLL(?,4F72F475,C015FF56), ref: 6DD7146F
memcpy.NTDLL(?,6425FF00,FF6DD730), ref: 6DD714D6
memset.NTDLL ref: 6DD714F6

Memory Dump Source

Source File: 00000006.00000002.545470853.000000006DD71000.00000020.00020000.sdmp, Offset: 6DD70000, based on PE: true

Associated: 00000006.00000002.545460972.000000006DD70000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545485510.000000006DD73000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545496349.000000006DD75000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.545508050.000000006DD76000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 8bc7c3f9f2849accdac27dc96719c46880ce3b8fd9e5c7f96019f95d4307acab
Instruction ID: 2c377bf7c1b193ab445ea1fb0b8b4a22bd5061c9987c3d4835f08b211b9e8ebb
Opcode Fuzzy Hash: 8bc7c3f9f2849accdac27dc96719c46880ce3b8fd9e5c7f96019f95d4307acab
Instruction Fuzzy Hash: 6C4128B1604601AFC310DF28D995A5ABBE8FF88254F048A29F949CB704D334FA59CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DD71628, Relevance: 5.0, APIs: 4, Instructions: 24
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DD71628(void* _a4, int _a8) {
				int _t3;
				void* _t7;

				_t3 = _a8;
				_t7 = _a4;
				if(_t3 != 0) {
					if(_t3 == 0xffffffff) {
						_t3 = lstrlenW(_t7) + _t6;
					}
				} else {
					_t3 = lstrlenA(_t7);
				}
				memset(_t7, 0, _t3);
				return HeapFree( *0x6dd74030, 0, _t7);
			}

0x6dd71628
0x6dd7162d
0x6dd71633
0x6dd71641
0x6dd7164a
0x6dd7164a
0x6dd71635
0x6dd71636
0x6dd71636
0x6dd71650
0x6dd71668

APIs

lstrlenA.KERNEL32(?,6DD712AD,6DD71AA8,6DD712AD,?,50FC458D,00000000,00000000,?,?,?,?,6DD712AD), ref: 6DD71636
lstrlenW.KERNEL32(?,6DD712AD,6DD71AA8,6DD712AD,?,50FC458D,00000000,00000000,?,?,?,?,6DD712AD), ref: 6DD71644
memset.NTDLL ref: 6DD71650
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,6DD712AD), ref: 6DD71661

Memory Dump Source

Source File: 00000006.00000002.545470853.000000006DD71000.00000020.00020000.sdmp, Offset: 6DD70000, based on PE: true

Associated: 00000006.00000002.545460972.000000006DD70000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545485510.000000006DD73000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.545496349.000000006DD75000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.545508050.000000006DD76000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$FreeHeapmemset
String ID:
API String ID: 439345311-0
Opcode ID: ca39a5ac6e7f5eb8eb8bcaa89b37b4ebeb880bb40dbbc088338dd53685cc1758
Instruction ID: 0041268236f3d6fe7c3ce1947ca7a4f90d79505557700495c9aee8ec01552513
Opcode Fuzzy Hash: ca39a5ac6e7f5eb8eb8bcaa89b37b4ebeb880bb40dbbc088338dd53685cc1758
Instruction Fuzzy Hash: 86E04F31155131BBE7213B24DC15FDF3B78BF03760F181680F924E1191E724595086AA

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Processwindo.DLL

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 5572 Parent PID: 5780

Function 6DD7166B, Relevance: 6.0, APIs: 4, Instructions: 47
memorythreadCOMMON

Function 6DD7132A, Relevance: 4.6, APIs: 3, Instructions: 91
libraryloaderCOMMON

Function 6DD72411, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Function 6DD721F0, Relevance: .1, Instructions: 77
COMMONCrypto

Function 6DD71C7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89
COMMON

Function 6DD7195B, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 123
memoryCOMMON